Visbot malware infects almost 7000 Magento stores.
Recently, we came across a Magento site that was infected with the Visbot malware that so many other resources have been talking about. One way to find out if your store is infected, is by running a simple curl command against your site like this:
curl -H 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;email@example.com)' http://yoursite.com
If you run that command and see a ‘Pong’ response, you are actively infected with the visbot malware. To locate and remove it, you will need to check a few files which will contain links to stenography images (Images that have code embedded in them).
The easiest and fastest way to find the files (if you have access via SSH to your server) is to simply run a grep command like the following:
grep -ri visbot '*.php' .
That should give you the names of the files that contain the code that you will need to remove which will be injected at the very top of the *.php page. If you don’t have SSH access, you can start by checking the most common files that it has been located in:
Once you’ve located that code, BEFORE you remove it, locate the line or lines (which should be at the top) that will contain a path to an image like such (It varies from site to site so don’t rely on this specific example):
That image will also need to be removed – this is actually the file that will contain the encrypted data that the attackers will eventually come back to retrieve that contains payment data so be sure to remove that!
If you’ve found that you have been compromised and infected with the visbot malware, it’s very important (and required for PCI compliance) that you communicate that information to your customers and inform them that they need to contact their credit card companies and possibly have new cards issued.