Magento sites being targeted by Guruincsite malware?
Magento report they are actively investigating reports of Magento sites being targeted by Guruincsite malware (Neutrino exploit kit)l They are working with their developers in coordination with Magento hosting partners and community members.
They say they have not identified a new attack vector at this time but rather have found that all sites they checked showed as vulnerable to a previously identified code execution issue for which they released a patch in early 2015; sites not vulnerable to that issue show other unpatched issues.
For example, the malware can also take advantage of situations where an administrative account has been compromised through weak passwords, phishing, or any other unpatched vulnerability that allows for administrative access, so it is important to check for fake user accounts or for leftover demo accounts.
Magento merchants are advised to follow best practices to ensure the security of their sites as well as take the steps outlined below. Even if a site has deployed previous patches, they should check for Guruincsite. If their site was compromised prior to patching, through the insertion of fake admin accounts, for example, such accounts would not be removed by the patch and are still vulnerable to malware.