Gsyfuy

Parsing a string of key-value pairs as a dictionary

Why Normality assumption in linear regression

Explain the objections to these measures against human trafficking

Do authors have to be politically correct in article-writing?

Why would space fleets be aligned?

Strange blocking on readable secondary after reboot

Every character has a name

What's a good word to describe a public place that looks like it wouldn't be rough?

Am I a Rude Number?

What is a jet (unit) shown in Windows 10 calculator?

Can I write a book of my D&D game?

Cryptic with missing capitals

What is the purpose of easy combat scenarios that don't need resource expenditure?

Why do stocks necessarily drop during a recession?

A starship is travelling at 0.9c and collides with a small rock. Will it leave a clean hole through, or will more happen?

Avoiding morning and evening handshakes

Is it a fallacy if someone claims they need an explanation for every word of your argument to the point where they don't understand common terms?

Why would the Pakistan airspace closure cancel flights not headed to Pakistan itself?

Cookies - Should the toggles be on?

Are there any modern advantages of a fire piston?

Calculate Contact age in a Drupal view

How to prevent users from executing commands through browser URL

Does static make a difference for a const local variable?

Dilemma of explaining to interviewer that he is the reason for declining second interview

magento 1.9.3.7 - google Tag Manager

text near search bar magento ce 1.9Cannot Log Back into Magento admin 1.9.xGoogle Tag ManagerHow to remove a payment option from onepage checkout?Recently viewed/report issue Magento 1.9Google tag scriptDeleted Magento 1,9 database - now get error There has been an error processing your requestMagento 1.9 - MYGENTO_ logs flood serverHTTP Problems with Google Fonts UPDATESHow to install Google TAG Manager (GTM) to Magento 1.9.2 without extension?

0

I have got a problem with a gtm script. This line always appears in all of my cms-blocks:

<script src="https://googletagmanager.eu/gtm.js"></script>


After removing this in the Database - the next day it was again included in all blcoks.

I've searched the entire files - didn't find anything near "googletagmanager" or "gtm.js"

magento-1.9

share|improve this question

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you have installed before a extension for that , try to disable it first, flush cache, remove the files. If not: Check if you have added this script in the Design Configurations. Do a grep on the root files : grep -irH "googletagmanager" .
  
  – Ylgen Guxholli
  Oct 2 '18 at 9:43
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  thanks for the hint. There is no extension - never implemented googletagmanager. Also did a grep on the root files - the only result was my remove command in the .mysql_history: update cms_block set content=replace(content,"<script src="googletagmanager.eu/gtm.js"></script>","");
  
  – Mirko Babic
  Oct 2 '18 at 9:57
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you have external page cache enabled, be sure to flush that too.
  
  – Liam McArthur
  Oct 2 '18 at 10:04
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  external full page cache is disabled
  
  – Mirko Babic
  Oct 2 '18 at 10:10
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  great! thank you, we could see in the trigger as well and fixed.
  
  – hari
  Oct 18 '18 at 20:27
  

  
  
  
  

 | 
show 1 more comment

0

I have got a problem with a gtm script. This line always appears in all of my cms-blocks:

<script src="https://googletagmanager.eu/gtm.js"></script>


After removing this in the Database - the next day it was again included in all blcoks.

I've searched the entire files - didn't find anything near "googletagmanager" or "gtm.js"

magento-1.9

share|improve this question

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you have installed before a extension for that , try to disable it first, flush cache, remove the files. If not: Check if you have added this script in the Design Configurations. Do a grep on the root files : grep -irH "googletagmanager" .
  
  – Ylgen Guxholli
  Oct 2 '18 at 9:43
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  thanks for the hint. There is no extension - never implemented googletagmanager. Also did a grep on the root files - the only result was my remove command in the .mysql_history: update cms_block set content=replace(content,"<script src="googletagmanager.eu/gtm.js"></script>","");
  
  – Mirko Babic
  Oct 2 '18 at 9:57
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you have external page cache enabled, be sure to flush that too.
  
  – Liam McArthur
  Oct 2 '18 at 10:04
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  external full page cache is disabled
  
  – Mirko Babic
  Oct 2 '18 at 10:10
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  great! thank you, we could see in the trigger as well and fixed.
  
  – hari
  Oct 18 '18 at 20:27
  

  
  
  
  

 | 
show 1 more comment

I have got a problem with a gtm script. This line always appears in all of my cms-blocks:

<script src="https://googletagmanager.eu/gtm.js"></script>


After removing this in the Database - the next day it was again included in all blcoks.

I've searched the entire files - didn't find anything near "googletagmanager" or "gtm.js"

magento-1.9

share|improve this question

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

share|improve this question

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

share|improve this question

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

edited Dec 10 '18 at 5:32

Teja Bhagavan Kollepara

2,97341847

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

asked Oct 2 '18 at 9:28

Mirko BabicMirko Babic

82

2 Answers
2

active

oldest

votes

0

I was recently employed to remove this malware from a UK based magento website.

The domain is not actually a Google domain, it is malware, see here
https://www.hybrid-analysis.com/sample/c91d1e290fc46ede3930192c80ee1bb42d301e5d23dec47affc44a0a1cdea76f?environmentId=100

You have to go into your mysql database and look at the TRIGGERS, you'll see one that contains the malware. Then delete all the code snippets from your header, footer and static blocks.. the code should not return this time

Delete this entire trigger, then do a full security audit and change all passwords etc.

share|improve this answer

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hello Mark, thanks so much for the input - that solved my problem.
  
