Question

I get a warning for one of our sites on magereport.com about the famous Credit Card Hijack:

Credit Card Hijack detected?


But there is nothing added to "Miscellaneous HTML" or "Miscellaneous Scripts" configurations, and when I check the HTML source code, I don't find any additional scripts that should not be there. Searching in the minified JS for remarkable parts of the example also yields nothing. Patches were always applied immediately.

I watched the Firebug network tab while going through the checkout, entering credit card details and going to the next step. No requests were made except to Magento and to the payment provider.


Since the message from Magereport has a question mark, I am wondering:

Does anybody know of false positives, where harmless scripts were identified as malicious? Or am I looking in the wrong places?


Solution

The part of the hack that is easily identifiable (whether as JS or in the PHP files) is the use of SESSIID as a cookie.

The cookie can be set via a JS or via PHP.

Thus, the first thing I would check in your case is your browser cookies while doing a purchase.

Go through the checkout process and check your cookies.

If you see a cookie named SESSIID then you're probably affected by the hack.

To check the files you could probably run:

grep -ri "SESSIID" .

On your Magento folder and see what comes up.

Regarding the database, I reckon you need to look in the following tables for the SESSIID string:

  • core_config_data
  • cms_block
  • cms_page
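
One way to run the database check described in the answer above, as an added example that is not part of the original answer. It assumes MySQL, no table prefix, and the stock Magento 1 column names (`value`, `content`, `identifier`); adjust them if your installation differs.

```sql
-- Added example: search the three tables named in the answer for the SESSIID marker.
-- Assumptions: MySQL, no table prefix, stock Magento 1 column names.
-- LOWER() makes the match case-insensitive regardless of column collation.
-- The context column shows roughly 40 characters before the match and 80 after,
-- so the surrounding script can be judged without dumping the whole field.

SELECT 'core_config_data'        AS source_table,
       CAST(config_id AS CHAR)   AS row_id,
       path                      AS identifier,
       SUBSTRING(value,
                 GREATEST(LOCATE('sessiid', LOWER(value)) - 40, 1),
                 120)            AS context
FROM   core_config_data
WHERE  LOWER(value) LIKE '%sessiid%'

UNION ALL

SELECT 'cms_block',
       CAST(block_id AS CHAR),
       identifier,
       SUBSTRING(content,
                 GREATEST(LOCATE('sessiid', LOWER(content)) - 40, 1),
                 120)
FROM   cms_block
WHERE  LOWER(content) LIKE '%sessiid%'

UNION ALL

SELECT 'cms_page',
       CAST(page_id AS CHAR),
       identifier,
       SUBSTRING(content,
                 GREATEST(LOCATE('sessiid', LOWER(content)) - 40, 1),
                 120)
FROM   cms_page
WHERE  LOWER(content) LIKE '%sessiid%';
```

An empty result set means none of these three tables contains the string; any returned row identifies the table, row and config path or CMS identifier to inspect.
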
Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange