ezh Posted August 8, 2022
Please help. https://www.sammuke.ee/en/13-kids-shoes Place any of the items into the cart and you will get a PayPal form that actually should not appear at this stage. Kaspersky warns about Trojan.Generic (so I had to pause the protection to see the actual PayPal form). That form appears when you open any orders in the admin center. How to fix it, and how to prevent it in the future? I must add that we are selling off the stock and will then close the shop, so neither an upgrade (even minor 1.6.1.+ updates ruined the shop functionality) nor a big update is an option. Tnx.
Novalamp Posted August 10, 2022
Hi, did you manage to solve the problem? I have had the same case since yesterday in my store.
ezh (Author) Posted August 10, 2022
Nope... No one answered.
sorinsxtj Posted August 10, 2022
Same here. PrestaShop 1.7.4.2. When I try to select a payment method, it opens a PayPal page.
Novalamp Posted August 10, 2022
Below you have the probable cause: https://build.prestashop.com/news/major-security-vulnerability-on-prestashop-websites/
JBW Posted August 10, 2022
I have seen this in a client's shop. The virus/hacker changed some files in /classes/controller and added js and php files in several locations on the server to inject the fake PayPal form. The issue can be fixed by replacing these files with the originals and deleting the additional ones, but on top of that you have to investigate the backdoor, how they got onto the server, e.g. the known issue posted by @Novalamp.
sorinsxtj Posted August 10, 2022
Yes, they changed something, but how to find what and where? I sent the site and database to one of our members, and he found something regarding adfs.contiwan.com. But I don't know where and how to start, and I cannot afford his fee to solve it.
ezh (Author) Posted August 10, 2022
For sammuke.ee, it seems this part of it helps: "To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6)", and the example found there.
sorinsxtj Posted August 10, 2022
Can someone also help me? /index.php?controller=order is opening another site, a fake PayPal.
ezh (Author) Posted August 10, 2022
23 minutes ago, ezh said: For sammuke.ee, it seems this part of it helps: "To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6)", and the example found there.
Here is the cure.
sorinsxtj Posted August 10, 2022
Guys, I fixed it for now. I replaced all the files I saw attacked in Imunify360, and all is OK now. I don't know if I will have problems with the database later; should I clean it up? I run version 1.74 of Presta. Should I also delete lines 43-46 from the config smarty?
HeineFR Posted August 10, 2022
The lines in the smarty config are just there to prevent the hacker from manipulating files with an SQL injection, like he did. But if you didn't find what the hacker used to inject his SQL query, he could still at least steal your DB data.
sorinsxtj Posted August 10, 2022
So changing all passwords and deleting those lines does not really help?
HeineFR Posted August 10, 2022
"Only" this, nope. You must find which modules or known vulnerability the hacker used and patch it. And more: once he gets full access to your hosting, he could put a backdoor in to easily come back again.
sorinsxtj Posted August 10, 2022
I can only update all modules. I still use some from Presta 1.6. Or quit Presta, or move to Amazon. What, hackers don't have better things to do than annoying me with a little shop?
HeineFR Posted August 10, 2022
You should pay somebody to do it... hackers can get your customers' personal info to make good phishing...
sorinsxtj Posted August 10, 2022 (edited)
What can I say? Maybe it is better to quit open source software; at least I will have to agree with an EULA. Yes, I will quit PrestaShop, even if I will have to work a lot. Sorry, I am just angry because of these attacks on my shop. I hope I will get over them somehow.
Edited August 10, 2022 by sorinsxtj
HeineFR Posted August 10, 2022
The main problem isn't PrestaShop. If you keep the version up to date and check third-party module code, you won't have any problem, and PrestaShop can do everything you want. If you don't have the knowledge to administer a PrestaShop website, you need to hire somebody for some tasks or work with a specialized PrestaShop hosting with maintenance.
ezh (Author) Posted August 10, 2022
For me, disabling the smarty fixed the PayPal form appearance.
El Patron Posted August 12, 2022 (edited)
To prevent this in the future, use our PrestaVault module. At installation it will create a secure vault of your filesystem. Add a cron or run it manually to receive alerts of new/deleted/changed files; commit trusted changes to the vault; restore untrusted changes from the vault. https://www.addons.prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346635983
Edited August 12, 2022 by El Patron
sorinsxtj Posted August 12, 2022 (edited)
I will reply again in this topic. It could be a long message, but I hope that it can be useful for the many noobs like me who are using Presta. PrestaVault sounds very good and is not expensive, but what will happen if they take control of your back panel and simply disable the module? For this I will tell the whole story about what happened to me. Maybe it can be useful also for experienced guys. If it is too much to read, just ignore it.

* First I got the info via email that older Presta can be hacked with an injection... bla bla, you could find in your shop root the file blm.php. I did not pay much attention because I was on holiday and thought that the super guys would solve it fast; plus I am a very small shop, nobody wants anything from me. I checked: the blm.php was there, Smarty on, etc., but nothing strange on the site. Imunify360 showed some files cleaned, all OK.

Then, surprise. I tried to make an order on my site and when I had to choose the payment method, a window that looks almost exactly like my theme appeared and asked me for my credit card details. It was almost perfect; somebody worked on it. If I filled in all the data in that window (even writing wrong data there), the window vanished and returned me to the standard payment page of my website, and it never appeared again. But then I had a doubt and created another customer account. Same window, until I completed all fields with credit card details. I said oops, and since I was on holiday and there was not much activity, I asked my host to roll back a backup and reset my cPanel/FTP password, switched off SMARTY, and all was OK then. What I DID NOT do was to change also the password of the shop, and to check if there was also some new user in the back panel.

SO, after a week or so, a client called me that he does not have a PayPal account and cannot order, but he needs that tool very fast. OOPS again. Smarty ON, try to order something on my site... PayPal screen.

Believe me that I was frustrated. I don't have enough knowledge to repair it; Google, forums, a guy that I know who is a developer on holiday, bla bla, friendly guys, the cheapest one was 600 EUR. The sky fell on me.

Now what I did is the most important thing in this love story. I have seen in the root of the site a file b2b.php. I don't have a B2B shop, so I deleted it; nothing happened, it has 0 bytes, but I figured out they replaced the blm file with b2b. Then I opened Imunify360 in cPanel and noted all files attacked and cured by it (see the pic below), and replaced manually all those files from a backup from before the attacks. I will maybe have some problems with the database later (like I had when I deleted test orders from the search bar of the browser, don't do that; anyway that is another topic). Made a clean-up of orphan things in my phpMyAdmin. And hallelujah, all back to normal.

Then I changed again the cPanel password, this time ALSO THE SHOP PASSWORD, the email passwords of that domain, and did a full scan of all PCs used for work. Then every day, several times, I check if new files appeared in the root of my site, and Smarty is OFF. I will see the results anyway on Monday, because both attacks took place on the weekend when hackers are bored, I suppose. And for sure I will buy the PrestaVault module according to the suggestion of @El Patron; it should be useful. Sorry once again for the long bla bla, I hope it can help somebody in the future.
Edited August 12, 2022 by sorinsxtj
Maxflor Posted August 15, 2022 (edited)
On 8/12/2022 at 7:24 PM, sorinsxtj said: I will reply again in this topic. It could be a long message, but I hope that it can be useful for the many noobs like me who are using Presta. [...] Sorry once again for the long bla bla, I hope it can help somebody in the future.
I replaced and deleted all the files you listed here and I still can't log into the back office 😕 Can you give me any advice on what to try? Well, thank you.
Edited August 15, 2022 by Maxflor
El Patron Posted August 15, 2022 (edited)
What if, lol. Yes, if you cannot get in via admin, PrestaVault is not helpful to restore. But via cron PrestaVault will tell you what changed. Surface assault monitor and protection; I rule the pool in PS, including solving hacked shops. Tip: add the Russian language pack, localize on browser language, they will bypass you. Priceless.
Edited August 15, 2022 by El Patron
lubomirpospisil12 Posted September 15, 2022
I have a compromised website: https://cestabrno.cz/module/supercheckout/supercheckout How do I find the files that were placed there? I have already removed the lines from "config/smarty.config.inc.php".
El Patron Posted September 15, 2022
Via FTP, download all your shop files. You can then sort by date modified to identify changes recently made. Also you can run antivirus on the files on your PC. Change all FTP passwords. Also on hosting, see if Imunify (I think that is the name) is available; it can find some malware. Look for the module PrestaVault: once clean, install this and it will monitor your shop files and detect new, changed or deleted files, and it supports restore of untrusted files. Good luck!
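The "sort by date modified" and "detect new, changed or deleted files" advice above, as a small stand-alone integrity check: hash a trusted copy of the shop tree once, re-hash later, diff the two, and flag the two patterns this thread keeps describing (a new .php dropped in the shop root like blm.php/b2b.php, and edits under classes/controller). This is an added example, not PrestaVault's or any poster's code; the skipped directory names and the sample tree in demo() are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: a typical PrestaShop layout; these top-level dirs churn legitimately and are skipped.
NOISY_DIRS = {"var", "cache", "img", "log", "upload", "download"}

def hash_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root) -> dict:
    """Map every relative path under root (minus noisy dirs) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel.parts and rel.parts[0] in NOISY_DIRS:
            dirnames[:] = []  # do not descend into the noisy tree
            continue
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def diff_manifests(baseline: dict, current: dict) -> dict:
    """What appeared, vanished or changed since the trusted baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

def flag_suspicious(diff: dict) -> list:
    # Patterns the thread describes: a new .php dropped in the shop root (blm.php,
    # b2b.php) and edits to core files under classes/controller that nobody deployed.
    root_php = [p for p in diff["added"] if "/" not in p and p.endswith(".php")]
    core = [p for p in diff["added"] + diff["changed"] if p.startswith("classes/controller/")]
    return ([f"new PHP file in shop root: {p}" for p in root_php]
            + [f"core controller touched: {p}" for p in core])

def demo() -> dict:
    """Constructed sample tree: take a baseline, simulate the tampering, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "classes" / "controller").mkdir(parents=True)
        (root / "cache").mkdir()
        (root / "classes/controller/FrontController.php").write_text("<?php // original\n")
        (root / "index.php").write_text("<?php // shop entry point\n")
        (root / "cache" / "x.tmp").write_text("compiled template")
        baseline = build_manifest(root)
        # Simulated tampering (constructed): controller edited, empty b2b.php dropped in root, cache churn.
        (root / "classes/controller/FrontController.php").write_text("<?php // injected\n")
        (root / "b2b.php").write_text("")
        (root / "cache" / "x.tmp").write_text("recompiled template")
        diff = diff_manifests(baseline, build_manifest(root))
        diff["flags"] = flag_suspicious(diff)
        return diff
```

In real use, build the baseline from a backup or a fresh download known to be clean, store it off the server, and run the comparison from cron so that a compromised back office cannot silently switch it off.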
sorinsxtj Posted September 15, 2022
@lubomirpospisil12, I found those files from cPanel with Imunify360. Look in the log at what has been attacked, if your host is using this software. Your host should use something anyway; look in the report. And make a backup first of your files and database. In case of failure your host should have a monthly backup at least, or I hope so. You should change all your passwords then, even the email ones.
lubomirpospisil12 Posted September 16, 2022
@sorinsxtj Thank you for your reply. I don't have access to Imunify360. Or I don't know how to use it, but I don't think my hosting will allow me to use cPanel. How to browse those files locally?
sorinsxtj Posted September 16, 2022
You should have access to cPanel and FTP. Just ask your host for the credentials and address.
lubomirpospisil12 Posted September 16, 2022
@sorinsxtj I have access to FTP but not to cPanel... I don't think my hosting supports it. For info: I found the infected files in the folder /classes/controller/. But they changed again overnight. The virus changed them again. I deleted all the old FTP accounts. What should I do next? Thank you.
sorinsxtj Posted September 16, 2022 (edited)
I think you should do a scan of your files with an antivirus. The easy way is via cPanel. Also take a look at the files in the root of your shop. In my case there was a file called B2B.php. B2B sounds like a file that is from the shop, but it was not. And change also the back office password.
Edited September 16, 2022 by sorinsxtj
idnovate.com Posted September 21, 2022
Is the script from @Eolia not useful for this?
Eolia Posted September 21, 2022
My script detects these bad files (in js files) ^^
Nickz Posted September 21, 2022
The most secure form of handling a hack is to redo the entire shop. Start with a clean slate, just as with your PC when it has a virus.
Eolia Posted September 21, 2022
It's not a PC virus but a js injection allowed by a module...
Nickz Posted September 21, 2022
9 hours ago, Eolia said: It's not a PC virus but a js injection allowed by a module...
Reading must be difficult. Quote: "Start with a clean slate, just as with your PC when having a virus."
El Patron Posted September 27, 2022
On 9/21/2022 at 8:01 AM, Nickz said: The most secure form of handling a hack is to redo the entire shop. Start with a clean slate, just as with your PC when having a virus.
I disagree; there has been plenty of good advice here. We have fixed several hacked shops over the years, and even have our own sfw, all without ever redoing the entire shop. What does that even mean? What about the module that is vulnerable, how is that solved? Reading is not difficult; your advice is a novice idea.
Eolia Posted September 27, 2022
46 minutes ago, PrestaHeroes.com said: How is that solved?
They used my script ^^
Nickz Posted September 28, 2022
20 hours ago, PrestaHeroes.com said: Reading is not difficult; your advice is a novice idea.
Do you really believe that the users of this forum are at your level of expertise? Would you advise someone without any IT insight to remove rather than rebuild? Really?