Edit History

manolo

On 7/22/2022 at 9:59 PM, mandrake said:

Good evening, thanks for the information!

The file config/smarty.config.inc.php in version 1.6.0.8 is different.

The portion of code indicated for removal is not found there.

Does anyone have an idea which part to remove in this version?

Thanks.

Hello, I have the same problem; my version is 1.6.0.6 and the file config/smarty.config.inc.php is similar to yours (my written French is not very good, so I'm switching to English).

When I try to enter the admin panel, I enter the email and the password, and it takes me to index.php?controller=AdminLogin&token=a26cBLABLABLA...&redirect=AdminDashboard, but there is no message or screen change. I'm not a PrestaShop developer so I don't know exactly what the problem is, because it seems to log into PrestaShop but the screen maybe does not change because smarty is corrupt.

I have analyzed the previous days' logs and I have seen some suspicious GET/POST requests from IP 92.205.110.171 using a python script; here is the sequence:

92.205.110.171 - - [18/Jul/2022:03:53:11 +0000] "GET /en//modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:13 +0000] "GET /en//modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:17 +0000] "GET /en//modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:19 +0000] "GET /en//modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:23 +0000] "GET /en//modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:26 +0000] "GET /en//modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:29 +0000] "POST /en//modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:32 +0000] "POST /en//modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 67325 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:36 +0000] "GET /en//modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:39 +0000] "POST /en//modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:43 +0000] "POST /en//modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:47 +0000] "GET /en//modules/verticalmegamenus/images/temps/xsam_xadoo_bot.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:48 +0000] "POST /en//modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:51 +0000] "GET /en//modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 67203 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:55 +0000] "POST /en//modules/vtemskitter/uploadimage.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:57 +0000] "GET /en//modules/vtemskitter/img/xsam_xadoo_bot.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:59 +0000] "POST /en//modules/blocktestimonial/addtestimonial.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:54:03 +0000] "GET /en//upload/xsam_xadoo_bot.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:54:06 +0000] "POST /en//modules/blocktestimonial/addtestimonial.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"

The files changed (excluding smarty ones) are the following:

cache/push/activity
cache/push/trends
config/xml/default_country_modules_list.xml
config/xml/tab_modules_list.xml
config/xml/must_have_modules_list.xml
modules/paypal
modules/paypal/views/img/logos/ES_PayPal_logo_80x35.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_37x23.jpg
modules/paypal/views/img/logos/ES_PayPal_logo_100x45.gif
modules/paypal/views/img/logos/default_PayPal_logo_80x35.gif
modules/paypal/views/img/logos/ES_PayPal_mark_60x38.gif
modules/paypal/views/img/logos/default_PayPal_logo_150x65.gif
modules/paypal/views/img/logos/ES_PayPal_mark_50x34.gif
modules/paypal/views/img/logos/default_PayPal_logo_100x45.gif
modules/paypal/views/img/logos/default_PayPal_mark_37x23.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_111x69.jpg
modules/paypal/views/img/logos/default_PayPal_mark_50x34.gif
modules/paypal/views/img/logos/ES_vertical_solution_PP.gif
modules/paypal/views/img/logos/default_PayPal_mark_60x38.gif
modules/paypal/views/img/logos/ES_PayPal_mark_37x23.gif
modules/paypal/views/img/logos/ES_horizontal_solution_PP.gif
modules/paypal/views/img/logos/ES_PayPal_logo_150x65.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_74x46.jpg
modules/paypal/views/img/logos/FR_logo_paypal_moyens_paiement_fr.jpg
modules/gamification/data/data_ES_EUR_ES.json

So it seems they are hacking the paypal module to pick up the data typed by the payer. Also the gamification module was changed, but I'm not sure if this is because of the hackers.

Today, Monday 25 July, after analyzing I think that the shop was not attacked. I have reviewed the backup files and only some gif and jpg files at modules/paypal/views/img/logos were changed, and their content is images (so probably the paypal module updated the logos). Also the gamification module changed a json file, but I think it is the same, just some update done by the module.

Therefore my conclusion is that in this particular shop's case there was no attack; maybe the version is too old to be attacked.
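As an added example (not from the post, and not PrestaShop code), a defender-side triage of access-log lines in the format quoted above: it groups requests per client IP, counts probes for the webshell paths the scanner tried, and escalates only when one of those paths returned a 2xx, which is what separates "probing only" (every probe 404, as in the post) from "the file exists on the server". The sample lines are constructed: TEST-NET addresses stand in for the real client, and the 200 response is invented to exercise the escalation branch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the access-log entries quoted in the post.
# 203.0.113.5 / 198.51.100.7 are TEST-NET addresses, and the final 200 response
# is invented to show what an existing webshell would look like.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2022:03:53:11 +0000] "GET /en//modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
203.0.113.5 - - [18/Jul/2022:03:53:19 +0000] "POST /en//modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
203.0.113.5 - - [18/Jul/2022:03:53:21 +0000] "GET /en//modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 67203 "-" "python-requests/2.27.1"
203.0.113.5 - - [18/Jul/2022:03:53:25 +0000] "GET /en//upload/xsam_xadoo_bot.php HTTP/1.1" 200 31 "-" "python-requests/2.27.1"
198.51.100.7 - - [18/Jul/2022:03:55:02 +0000] "GET /en/index.php?controller=AdminLogin HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Paths the post shows being probed: PHPUnit's eval-stdin.php and the webshell names
# the scanner tried to reach after each upload attempt.
WEBSHELL_PATHS = re.compile(r'eval-stdin\.php|xsam_xadoo_bot\.php|XsamXadoo_Bot_Rce\.php', re.I)
SCRIPTED_UA = re.compile(r'python-requests|curl|Go-http-client', re.I)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def triage(log_text):
    """Per client IP: count webshell probes, note a scripted user agent and the time
    span of the burst, and escalate if any webshell path answered with a 2xx."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        probes = [r for r in recs if WEBSHELL_PATHS.search(r["path"])]
        if not probes:
            continue  # ordinary traffic, nothing to report for this client
        hits = [r["path"] for r in probes if 200 <= r["status"] < 300]
        findings[ip] = {
            "probes": len(probes),
            "scripted_ua": any(SCRIPTED_UA.search(r["ua"]) for r in recs),
            "window_seconds": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "severity": "check_webroot_now" if hits else "probing_only",
            "existing_webshell_paths": hits,
        }
    return findings
```

Run it over a real access log and every flagged IP whose probes all returned 404 corresponds to the situation described in the post; a `check_webroot_now` finding names the exact path to inspect on disk.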

manolo

On 7/22/2022 at 9:59 PM, mandrake said:

Good evening, thanks for the information!

The file config/smarty.config.inc.php in version 1.6.0.8 is different.

The portion of code indicated for removal is not found there.

Does anyone have an idea which part to remove in this version?

Thanks.

Hello, I have the same problem; my version is 1.6.0.6 and the file config/smarty.config.inc.php is similar to yours (my written French is not very good, so I'm switching to English).

When I try to enter the admin panel, I enter the email and the password, and it takes me to index.php?controller=AdminLogin&token=a26cBLABLABLA...&redirect=AdminDashboard, but there is no message or screen change. I'm not a PrestaShop developer so I don't know exactly what the problem is, because it seems to log into PrestaShop but the screen maybe does not change because smarty is corrupt.

I have analyzed the previous days' logs and I have seen some suspicious GET/POST requests from IP 92.205.110.171 using a python script; here is the sequence:

92.205.110.171 - - [18/Jul/2022:03:53:11 +0000] "GET /en//modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:13 +0000] "GET /en//modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:17 +0000] "GET /en//modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:19 +0000] "GET /en//modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:23 +0000] "GET /en//modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:26 +0000] "GET /en//modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:29 +0000] "POST /en//modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:32 +0000] "POST /en//modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 67325 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:36 +0000] "GET /en//modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:39 +0000] "POST /en//modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:43 +0000] "POST /en//modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:47 +0000] "GET /en//modules/verticalmegamenus/images/temps/xsam_xadoo_bot.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:48 +0000] "POST /en//modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 67211 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:51 +0000] "GET /en//modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 67203 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:55 +0000] "POST /en//modules/vtemskitter/uploadimage.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:57 +0000] "GET /en//modules/vtemskitter/img/xsam_xadoo_bot.php HTTP/1.1" 404 67209 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:53:59 +0000] "POST /en//modules/blocktestimonial/addtestimonial.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:54:03 +0000] "GET /en//upload/xsam_xadoo_bot.php HTTP/1.1" 404 67205 "-" "python-requests/2.27.1"
92.205.110.171 - - [18/Jul/2022:03:54:06 +0000] "POST /en//modules/blocktestimonial/addtestimonial.php HTTP/1.1" 404 67207 "-" "python-requests/2.27.1"

The files changed (excluding smarty ones) are the following:

cache/push/activity
cache/push/trends
config/xml/default_country_modules_list.xml
config/xml/tab_modules_list.xml
config/xml/must_have_modules_list.xml
modules/paypal
modules/paypal/views/img/logos/ES_PayPal_logo_80x35.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_37x23.jpg
modules/paypal/views/img/logos/ES_PayPal_logo_100x45.gif
modules/paypal/views/img/logos/default_PayPal_logo_80x35.gif
modules/paypal/views/img/logos/ES_PayPal_mark_60x38.gif
modules/paypal/views/img/logos/default_PayPal_logo_150x65.gif
modules/paypal/views/img/logos/ES_PayPal_mark_50x34.gif
modules/paypal/views/img/logos/default_PayPal_logo_100x45.gif
modules/paypal/views/img/logos/default_PayPal_mark_37x23.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_111x69.jpg
modules/paypal/views/img/logos/default_PayPal_mark_50x34.gif
modules/paypal/views/img/logos/ES_vertical_solution_PP.gif
modules/paypal/views/img/logos/default_PayPal_mark_60x38.gif
modules/paypal/views/img/logos/ES_PayPal_mark_37x23.gif
modules/paypal/views/img/logos/ES_horizontal_solution_PP.gif
modules/paypal/views/img/logos/ES_PayPal_logo_150x65.gif
modules/paypal/views/img/logos/FR_pp_cc_mark_74x46.jpg
modules/paypal/views/img/logos/FR_logo_paypal_moyens_paiement_fr.jpg
modules/gamification/data/data_ES_EUR_ES.json

So it seems they are hacking the paypal module to pick up the data typed by the payer. Also the gamification module was changed, but I'm not sure if this is because of the hackers.

As mandrake says, what can we do?

How can I enter the back office? (As I said, when I enter the right user and password the screen content remains the same.)

If I succeed in entering the back office, will the attackers be unable to enter just by my disabling smarty?

I hope some of you have some answers. Thanks in advance if you have any advice to help me.