Hackers are using smart techniques to hack credit card information in Magento 1.9 – including modifying core files to add malware called the Visbot malware. Read on to know how to find and fix it.
How The Visbot Malware Works
The Visbot malware, found on hacked Magento websites, runs every time the site loads. It intercepts POST requests made to the server, collects any information submitted by visitors to the site and encrypts and stores it onto an image file.
This image can contain information such as passwords, addresses, and even credit card and payment information. The hackers occasionally retrieve this image and sell it on the black market. Sometimes, this file can be as large as 850 MB!
The malware is usually found in core Magento files, such as the one below at file path /var/www/html/includes/config.php:
How to Find the Visbot Malware
The simplest way to find the Visbot malware is to run the following scan:
grep -r Visbot --include='*.php' /my/document/root
The Visbot malware is usually hidden in a core file which is run on every page load, such as app/Mage.php or includes/config.php as in the above example. The collected data can be stored in various locations. Here are a few locations the file was found to be stored:
- /media/mage.jpg
- /media/catalog/category/<various files>
- /skin/adminhtml/default/default/images/accordion_open_bg.gif
- /skin/adminhtml/default/default/images/btn_gr_on_bg.gif
- /skin/adminhtml/default/default/images/notice-msg_bg.png
- /skin/adminhtml/default/default/images/sort-arrow-down_bg.png
- /skin/adminhtml/default/default/images/side_col_bg_bg.gif
- /skin/adminhtml/default/default/images/left_button_back.gif
A specialised malware scanner that can find many types of malicious code and files, like Astra’s, is the best option to find the Visbot malware without much effort.
How to Fix Your Site After a Visbot Malware Attack
1. Take a backup of your site before cleaning.
It’s advisable to take the website offline so that users don’t visit the infected pages while you’re cleaning it. Make sure to take a backup of all the core files and databases. It’s a good idea to take the backup in a compressed file format, like .zip.
2. Replace the core, plugin, and theme files.
You can replace the infected core files with the original versions of the same from reputable sources. After downloading the fresh and updated versions of these files & directories, you can delete the older ones. This is especially important in cleaning up the Visbot malware, as malicious code has been found inside the core files.
3. Clean any suspicious, recently modified files.
You might find potentially infected files by looking at the ones which were recently modified. You can restore these files from a clean backup you have or from a trusted source.
4. Run a malware scan.
Run a malware scan on your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan, which blocks the attack and also the bots which try to download the stolen data.
In addition to these steps, you may find this article on Magento security helpful.
Visbot Malware: Conclusion
The Visbot malware can be very dangerous in that it’s mostly found in core files and steals sensitive information like credit card information. Therefore, it’s very important that you keep your site malware-free. In addition to using updated versions of software, it’s a great idea to get a Website Firewall like Astra for your site. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website. This way, you never have to worry about getting hacked again!
About Astra
Astra is the essential web security suite that fights hackers, internet threats & bots for you. We provide proactive security for your websites running popular CMSs like WordPress, OpenCart, Magento etc. Our security team available 24×7 throughout the year to help you with your queries.