Magento sent an email to all of its partners to warn them about a new malware issue.
The malware sits inside a script and contains words like “onepage” or “checkout”.
Hackers use admin access or database access to inject this code.
Magento doesn’t know how they do that, but it might be because:
– Admin password is too weak
– Website doesn’t have all security patches
– Admin users were created before patch installation and were not deleted
You can check in the Magento back office (BO):
Admin->Configuration->General->Design->HTML Head->Miscellaneous Scripts
Admin->Configuration->General->Design->Footer->Miscellaneous HTML
Or run this SQL query:
SELECT * FROM `core_config_data` WHERE path LIKE 'design/head/includes' OR path LIKE 'design/footer/absolute_footer'
This first query displays the configuration values where the code can reside.
You can add a filter on the words “onepage” and “checkout”:
SELECT * FROM `core_config_data` WHERE (path LIKE 'design/head/includes' OR path LIKE 'design/footer/absolute_footer') AND (value LIKE '%onepage%' OR value LIKE '%checkout%')
Don’t forget to check the Magento admin users, and delete the accounts that look suspicious to you.
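To review the admin accounts from the database instead of the back office, a query like the following lists them newest first. It is an added example, not part of Magento's notice, and it assumes the standard Magento 1 tables admin_user and admin_role with no table prefix.

```sql
-- Added example: audit of back-office accounts.
-- Assumption: Magento 1 schema, tables admin_user / admin_role, no table prefix.
SELECT u.user_id,
       u.username,
       u.email,
       u.created,                  -- compare with the date the patches were installed
       u.logdate   AS last_login,
       u.lognum    AS login_count,
       u.is_active,
       g.role_name AS role_group   -- e.g. Administrators
FROM admin_user u
-- role_type 'U' rows link a user to a role; their parent_id is the group role ('G')
LEFT JOIN admin_role r ON r.user_id = u.user_id AND r.role_type = 'U'
LEFT JOIN admin_role g ON g.role_id = r.parent_id AND g.role_type = 'G'
ORDER BY u.created DESC;
```

Accounts created before the patches were installed, and accounts nobody on the team recognises, are the ones to look at first.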
Magento has a page on security best practices; you can read it here: https://magento.com/security/best-practices/security-best-practices