thirdsun, Posted January 17, 2012

Hello, I have an urgent security request. Our shop contains malicious code that is only present in cached files. At the end of those cached files there's some encrypted JavaScript code added which adds a reference to an IP address - at least that's what I understand. It's explained here: http://www.stopthehacker.com/2011/12/08/rokbox-js-infections/

Of course I cleaned/deleted all affected files and changed DB, FTP and Admin Logins. However, new cached files are being created in the theme's cache directory which contain the mentioned code.

Where can I check how the cached files are created in PrestaShop? I suspect this code is added automatically when a JS file is copied into the cache. Or even better: Has anyone come across this type of malware and knows how to fix it?

Thanks for your help.

Carl Favre, Posted January 17, 2012

Hi thirdsun,

If you have not already done it, you should check the tpl of your theme and search for any suspicious code in it and remove it. Also check if you have this type of code in your JavaScript files:

var _0x4470=["\x39\x3D\x31\x2E\x64

thirdsun, Posted January 18, 2012

As stated in the first post, this is exactly the code that is present in cached JS files - and only the cached ones in /themes/sometheme/cache/. Given that this only appears in cached files which have been cleaned and removed several times, I suspect the code is added whenever those cached files are created.

Where exactly can I see the code that creates the cached files? Is this handled in the theme folder or in a PrestaShop file like the Smarty engine?

Carl Favre, Posted January 18, 2012

You can find all the cache files in tools\smarty\cache + tools\smarty\compile
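
Added example, not part of the thread and not PrestaShop code: a small scanner for the check suggested above, meant to be pointed at the theme, theme cache and Smarty cache/compile directories named in the posts. It flags files containing an _0x... array of \xNN-escaped strings and decodes the start of the first string without executing it; the file extensions scanned and the closed-off sample string are assumptions.

```python
import os
import re
import sys

# Heuristic for the block quoted in the thread: an array named _0x<hex>
# whose first string literal is written entirely as \xNN escapes.
MARKER = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*"((?:\\x[0-9a-fA-F]{2}){4,})')
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# Constructed sample: a clean line plus the prefix quoted in the thread,
# closed off artificially. It is not the real payload.
SAMPLE = 'function ok(){return 1;}\n' 'var _0x4470=["\\x39\\x3D\\x31\\x2E\\x64"];'

def decode_escapes(literal):
    """Turn a \\xNN-escaped literal into readable text without executing it."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)

def inspect_text(text):
    """Return a finding dict for the first marker in text, or None if clean."""
    match = MARKER.search(text)
    if match is None:
        return None
    return {
        "array": match.group(1),
        "offset": match.start(),
        # Relative position of the marker; close to 1.0 means appended at the end.
        "position": round(match.start() / max(len(text), 1), 2),
        "decoded_prefix": decode_escapes(match.group(2))[:40],
    }

def scan_tree(root, extensions=(".js", ".tpl", ".php")):
    """Walk root and return sorted (path, finding) pairs for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                finding = inspect_text(handle.read())
            if finding:
                findings.append((path, finding))
    return sorted(findings)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, finding in scan_tree(sys.argv[1]):
            print(path, finding)
    else:
        print(inspect_text(SAMPLE))
```

A hit in a source .js or .tpl file, not only in the cache directories, means the cached copies are being rebuilt from an infected original.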