karcharoth Posted August 2 (edited)

My sites keep getting hacked with the following trojan mentioned in this thread: Prestashop 1.6 trojan. New method. I have searched the logs and found the part responsible for the attack:

spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:12 +0200] "POST /admin123/ajax-tab.php?rand=1668337335767 HTTP/1.1" 200 1110 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:14 +0200] "GET /admin123 HTTP/1.1" 301 496 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:14 +0200] "GET /admin123/ HTTP/1.1" 302 1027 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:15 +0200] "GET /admin123/index.php?controller=AdminDashboard&token=7480da1f86d8f689ef56741572277611 HTTP/1.1" 200 28914 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:17 +0200] "POST /admin123/index.php?controller=AdminModules&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 302 1156 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:43 +0200] "GET /admin123?controller=AdminModules&install=doofinder&tab_module=others&module_name=doofinder&anchor=Doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 301 792 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:43 +0200] "GET /admin123/?controller=AdminModules&install=doofinder&tab_module=others&module_name=doofinder&anchor=Doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 200 1155 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:45 +0200] "GET /admin123?controller=AdminModules&delete=doofinder&tab_module=others&module_name=doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 301 752 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:45 +0200] "GET /admin123/?controller=AdminModules&delete=doofinder&tab_module=others&module_name=doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 302 1190 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:46 +0200] "GET /admin123/index.php?controller=AdminModules&conf=22&token=02c1b073920cf96f1b62560fc2f0bad5&tab_module=others&module_name=doofinder HTTP/1.1" 200 137033 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:51 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:52 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:54 +0200] "GET /api_1.php HTTP/1.1" 200 4479 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:55 +0200] "POST /api_1.php HTTP/1.1" 200 4557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:57 +0200] "POST /api_1.php HTTP/1.1" 301 4536 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:58 +0200] "GET /api_1.php HTTP/1.1" 200 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:00 +0200] "POST /api_1.php HTTP/1.1" 200 4631 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:00 +0200] "POST /api_1.php HTTP/1.1" 200 349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:01 +0200] "POST /api_1.php HTTP/1.1" 200 386 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:01 +0200] "POST /api_1.php HTTP/1.1" 200 390 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 338 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 336 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:03 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:03 +0200] "POST /api_1.php HTTP/1.1" 200 382 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 364 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 366 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 356 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:05 +0200] "POST /api_1.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:05 +0200] "POST /api_1.php HTTP/1.1" 200 367 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:06 +0200] "POST /api_1.php HTTP/1.1" 200 369 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:06 +0200] "POST /api_1.php HTTP/1.1" 200 359 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 379 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 377 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 377 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 336 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 394 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:10 +0200] "POST /api_1.php HTTP/1.1" 200 379 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:10 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:11 +0200] "POST /api_1.php HTTP/1.1" 200 334 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:11 +0200] "POST /api_1.php HTTP/1.1" 200 353 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 352 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 352 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 355 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:13 +0200] "POST /api_1.php HTTP/1.1" 200 367 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:13 +0200] "POST /api_1.php HTTP/1.1" 200 354 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 353 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 341 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 334 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 343 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:17 +0200] "POST /api_1.php HTTP/1.1" 200 389 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:17 +0200] "POST /api_1.php HTTP/1.1" 200 376 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:20 +0200] "POST / HTTP/1.1" 301 4527 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:21 +0200] "GET / HTTP/1.1" 301 834 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:23 +0200] "GET /pl/ HTTP/1.1" 200 42977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:24 +0200] "POST /api_1.php HTTP/1.1" 200 349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:25 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:27 +0200] "POST /api_1.php HTTP/1.1" 200 4714 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:29 +0200] "POST /api_1.php HTTP/1.1" 200 8672 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:31 +0200] "POST /api_1.php HTTP/1.1" 200 4622 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:32 +0200] "POST /api_1.php HTTP/1.1" 200 4606 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:34 +0200] "POST /api_1.php HTTP/1.1" 200 4635 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:36 +0200] "POST /api_1.php HTTP/1.1" 200 4585 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:39 +0200] "POST /api_1.php HTTP/1.1" 200 4749 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:03 +0200] "POST /api_1.php HTTP/1.1" 200 4626 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:10 +0200] "POST /api_1.php HTTP/1.1" 200 4550 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:17 +0200] "POST /api_1.php HTTP/1.1" 200 4550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:22 +0200] "POST /api_1.php HTTP/1.1" 200 4579 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:24 +0200] "POST /api_1.php HTTP/1.1" 200 4554 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:25 +0200] "GET /api_1.php HTTP/1.1" 301 4536 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:27 +0200] "GET /api_1.php HTTP/1.1" 404 158928 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"

It seems that the hackers somehow accessed the back-office, installed the module named `doofinder` and posted a compromised file api_1.php, which has been executed and has infected the PrestaShop files. But I can't find out how they entered - I guess the most probable cause is a broken password, right? We are still using the old PS 1.6.1.20 (we are updating all the shops to PS 8.1.7 soon, but need approx. a month to finish the migration). So we need to secure the shops for this period of time to prevent attacks from happening. We have already changed the admin folder name and all the user passwords. Any thoughts/hints about the issue?

Edited August 2 by karcharoth
Prestashop Addict Posted August 2

First, you should change the admin folder name; it is too simple 😞. Then alert the doofinder editor that they have a security issue; this is important.
karcharoth (Author) Posted August 2 (edited)

Quote:
First, you should change the admin folder name; it is too simple 😞. Then alert the doofinder editor that they have a security issue; this is important.

The admin folder name has already been changed. As to the module - well, the point is that the doofinder module was never present in any of our shops - I have never used it, never uploaded it, never heard about it. The scenario is quite similar to this vulnerability https://build.prestashop-project.org/news/2022/major-security-vulnerability-on-prestashop-websites/, but the hackers didn't execute any real module .php file. We have also applied the given fix (edit config/smarty.config.inc.php on the PrestaShop install and remove lines 40-43 (PrestaShop 1.6)), but it did not solve the problem.

Edited August 2 by karcharoth
Mmargi Posted August 4

Same problem this morning. Presta 1.7.8.10; the admin page was changed to something based on the Czech language with letters changed to numbers.... Here is a little piece of the log, maybe not important; at this time my priority is to fix the eshop (orders are working, login to the admin interface not, without error). I will load my eshop from yesterday's backup (I hope the fucker changed only files, not the DB...) and after that I will extract the whole log and put it here. The IP is of my nginx forwarder; the fucker came from 95.164.38.97

10.0.0.253 - - [04/Aug/2024:04:52:18 +0200] "GET / HTTP/1.0" 200 14571 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:20 +0200] "GET /adm1n1strac3 HTTP/1.0" 301 745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:20 +0200] "GET /adm1n1strac3/ HTTP/1.0" 302 1282 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:21 +0200] "GET /adm1n1strac3/index.php?controller=AdminLogin&token=c69cae45444ddf3c8601395264092cfd HTTP/1.0" 200 3369 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:21 +0200] "POST /adm1n1strac3/ajax-tab.php?rand=1668337335767 HTTP/1.0" 200 1895 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:23 +0200] "GET /adm1n1strac3 HTTP/1.0" 301 745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:23 +0200] "GET /adm1n1strac3/ HTTP/1.0" 302 1509 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:23 +0200] "GET /adm1n1strac3/index.php?controller=AdminOrders&token=a6ba9d09f9c379d8016330d02def9575 HTTP/1.0" 302 1339 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:24 +0200] "GET /adm1n1strac3/index.php/sell/orders/?token=a6ba9d09f9c379d8016330d02def9575&_token=_5_DlF2K3rY-VGUWvjGh4ltmvwixViivxM4V5w-2w-M HTTP/1.0" 200 35436 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
10.0.0.253 - - [04/Aug/2024:04:52:28 +0200] "POST /modules/purls/override/controllers/front/CategoryController.php HTTP/1.0" 301 990 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
Prestashop Addict Posted August 5

This IP 95.164.38.97 is a VPN at Oslo, so it doesn't give any information. If the attacker has entered the BO, there are several possibilities:
- He knows a superadmin account
- You still have a security hole
- Your mail or computer has been hijacked with spyware

Try to find where the hole is. For that I recommend this procedure:
1. Restore a backup (files and database)
2. Rename your back-office folder
3. Change the password of the superadmin account
4. Disable all other accounts
5. Verify the smarty vulnerability is patched, or apply the patch
6. Install a free script that alerts you on any file change
7. If you receive an alert, extract all POST requests from your log file to determine where the hole is
8. Try to fix it, or alert PrestaShop if it's a core issue
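A small log-triage helper, added here as an example (it is not code from either poster), that does what step 7 above asks, counting POST requests per client and path, and also flags the three things karcharoth's log shows: a POST to the back-office ajax-tab.php, AdminModules install/delete actions, and hits on a PHP file sitting directly under the web root. The admin folder name, the root-PHP allowlist, the host names and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Combined log format as in the thread: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

ADMIN_DIR = "admin123"           # assumed: the back-office folder name used in the thread's log
KNOWN_ROOT_PHP = {"/index.php"}  # assumed allowlist; extend with the root scripts your shop really serves


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["path"].partition("?")
    entry["path"] = path
    entry["query"] = {k: v for k, _, v in (p.partition("=") for p in query.split("&") if p)}
    return entry


def classify(entry):
    """Tag an entry with the indicators seen in the thread's logs."""
    tags = []
    path, query = entry["path"], entry["query"]
    in_admin = path.startswith("/" + ADMIN_DIR)
    if in_admin and path.endswith("/ajax-tab.php") and entry["method"] == "POST":
        tags.append("admin-ajax-tab-post")       # first request of the sequence, before any login page
    if in_admin and query.get("controller") == "AdminModules":
        for action in ("install", "delete", "uninstall"):
            if action in query:
                tags.append(f"module-{action}:{query[action]}")
    if re.fullmatch(r"/[^/]+\.php", path) and path not in KNOWN_ROOT_PHP:
        tags.append(f"unknown-root-php:{path}")  # a script dropped directly under the web root
    return tags


def analyze(lines):
    """Return (findings, post_counts): tagged entries, and POST counts per (host, path)."""
    findings, post_counts = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST":
            post_counts[(entry["host"], entry["path"])] += 1
        for tag in classify(entry):
            findings.append((entry["time"], entry["host"], entry["method"], entry["path"], tag))
    return findings, post_counts


# Constructed sample modelled on the thread's log; hosts, tokens and sizes are made up.
UA = '"Mozilla/5.0 (constructed)"'
SAMPLE = [
    f'attacker.example - - [02/Aug/2024:12:25:12 +0200] "POST /admin123/ajax-tab.php?rand=1 HTTP/1.1" 200 1110 "-" {UA}',
    f'attacker.example - - [02/Aug/2024:12:25:15 +0200] "GET /admin123/index.php?controller=AdminDashboard&token=t0 HTTP/1.1" 200 28914 "-" {UA}',
    f'attacker.example - - [02/Aug/2024:12:25:43 +0200] "GET /admin123/?controller=AdminModules&install=doofinder&module_name=doofinder&token=t1 HTTP/1.1" 200 1155 "-" {UA}',
    f'attacker.example - - [02/Aug/2024:12:25:45 +0200] "GET /admin123/?controller=AdminModules&delete=doofinder&module_name=doofinder&token=t1 HTTP/1.1" 302 1190 "-" {UA}',
    f'attacker.example - - [02/Aug/2024:12:25:51 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" {UA}',
    f'attacker.example - - [02/Aug/2024:12:25:52 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" {UA}',
    f'shopper.example - - [02/Aug/2024:12:26:23 +0200] "GET /pl/ HTTP/1.1" 200 42977 "-" {UA}',
    f'shopper.example - - [02/Aug/2024:12:26:30 +0200] "POST /index.php?controller=cart HTTP/1.1" 200 1200 "-" {UA}',
]

if __name__ == "__main__":
    found, posts = analyze(SAMPLE)
    for f in found:
        print(*f)
    for (host, path), n in posts.most_common():
        print(f"{n:4d} POST {path} from {host}")
```

Run it against a real access log with `analyze(open("access.log"))`; a client that POSTs to the admin ajax endpoint with no preceding AdminLogin request, then installs and deletes a module, then posts to a new root-level .php file is the pattern both posters' logs share.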
El Patron Posted August 5

Your best option? As most can never find the hack that inserts untrusted behaviours:
Download and install your version of PS.
Use the migration module ps-ps to transfer catalog/customers/orders/most shop info.
Using the original zips, re-install the theme and modules... and only modules from PS Addons; do not use 'free' downloadable modules from the forum or elsewhere.
When your new shop is ready to go live, back up the old shop and replace all files with the new shop.
Get this module; it will monitor your shop files and report changes. You can also restore untrusted changes: https://prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215
It's really the only way most will be able to recover their shops, because the embed that loads untrusted files is very difficult to find without doing this; the untrusted code inserted, i.e. fake credit card, rename of admin or other method where admin cannot be accessed, will keep occurring.