911 Hack Removal

Visbot Malware – How to Find and Fix It

Updated on: July 22, 2020

Visbot Malware – How to Find and Fix It

Hackers are using smart techniques to hack credit card information in Magento 1.9 – including modifying core files to add malware called the Visbot malware. Read on to know how to find and fix it. 

How The Visbot Malware Works

The Visbot malware, found on hacked Magento websites, runs every time the site loads. It intercepts POST requests made to the server, collects any information submitted by visitors to the site and encrypts and stores it onto an image file. 

This image can contain information such as passwords, addresses, and even credit card and payment information. The hackers occasionally retrieve this image and sell it on the black market. Sometimes, this file can be as large as 850 MB!

The malware is usually found in core Magento files, such as the one below at file path /var/www/html/includes/config.php:

How to Find the Visbot Malware

The simplest way to find the Visbot malware is to run the following scan: 

grep -r Visbot --include='*.php' /my/document/root

The Visbot malware is usually hidden in a core file which is run on every page load, such as app/Mage.php or includes/config.php as in the above example. The collected data can be stored in various locations. Here are a few locations the file was found to be stored:

  • /media/mage.jpg
  • /media/catalog/category/<various files>
  • /skin/adminhtml/default/default/images/accordion_open_bg.gif
  • /skin/adminhtml/default/default/images/btn_gr_on_bg.gif
  • /skin/adminhtml/default/default/images/notice-msg_bg.png
  • /skin/adminhtml/default/default/images/sort-arrow-down_bg.png
  • /skin/adminhtml/default/default/images/side_col_bg_bg.gif
  • /skin/adminhtml/default/default/images/left_button_back.gif

A specialised malware scanner that can find many types of malicious code and files, like Astra’s, is the best option to find the Visbot malware without much effort. What’s more, Astra’s engineers will also help you recover and clean up your site. 

How to Fix Your Site After a Visbot Malware Attack

1. Take a backup of your site before cleaning.

It’s advisable to take the website offline so that users don’t visit the infected pages while you’re cleaning it. Make sure to take a backup of all the core files and databases. It’s a good idea to take the backup in a compressed file format, like .zip.

2. Replace the core, plugin, and theme files.

You can replace the infected core files with the original versions of the same from reputable sources. After downloading the fresh and updated versions of these files & directories, you can delete the older ones. This is especially important in cleaning up the Visbot malware, as malicious code has been found inside the core files. 

3. Clean any suspicious, recently modified files. 

You might find potentially infected files by looking at the ones which were recently modified. You can restore these files from a clean backup you have or from a trusted source. 

4. Run a malware scan.

Run a malware scan on your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan, which blocks the attack and also the bots which try to download the stolen data. 

In addition to these steps, you may find this article on Magento security helpful. 

Visbot Malware: Conclusion

The Visbot malware can be very dangerous in that it’s mostly found in core files and steals sensitive information like credit card information. Therefore, it’s very important that you keep your site malware-free. In addition to using updated versions of software, it’s a great idea to get a Website Firewall like Astra for your site. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website. This way, you never have to worry about getting hacked again!

About Astra

Astra is the essential web security suite that fights hackers, internet threats & bots for you. We provide proactive security for your websites running popular CMSs like WordPress, OpenCart, Magento etc. Our professional malware removal team is available 24×7 throughout the year to help you regain your hacked website and quickly get back to business.

Was this post helpful?

Sreenidhi

Sreenidhi is a tech enthusiast who enjoys writing about cybersecurity and data science. Her areas of interest include WordPress security, new malware, and recent cybersecurity news.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany