Maxflor, posted May 17, 2022

Can someone please help me? I started to see a fictitious payment module on the e-shop. Avast filters it on my computer (JS/Spy.Banker.IV), but on mobile it overlaps my payment methods. Subsequently, it happened that I could not even log in to the admin panel of PrestaShop. Has anyone encountered this, and how can I remove it? Thank you very much for your help.

El Patron, posted May 17, 2022

4 hours ago, Maxflor said:
> Can someone please help me? I started to see a fictitious payment module on the e-shop. Avast filters it on my computer (JS/Spy.Banker.IV), but on mobile it overlaps my payment methods. Subsequently, it happened that I could not even log in to the admin panel of PrestaShop. Has anyone encountered this, and how can I remove it? Thank you very much for your help.

You are going to need to access via FTP to remove the untrusted changes.

Consider posting in the job section to get an affordable tech to help.

When you get it all cleaned up, then consider our cybersecurity module to protect your domain files:
https://www.addons.prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

Maxflor, posted May 17, 2022

I have complete access to the FTP server and soon the point is where to look, and whether anyone here has already had a similar problem and would be able to guide me to fix the error. Well, thank you.

El Patron, posted May 17, 2022

3 minutes ago, Maxflor said:
> I have complete access to the FTP server and soon the point is where to look, and whether anyone here has already had a similar problem and would be able to guide me to fix the error. Well, thank you.

With a proper FTP client you can sort modules and other files by date to try and determine what was last updated. You can also download your shop files and run them through an antivirus, as it may detect it. Also, you should check shop ownership and file permissions.

If you searched before posting, maybe you didn't find anything similar.

Our cybersecurity module detects file changes, additions and deletions, and lets you restore to trusted files with a click. There is no other module like it for any website, so sometimes I like to point it out.

Good luck!

geigerherbert, posted June 22, 2022

Hi there,

did anyone find a way to fix the problem? I think we have to fix the security gap in the code, not only monitor the changes. Has anybody found the way in, where the malware came in? So we could shut this hole down?

Thank you,
Herb

El Patron, posted June 22, 2022

3 hours ago, geigerherbert said:
> Hi there, did anyone find a way to fix the problem? I think we have to fix the security gap in the code, not only monitor the changes. Has anybody found the way in, where the malware came in? So we could shut this hole down? Thank you, Herb

To monitor, you can use our paid module, which is now free to the community.

geigerherbert, posted June 23, 2022

Thanks, monitoring is not the solution. It helps to keep the risk low, but it does not fix the problem.

But what if the attacker stops the monitoring first and then places the malware?

Do you know where the gap is and what possibilities he has?

Maxflor, posted June 23, 2022

3 hours ago, geigerherbert said:
> Thank you, monitoring is not a solution. It helps to keep the risk low, but it does not solve the problem. But what if the attacker first stops the monitoring and then places the malware? Do you know where the gap is and what options he has?

Hi, I found how to remove the fictitious payment module, and the antivirus also found 3 viruses on my server. The payment module adds to the js file - this is usually a file whose name contains capital letters and numbers - so you delete it. We're working to find out where it's coming from. We have changed the complete admin login, and also the names of the passwords to the database. If I find out anything, I will write here.

El Patron, posted June 23, 2022

6 hours ago, Maxflor said:
> Hi, I found how to remove the fictitious payment module, and the antivirus also found 3 viruses on my server. The payment module adds to the js file - this is usually a file whose name contains capital letters and numbers - so you delete it. We're working to find out where it's coming from. We have changed the complete admin login, and also the names of the passwords to the database. If I find out anything, I will write here.

...the module recommended above would help tell you where it's coming from. My 1.4 shop got hacked; I wanted a solution that would monitor shop files and tell me when a change occurs.

I'm not here to sell modules or solicit work. Incredible that you would just disregard this option. ave mari

Also, you did not mention changing FTP; you will want to do that...

A cute trick: once you restore a corrupted file, make it read-only....

Maxflor, posted June 23, 2022

I'm going to try to download and see

Maxflor, posted July 7, 2022

I tried your module; it shows the changes, but I don't know how to remove them. I did a complete latest installation of PS to 1.7.8.6 and an update of all modules. Changed all passwords. A few days passed and I have the virus again: the fictitious payment module, and I can't log in to the admin panel. I don't know how to deal with it - it always attacks the files /classes/db/Db.php - /classes/Hook.php - /controllers/admin/AdminLoginController.php - /classes/Dispatcher.php - /classes/Hook.php and inserts the file /app/Mage.php. I don't know how to find out whether it comes from a module or from somewhere else. I also have the output from your module - see attachment. Could you please advise me?

northon, posted July 9, 2022

Hello,

we have faced the same issue on one of our PS 1.6 shops. I would advise you to run a check for malware (or ask your hosting provider to do it for you), check for obfuscated code (base64, non-human-readable code) and check for changed files on the server, in case there is anything you have not edited yourself. We found a phishing kit on the server this way (test.php), but I am not certain it is related.

You can make corrupted files read-only, as El Patron says, to prevent this happening in future.

In our case, there was no need to reinstall PrestaShop. What helped us:

- replacing the /classes and /controllers folders with the ones from backup
- deleting cache/class_index.php
- deleting the fake payment gateway js/O7Iop.js (probably random numbers and letters)
- deleting /js/js-retro-compat.php
- replacing /tools/smarty/sysplugins/smarty_internal_templatebase.php with the one from backup (with DEV_MODE turned on, we got this backend error: syntax error, unexpected '<' - none of the templates were compiling due to a code change in this file)
- clearing cache

Of course, make a backup of all files before deleting anything.

Hope it helps.

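The changed-file and obfuscated-code checks suggested in the posts above, as an added example that is not part of any post in this thread: it compares a downloaded copy of the shop against a trusted copy and flags files matching common obfuscation markers. It assumes you have both trees on local disk (a backup or a fresh release of the same PrestaShop version as the trusted one); the function names are hypothetical and the demo file contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of obfuscated PHP/JS; a hit means "review this file", not proof.
SUSPICIOUS = re.compile(rb"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(|[A-Za-z0-9+/=]{200,}")
SCANNED = {".php", ".js", ".tpl"}


def index(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean, live):
    """Diff the downloaded shop (live) against a trusted copy (clean)."""
    good, cur = index(clean), index(live)
    return {
        "modified": sorted(f for f in cur if f in good and cur[f] != good[f]),
        "added": sorted(f for f in cur if f not in good),
        "missing": sorted(f for f in good if f not in cur),
    }


def flag_obfuscated(live):
    """Relative paths of PHP/JS/template files matching an obfuscation marker."""
    return sorted(p.relative_to(live).as_posix() for p in live.rglob("*") if p.is_file()
                  and p.suffix in SCANNED and SUSPICIOUS.search(p.read_bytes()))


def build_demo(base):
    """Constructed sample trees: file names from the thread, contents invented."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "classes").mkdir(parents=True)
        (root / "classes" / "Hook.php").write_text("<?php class Hook {}\n")
    (live / "js").mkdir()
    (live / "classes" / "Hook.php").write_text(
        "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); class Hook {}\n")
    (live / "js" / "O7Iop.js").write_text("/* constructed placeholder */\n")
    return clean, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo(Path(tmp))
        print(compare_trees(clean, live), flag_obfuscated(live))
```

Generated files such as cache/class_index.php will show up under "added" when the trusted copy is a fresh release, and a regex hit is only a pointer for manual review.
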
El Patron, posted July 10, 2022

On 7/7/2022 at 1:59 AM, Maxflor said:
> I tried your module; it shows the changes, but I don't know how to remove them. I did a complete latest installation of PS to 1.7.8.6 and an update of all modules. Changed all passwords. A few days passed and I have the virus again: the fictitious payment module, and I can't log in to the admin panel. I don't know how to deal with it - it always attacks the files /classes/db/Db.php - /classes/Hook.php - /controllers/admin/AdminLoginController.php - /classes/Dispatcher.php - /classes/Hook.php and inserts the file /app/Mage.php. I don't know how to find out whether it comes from a module or from somewhere else. I also have the output from your module - see attachment. Could you please advise me?

If the module is installed after the untrusted change, then the good files are not stored in the vault, so they cannot be restored.

Once you are clean, then you will have the vault for backups.

Nickz, posted July 10, 2022

On 6/22/2022 at 10:49 PM, geigerherbert said:
> Thanks, monitoring is not the solution. It helps to keep the risk low, but it does not fix the problem.

The best way to fix the problem is to install a new shop on a different server where you have ultimate control.