  – Mirko Babic
  Oct 4 '18 at 7:25
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Glad to hear, and happy to help. I would also check your magento file and folder permissions as well as checking for any malicious backdoor files such as adminer.php
  
  – Mark Taylor
  Oct 5 '18 at 10:25
  

  
  
  
  

add a comment | 

0

This is a hack mostlty through adminer.php. In magento its inserted into the database as a trigger. The trigger fires after a checkout has been placed and will insert in database (cms_block and core_config_data). Steps to clean:

1. login in adminer or phpmyadmin


2. sql query: SHOW ALL triggers;


3. Delete the trigger from there: DROP TRIGGER IF EXISTS trigger.name


4. replace database with senr(https://interconnectit.com/products/search-and-replace-for-wordpress-databases/comment-page-36/) or you can import export sql file and replace it with editor.


5. remove adminer.php

share

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "479"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f244693%2fmagento-1-9-3-7-google-tag-manager%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

I was recently employed to remove this malware from a UK based magento website.

The domain is not actually a Google domain, it is malware, see here
https://www.hybrid-analysis.com/sample/c91d1e290fc46ede3930192c80ee1bb42d301e5d23dec47affc44a0a1cdea76f?environmentId=100

You have to go into your mysql database and look at the TRIGGERS, you'll see one that contains the malware. Then delete all the code snippets from your header, footer and static blocks.. the code should not return this time

Delete this entire trigger, then do a full security audit and change all passwords etc.

share|improve this answer

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hello Mark, thanks so much for the input - that solved my problem.
  
  – Mirko Babic
  Oct 4 '18 at 7:25
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Glad to hear, and happy to help. I would also check your magento file and folder permissions as well as checking for any malicious backdoor files such as adminer.php
  
  – Mark Taylor
  Oct 5 '18 at 10:25
  

  
  
  
  

add a comment | 

0

I was recently employed to remove this malware from a UK based magento website.

The domain is not actually a Google domain, it is malware, see here
https://www.hybrid-analysis.com/sample/c91d1e290fc46ede3930192c80ee1bb42d301e5d23dec47affc44a0a1cdea76f?environmentId=100

You have to go into your mysql database and look at the TRIGGERS, you'll see one that contains the malware. Then delete all the code snippets from your header, footer and static blocks.. the code should not return this time

Delete this entire trigger, then do a full security audit and change all passwords etc.

share|improve this answer

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hello Mark, thanks so much for the input - that solved my problem.
  
  – Mirko Babic
  Oct 4 '18 at 7:25
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Glad to hear, and happy to help. I would also check your magento file and folder permissions as well as checking for any malicious backdoor files such as adminer.php
  
  – Mark Taylor
  Oct 5 '18 at 10:25
  

  
  
  
  

add a comment | 

I was recently employed to remove this malware from a UK based magento website.

The domain is not actually a Google domain, it is malware, see here
https://www.hybrid-analysis.com/sample/c91d1e290fc46ede3930192c80ee1bb42d301e5d23dec47affc44a0a1cdea76f?environmentId=100

You have to go into your mysql database and look at the TRIGGERS, you'll see one that contains the malware. Then delete all the code snippets from your header, footer and static blocks.. the code should not return this time

Delete this entire trigger, then do a full security audit and change all passwords etc.

share|improve this answer

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

share|improve this answer

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

answered Oct 2 '18 at 16:08

Mark TaylorMark Taylor

16

0

This is a hack mostlty through adminer.php. In magento its inserted into the database as a trigger. The trigger fires after a checkout has been placed and will insert in database (cms_block and core_config_data). Steps to clean:

1. login in adminer or phpmyadmin


2. sql query: SHOW ALL triggers;


3. Delete the trigger from there: DROP TRIGGER IF EXISTS trigger.name


4. replace database with senr(https://interconnectit.com/products/search-and-replace-for-wordpress-databases/comment-page-36/) or you can import export sql file and replace it with editor.


5. remove adminer.php

share

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

This is a hack mostlty through adminer.php. In magento its inserted into the database as a trigger. The trigger fires after a checkout has been placed and will insert in database (cms_block and core_config_data). Steps to clean:

1. login in adminer or phpmyadmin


2. sql query: SHOW ALL triggers;


3. Delete the trigger from there: DROP TRIGGER IF EXISTS trigger.name


4. replace database with senr(https://interconnectit.com/products/search-and-replace-for-wordpress-databases/comment-page-36/) or you can import export sql file and replace it with editor.


5. remove adminer.php

share

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

This is a hack mostlty through adminer.php. In magento its inserted into the database as a trigger. The trigger fires after a checkout has been placed and will insert in database (cms_block and core_config_data). Steps to clean:

1. login in adminer or phpmyadmin


2. sql query: SHOW ALL triggers;


3. Delete the trigger from there: DROP TRIGGER IF EXISTS trigger.name


4. replace database with senr(https://interconnectit.com/products/search-and-replace-for-wordpress-databases/comment-page-36/) or you can import export sql file and replace it with editor.


5. remove adminer.php

share

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011

New contributor

Vince Verhoeven is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 mins ago

Vince VerhoevenVince Verhoeven

1011