Magento Websites Targeted By Guruincsite Infection support by CMS Live Web Specialists

Magento Websites Targeted By Guruincsite Infection

Martin Starkie eCommerce, Web Specialists Blog, Website Design & Development

“Security researchers from both Sucuri and Malwarebytes have observed a recent massive malware distribution campaign that leverages Magento websites to redirect users to the Neutrino Exploit Kit, and then infect them with the Andromeda/Gamarue malware (info stealer).”

We have recently been inundated with clients wanting emergency Magento web support because they have been hacked by the Guruincsite infection.

Google has listed the Guruincsite website as a suspicious site that may harm your Magento website upon visiting it.

According to Google about 7824 domains have been infected so far by Guruincsite hosting malicious software on these website which has resulted in the sites currently being blacklisted by Google. The hackers are using “Guruincsite[.]com” to massively target Magento sites by injecting malicious scripts which create iframes from this site.


There are two adaptations of it. The first script is not confusing:

Magento Websites Targeted By Guruincsite Infection

But, the second script is unclear:

Image Credits: https://blog.sucuri.net/


The script, which is unclear or confusing, injects the iframe – “hxxp://guruincsite[.]com/2.php”.

The malicious script is generally injected into the design/footer/absolute_footer entry of the core_config_data table. However, it is wise to scan the complete database for the code similar to “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “Guruincsite” domain name.

“Guruincsite” has been able to target so many Magento websites is such a short period of time due to the websites vulnerabilities in one of the third-party Magento extensions.
The vulnerability provides the hackers with sufficient access to your database which allows them to create a malicious admin user.
The bug has been found in the Magmi Magento Extension, an add-on that simplifies the process of mass-importing products into a Magento online store. Successful exploitation of this bug results in attackers gaining access to the site’s credentials and database encryption key.


Whilst a Magento store is infected Google will usually blacklist the site and show blocked by Google with the following reason in Safe Browsing:
Malicious software is hosted on 1 domain(s), including guruincsite.com

CMS Live Web Specialists on the Guruincsite Infection

We’ve seen a few sites which were hosted in insecure shared servers. This could’ve made the hack easier to execute using the Neutrino Exploit Kit. So, if possible, you need to ask your hosting company to implement additional virtual host isolation in shared hosting servers.


Need Help?

If your Magento website has been hacked, contact us now so we get get you back online as soon as possible

Share this Post