Malware getting added to cart page magento 1.9

I have a website hosted in magento 1.9 and it has been affected by a malware code on cart page. I know magento 1.9 is old and should move my website to magento 2, and of course we are doing it but right now I need to remove that malware from my website. Details: This is the website url - https://www.great-save.com/ Malware is a js code and I can see it on cart pages at the end but only in mozilla browser and not in google chrome. Malware in mozilla browser.

enter image description here

There is no malware in google chrome

enter image description here

When I open this link then I can see a code like this. enter image description here

I tried looking for this script using grep through all the files and also tried to search it using file name, but did not find anything. I looked in the Miscellaneous HTMl section in admin panel and there is no such script added. enter image description here

I have also searched the database trying to find the word, in the url if it was added there but did not find anything. enter image description here

My question is How I can go on debugging this issue to locate the files from where it is loaded. In the network tab I see the file getting loaded while inspecting. enter image description here

Update: I tried using grep to locate the malware inside my public_html directory but did not get anything.

enter image description here

Answers 3



  • We had the exact same malware injection. I used the following command to find the injection: grep -r ‘base64’ app/

    It showed a list of all the files using base64 and the malware was injected in file: /app/code/core/Mage/Page/Block/Html.php line 164.

    Please make sure you check for extra admin users, change the database password and also change you admin users passwords and ftp passwords.


Related Questions