However, if you have not deployed previous security patches and find indication in the server logs or otherwise that credit card details may have been sent externally from your site, you should review your files, configurations, and backend accounts.
As a Magento merchant, you should open the main page and view the page source. Look for the strings mentioned below. If you found any of below strings, it means that your site has been compromised.
- eval ( atob (
regexp (“ checkout Regexp (‘checkout Regexp (“onepage Regexp (‘onepage Regexp (“onestep Regexp (‘onestep
- the case of those strings can be dissimilar (For e.g, regexp, RegExp, etc.)
- However, if it is the case where you don’t find any of the above strings, you should carefully review your Admin configuration, taking account of your Admin accounts, follow best security practices, and deploy all security patches.
How to Remove Malicious Code if Your Site is Affected?
Begin by scanning your Magento site with a tool such as magereport.com. Deploy all security patches. Make sure that there are no any unknown files in the system. If you find unknown admin accounts while reviewing, it is recommended you to remove all such accounts. After removing such accounts, change the current passwords of the rest admin accounts to strong ones. As a Magento merchant, you should always follow best security practices summarized in the Magento User Guide. And, also review some parts (mentioned below) of your Admin configuration and remove any malicious code found.
- Configuration->General->Design->HTML Head->Miscellaneous Scripts
- Configuration->General->Design->Footer->Miscellaneous HTML
After removing such malicious code from your Magento based site, it is recommended you to review some server log files mentioned below. If you found such files or URLs, it means that your Magento site is totally compromised.
/downloader/Maged/Maged.php /downloader/cache.php /jquery.php /jquery.pl /css.php /opp.php /xrc.php /order.php /jquerys.php /var/extendware/system/licenses/encoder/mage_ajax.php /js/index.php