How to Remove Malware from Magento 1.9.x and Update to ver. 1.9.4.5

Last updated: September 18 2020

When I’m dealing with infected Magento shops, my approach is radical. Most of the time I apply a major update, which should cover the cleanup as well.

Step 0
Backup site
1. Back up the database and site files. If you can’t do it, ask your web host.
2. Disable SQL remote access, especially if you’re using Plesk.
3. Change SQL user password.

Step 1
Install a fresh Magento ver. 1.9.4.5
1. Download a fresh Magento copy: magento-mirror-1.9.4.5.zip
2. Create a new database “_reference”. Check whether the original database uses a table prefix. If so, use the same prefix for the new installation.
3. Extract magento-mirror-1.9.4.5.zip and run the installation.
4. Duplicate the original database, name it “_duplicate”.
5. Upload the Magento Database Repair Tool to the root folder.
a) Enter the “_duplicate” credentials on the left side (corrupted database) and the “_reference” credentials on the right side (reference database).
b) Run the tool and save the list of modules reported with the wrong version.

Module "admin_setup" has wrong version 1.6.1.2 in corrupted DB (reference DB contains "admin_setup" ver. 1.6.1.3)
Module "api_setup" has wrong version 1.6.0.1 in corrupted DB (reference DB contains "api_setup" ver. 1.6.0.2)
Module "catalog_setup" has wrong version 1.6.0.0.19.1.2 in corrupted DB (reference DB contains "catalog_setup" ver. 1.6.0.0.19.1.6)
Module "core_setup" has wrong version 1.6.0.6 in corrupted DB (reference DB contains "core_setup" ver. 1.6.0.10)
Module "customer_setup" has wrong version 1.6.2.0.4 in corrupted DB (reference DB contains "customer_setup" ver. 1.6.2.0.7)
Module "downloadable_setup" has wrong version 1.6.0.0.2 in corrupted DB (reference DB contains "downloadable_setup" ver. 1.6.0.0.3)
Module "payment_setup" has wrong version 1.6.0.0 in corrupted DB (reference DB contains "payment_setup" ver. 1.6.0.1)
Module "rss_setup" is not installed in corrupted DB
Module "sales_setup" has wrong version 1.6.0.9 in corrupted DB (reference DB contains "sales_setup" ver. 1.6.0.10)

c) After you get a successful confirmation, edit the “core_resource” table and make sure the modules from the previous list have the right version assigned.

If you’re getting this error:

Error #1067: Invalid default value for 'updated_at' on SQL: ALTER TABLE `core_config_data` ADD COLUMN `updated_at` timestamp NOT NULL DEFAULT 'CURRENT_TIMESTAMP' on update CURRENT_TIMESTAMP AFTER `value`

Add 1 column(s) after “value” > hit the Go button. Name it “updated_at” and make sure the right Type, Attributes, Default and Extra are set.

Step 2
Live again
1. Edit app/etc/local.xml and switch from “_reference” to “_duplicate” database credentials.
2. Make sure to set a custom admin URL.

<frontName><![CDATA[admin]]></frontName>

3. Restore app/design/frontend/template & skin/frontend/template, where “template” should be replaced with your own theme folder.
4. Restore media/, app/ and lib/ only after performing a malware check on these files & folders. Right after that, re-upload the app and lib folders from magento-mirror-1.9.4.5.zip to make sure all core files are updated.
5. Review the following sections:
System->Permissions->Users
Configuration->General->Design->HTML Head->Miscellaneous Scripts
Configuration->General->Design->Footer->Miscellaneous HTML
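
One way to narrow down the malware check in item 4, as an added example that is not part of the original guide: because app/ and lib/ are re-uploaded from the release archive afterwards, any restored file that the release does not contain stays exactly as it was in the backup, and nothing under media/ is overwritten at all. The Python sketch below lists those files for manual review; the function names, the two directory arguments (the backup and an extracted magento-mirror-1.9.4.5.zip) and the suffix list are assumptions.

```python
import hashlib
import sys
from pathlib import Path

RESTORED_DIRS = ("app", "lib")               # re-uploaded from the release afterwards
EXEC_SUFFIXES = {".php", ".phtml", ".phar"}  # assumption: not expected under media/

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _files(root):
    return sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())

def review_list(backup_root, release_root):
    """Classify backed-up files before they are restored.

    survives   - in app/ or lib/ but absent from the clean release, so the
                 re-upload will NOT overwrite it: check it by hand
    replaced   - differs from the release copy; the re-upload overwrites it
                 (expected for every core file if the shop ran an older version)
    media_exec - script-like file under media/, which the re-upload never touches
    """
    backup, release = Path(backup_root), Path(release_root)
    report = {"survives": [], "replaced": [], "media_exec": []}
    for top in RESTORED_DIRS:
        for f in _files(backup / top):
            rel = f.relative_to(backup)
            clean = release / rel
            if not clean.is_file():
                report["survives"].append(rel.as_posix())
            elif _sha256(f) != _sha256(clean):
                report["replaced"].append(rel.as_posix())
    for f in _files(backup / "media"):
        if f.suffix.lower() in EXEC_SUFFIXES:
            report["media_exec"].append(f.relative_to(backup).as_posix())
    return report

if __name__ == "__main__":
    # usage: python review_list.py <backup_dir> <extracted_release_dir>
    for kind, paths in review_list(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Third-party modules and local overrides legitimately show up under "survives", so that list is the set of files to read, not a verdict.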

Notes
( important )
  • Minimum SQL, PHP and Magento knowledge is required to complete these steps.
  • Magento 1.9.4.5 runs under PHP ver. 7.2, so it’s safe to update PHP.
  • Magento db repair tool requires a fresh installation ( check Step 1 ).