Question

I have been scanning the website at Magento Scan and getting the following error:

Magento Compromise Injection
Your site is compromised with injected JavaScript. (131) The malicious code signature(s) has been found on the page.

In the page source I can clearly see a malicious script included in the header.

After further research I found that there are entries in core_config_data with the path 'design/head/includes', and the value column has that malicious script.

I have not changed nor uploaded any extensions.

This has happened 3 to 4 times earlier and I am able to track how this is being injected.

When it happened the first time and every other time, I changed the database credentials, but it didn't help.

What measures should I take to prevent this?


Solution

Changing only the database credentials will not help. You may need to change the following:

  • Admin Panel URL path
  • Admin Panel login credentials
  • Check if there are any other admin users created
  • Hosting Panel credentials
  • FTP Login details (if any)
  • SSH credentials

You also need to check whether any FTP or SSH users have been created without your knowledge.

Apart from the above, if you are not using SSL (HTTPS) for your website, please ask your hosting provider to install it for you.

Please let me know if you are not sure how to check the above details.

OTHER TIPS

Remember that almost all the configuration is stored in the table core_config_data. In this case:

SELECT * FROM core_config_data where path like '%design/head/includes%';
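
The query above and the "check if there are any other admin users created" step from the first answer, widened into one read-only audit. This is an added example, not code from either answer; it assumes the default Magento schema with no table prefix, and the list of markup patterns is a constructed starting point rather than a complete signature set.

```sql
-- Added example: read-only audit queries. Assumes no table prefix
-- (if you use one, prepend it to core_config_data and admin_user).

-- 1. Every config value that contains markup able to load or run script,
--    whatever its path. design/head/includes is only one such field.
SELECT config_id, scope, scope_id, path, value
FROM core_config_data
WHERE LOWER(value) LIKE '%<script%'
   OR LOWER(value) LIKE '%<iframe%'
   OR LOWER(value) LIKE '%eval(%'
   OR LOWER(value) LIKE '%atob(%'
   OR LOWER(value) LIKE '%fromcharcode%'
ORDER BY path, scope, scope_id;

-- 2. The two fields Magento prints verbatim into every storefront page
--    ("Miscellaneous Scripts" and "Miscellaneous HTML" in the admin),
--    at every scope. Compare each row with what you put there yourself;
--    a legitimate analytics tag will also show up here.
SELECT config_id, scope, scope_id, path, value
FROM core_config_data
WHERE path IN ('design/head/includes', 'design/footer/absolute_footer')
  AND value IS NOT NULL
  AND TRIM(value) <> ''
ORDER BY path, scope, scope_id;

-- 3. All admin accounts, newest first. Look for accounts you did not
--    create, and for creation or last-login times that line up with
--    the dates the script reappeared.
SELECT user_id, username, email, firstname, lastname,
       created, modified, logdate, lognum, is_active
FROM admin_user
ORDER BY created DESC;
```

Run these each time the scan flags the site and keep the output: a row in query 1 under a path other than the head includes, or an unfamiliar account in query 3, shows where else to clean before rotating credentials again.
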
Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange