Secure is currently seeing a massive attack on Magento sites where hackers inject malicious scripts that create iframes from “guruincsite[.]com”. Google already blacklisted about seven thousand sites because of this malware.

There are two variants of it. The first script is not obfuscated:

[Image: simple-guruincsite-site]

and the second one is obfuscated:

[Image: obfuscated-guruincsite-script]

The obfuscated scripts inject the “hxxp://guruincsite[.]com/2.php” iframe.

The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.
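
One way to run the whole-database scan suggested above, as an added example that is not code from the original post: it walks every table and column looking for the two indicators the article quotes, and separately lists non-empty design/footer/absolute_footer entries for manual review. It assumes an in-memory SQLite database as a stand-in for the Magento MySQL database; the table layouts are simplified, and the `cms_block` table and all sample rows are constructed.

```python
import sqlite3

# Indicators quoted in the article above.
INDICATORS = ("guruincsite", "function LCWEHH(XHFER1){XHFER1=XHFER1")
FOOTER_PATH = "design/footer/absolute_footer"

def scan_database(conn):
    """Return sorted (table, column, rowid, indicator) hits across all tables."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            # Case-insensitive substring match; instr() has no wildcards to escape.
            query = (f'SELECT rowid FROM "{table}" WHERE '
                     f'instr(lower(CAST("{column}" AS TEXT)), lower(?)) > 0')
            for indicator in INDICATORS:
                for (rowid,) in conn.execute(query, (indicator,)):
                    hits.append((table, column, rowid, indicator))
    return sorted(hits)

def footer_entries(conn):
    """Return non-empty absolute_footer rows so they can be reviewed by hand."""
    return conn.execute(
        "SELECT scope, scope_id, value FROM core_config_data "
        "WHERE path = ? AND COALESCE(value, '') != ''", (FOOTER_PATH,)).fetchall()

def build_sample():
    """Constructed sample database (simplified tables, defanged values)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, scope TEXT,
            scope_id INTEGER, path TEXT, value TEXT);
        CREATE TABLE cms_block (block_id INTEGER PRIMARY KEY, title TEXT, content TEXT);
    """)
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?, ?, ?, ?)", [
        (1, "default", 0, FOOTER_PATH, "<script>/* hxxp://guruincsite[.]com/2.php */</script>"),
        (2, "default", 0, "web/secure/base_url", "https://shop.example/"),
        (3, "stores", 1, FOOTER_PATH, ""),
    ])
    conn.executemany("INSERT INTO cms_block VALUES (?, ?, ?)", [
        (1, "Footer links", "<ul><li>Contact</li></ul>"),
        (2, "Promo", "<script>function LCWEHH(XHFER1){XHFER1=XHFER1 /* truncated */</script>"),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample()
    for hit in scan_database(db):
        print(hit)
    print(footer_entries(db))
```

Against a live MySQL database the same loop would enumerate tables and columns from `information_schema.columns` instead of `sqlite_master`.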