What You Need to Know About the Visbot Malware

Visbot is a particular type of malware that is found on hacked Magento stores. It intercepts POST requests to the server (so anything submitted by visitors, such as passwords and payment data), encrypts it and stores it into an hidden image file. This “image” is periodically retrieved by criminals and – presumably – sold on the black market. Learn all about Visbot malware in this article.


The first documented case of Visbot malware goes back to March 2015. At the end of 2016, about 7000 Magento stores globally have been found running the malware.


Visbot is a symptom of a hacked store. Our hosting platform Hypernode protects against further Visbot abuse. However, the very existence of Visbot is a sign that hackers have taken control of your store. The most ubiquitous ways for hackers to get in are Shoplift (patch 5344) exploitation or the use of weak admin passwords.


The actual Visbot malware is usually hidden in app/Mage.php or includes/config.php, as these files are run on every page load. You can run a simple scan for find Visbot like this:

grep -r Visbot --include='*.php' /my/document/root

But a better protection is to use a specialized Magento malware scanner.

To check whether your store still runs the Visbot malware, you can check MageReport.com or run this command:

curl -H 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)' http://my-site.com

If you get Pong, it means that Visbot is still active.

Visbot stores its intercepted POST data in random locations. In the wild, we have seen locations such as these:

/media/catalog/category/<various files>


See our instructions on how to recover a hacked Magento store.

Are you a Hypernode customer? Our intrusion prevention rules filter almost all known attacks. But if you happen to migrate a previously hacked store to our platform, our support team will contact you to get it resolved quickly.