Magento Shoplift Bug Patch

Fri. October 30, 2015 at 1:53 AM in Security

Recently, a client contacted me to say that Google was reporting their site as malicious and was redirecting search results to a Google Transparency Report page.

The site was a Magento CMS site hosted externally to the company. I was asked to look into where the malware could have come from, and what to do to remove it and mitigate further issues with this vulnerability.

Google Transparency Report

There are two modifications of the script.

Simple guruincsite script - Image courtesy

And here is the obfuscated code:

Obfuscated guruincsite script - Image courtesy

From the Sucuri Blog post:

The obfuscated scripts inject the hxxp://guruincsite[.]com/2.php iframe.

The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like function LCWEHH(XHFER1){XHFER1=XHFER1 or the guruincsite domain name.
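One way to run the whole-database scan suggested above, as an added example that is not code from this post or from Sucuri. It assumes an in-memory SQLite database as a stand-in for Magento's MySQL database; the rows, the simplified column sets and the helper names (`scan_database`, `build_sample_db`, `quote_ident`) are constructed for illustration.

```python
import sqlite3

# Indicators quoted on this page: the domain name and the obfuscated-script fragment.
INDICATORS = ("guruincsite", "function LCWEHH(XHFER1){XHFER1=XHFER1")

def quote_ident(name):
    """Quote a table or column name taken from the schema."""
    return '"' + name.replace('"', '""') + '"'

def scan_database(conn, indicators=INDICATORS):
    """Return sorted (table, column, rowid, indicator) hits across every table and column."""
    hits = []
    # SQLite catalogue query; on MySQL the table/column list would come from information_schema.
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for col in columns:
            # instr() is a literal substring test, so '%' or '_' in an indicator is not a wildcard.
            sql = (f"SELECT rowid FROM {quote_ident(table)} "
                   f"WHERE instr(lower(CAST({quote_ident(col)} AS TEXT)), lower(?)) > 0")
            for ind in indicators:
                hits += [(table, col, rid, ind) for (rid,) in conn.execute(sql, (ind,))]
    return sorted(hits)

def build_sample_db():
    """Constructed sample data: one hit in the usual place, one outside it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, path TEXT, value TEXT);
        CREATE TABLE cms_block (block_id INTEGER PRIMARY KEY, title TEXT, content TEXT);
    """)
    conn.executemany("INSERT INTO core_config_data (path, value) VALUES (?, ?)", [
        ("web/unsecure/base_url", "http://shop.example/"),
        ("design/footer/absolute_footer",
         "<script>function LCWEHH(XHFER1){XHFER1=XHFER1 ...</script>"),
    ])
    conn.executemany("INSERT INTO cms_block (title, content) VALUES (?, ?)", [
        ("Footer links", "<ul><li>About us</li></ul>"),
        ("Promo", "<iframe src='hxxp://guruincsite[.]com/2.php'></iframe>"),
    ])
    return conn

if __name__ == "__main__":
    for hit in scan_database(build_sample_db()):
        print(hit)
```

Each hit names the table, column and row to inspect, so a match outside `design/footer/absolute_footer` is not missed.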

It is extremely important to keep your Magento website up to date with the latest security patches. Failing to do so will expose visitors browsing your site to malware. Furthermore, the next time your website is indexed by Google, you will be blocked from search results and have your website redirected to the Google Transparency Report page.

You can go through the steps to get your website scanned by Google again by following the instructions at the bottom of the Google Transparency Report.

You can read more about the report at, and for more information about the Shoplift Bug, you can check the Magento Security page at–-shoplift-bug-patch.
