It looks like one of the biggest Magento vulnerabilities has been capitalised on, but no one yet knows what it is or how it happened. All that we know so far is that Magento administration areas have been compromised and malicious code is present on front-end pages.
It’s still a fluid situation, with no word from Magento themselves yet, just murmurings in the community about the attack, which is being dubbed guruincsite. It is so named because iframes have been placed which reference the domain guruincsite[.]com.
A number of Magento users have reported strange user accounts appearing in their Magento admin, and certain view files have been injected with some nasty JavaScript which is potentially listening and reporting activity back to a still unknown entity. Most affected users are only finding out about the hack because of unsettling browser messages when navigating to the site.
The malicious code can be removed easily enough by searching the Magento database for occurrences of “guruincsite”; however, as an attack vector or “point of entry” is yet to be identified, removing the references may be only a short-term fix.
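One way to find which tables hold the injected references without guessing table names is to scan a database export for the string. The script below is an added example, not part of the original post; it assumes a plain-text mysqldump file with one INSERT statement per line, and the sample dump, its table rows and the `.invalid` host are constructed.

```python
import re
import sys
from collections import defaultdict

INDICATOR = "guruincsite"  # the string the post says to search for

# mysqldump normally writes each INSERT statement on a single line.
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`", re.IGNORECASE)


def scan_dump(lines, indicator=INDICATOR, context=40):
    """Return {table: [(line_no, snippet), ...]} for each occurrence of indicator."""
    needle = re.compile(re.escape(indicator), re.IGNORECASE)
    hits = defaultdict(list)
    table = "(before first INSERT)"
    for line_no, line in enumerate(lines, start=1):
        match = INSERT_RE.match(line)
        if match:
            table = match.group(1)  # rows on this line belong to this table
        for occ in needle.finditer(line):
            start = max(occ.start() - context, 0)
            hits[table].append((line_no, line[start:occ.end() + context].strip()))
    return dict(hits)


# Constructed sample dump (not real data); the host uses the reserved .invalid TLD.
SAMPLE_DUMP = """\
INSERT INTO `cms_page` VALUES (1,'Home','<p>Welcome</p>');
INSERT INTO `core_config_data` VALUES (10,'default',0,'example/path','<iframe src="//guruincsite.invalid/a"></iframe>');
INSERT INTO `cms_block` VALUES (3,'Footer','<iframe src="//GuruIncSite.invalid/b"></iframe><iframe src="//guruincsite.invalid/c"></iframe>');
"""

if __name__ == "__main__":
    # Usage: python scan_dump.py dump.sql   (no argument scans the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_DUMP.splitlines()
    for tbl, found in scan_dump(source).items():
        print(f"{tbl}: {len(found)} occurrence(s)")
        for line_no, snippet in found:
            print(f"  line {line_no}: ...{snippet}...")
```

The per-table report shows where clean-up is needed, and re-running it against a fresh export after clean-up shows whether the references have come back.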
Update – Tuesday 20 October 2015
Still no indication of the attack vector at the moment; waiting for news. The site can be repaired, though, at least in the short term. If you need help with your Magento site to get it back online, give me a shout.