nebojsar
Posted June 5, 2013

Recently we moved to 1.5.4.1, using the default theme and no third-party modules other than those found on the add-ons market here, and in the past few days our hosting provider informed us that our account is suspended due to high CPU usage. In the root directory of the website we found a file without an extension, with a random name and a size of 1.08 GB. Also I read about a vulnerability in HTML and XML: http://hauntit.blogspot.com/2013/05/en-prestashop-1541-htlm-injection.html and also found some files on our shop missing or changed.

missing:
override/classes/cache/index.php
override/classes/controller/index.php
override/classes/db/index.php
override/classes/helper/index.php
override/classes/log/index.php
override/classes/module/index.php
override/classes/order/index.php
override/classes/pdf/index.php
override/classes/range/index.php
override/classes/shop/index.php
override/classes/stock/index.php
override/classes/tax/index.php
override/controllers/admin/index.php
override/controllers/admin/templates/index.php

changed:
modules/blocknewsletter/mails/index.php
modules/blocknewsletter/mails/en/index.php
modules/blocknewsletter/mails/en/newsletter_conf.html
modules/blocknewsletter/mails/en/newsletter_conf.txt
modules/blocknewsletter/mails/en/newsletter_voucher.html
modules/blocknewsletter/mails/en/newsletter_voucher.txt
modules/blockwishlist/mails/index.php
modules/blockwishlist/mails/en/index.php
modules/blockwishlist/mails/en/wishlink.html
modules/blockwishlist/mails/en/wishlink.txt
modules/blockwishlist/mails/en/wishlist.html
modules/blockwishlist/mails/en/wishlist.txt
modules/followup/mails/index.php
modules/followup/mails/en/followup_1.html
modules/followup/mails/en/followup_1.txt
modules/followup/mails/en/followup_2.html
modules/followup/mails/en/followup_2.txt
modules/followup/mails/en/followup_3.html
modules/followup/mails/en/followup_3.txt
modules/followup/mails/en/followup_4.html
modules/followup/mails/en/followup_4.txt
modules/followup/mails/en/index.php
modules/mailalerts/mails/index.php
modules/mailalerts/mails/en/customer_qty.html
modules/mailalerts/mails/en/customer_qty.txt
modules/mailalerts/mails/en/index.php
modules/mailalerts/mails/en/new_order.html
modules/mailalerts/mails/en/new_order.txt
modules/mailalerts/mails/en/productcoverage.html
modules/mailalerts/mails/en/productoutofstock.html
modules/mailalerts/mails/en/productoutofstock.txt
modules/referralprogram/mails/index.php
modules/referralprogram/mails/en/index.php
modules/referralprogram/mails/en/referralprogram-congratulations.html
modules/referralprogram/mails/en/referralprogram-congratulations.txt
modules/referralprogram/mails/en/referralprogram-invitation.html
modules/referralprogram/mails/en/referralprogram-invitation.txt
modules/referralprogram/mails/en/referralprogram-voucher.html
modules/referralprogram/mails/en/referralprogram-voucher.txt
modules/sendtoafriend/mails/index.php
modules/sendtoafriend/mails/en/index.php
modules/sendtoafriend/mails/en/send_to_a_friend.html
modules/sendtoafriend/mails/en/send_to_a_friend.txt
override/index.php
override/classes/index.php
override/classes/exception/index.php
override/classes/webservice/index.php
override/controllers/index.php
override/controllers/front/index.php

Any hint how to save the website?
Bill Dalton
Posted June 5, 2013

Assuming this guy is correct, he is talking about a file in your Admin. After an install you are required to rename your admin. This works very much like a password. You don't let people know about your password or use something easy to guess like admin123. In order to do what he is talking about he needs BOTH the name of your admin directory and your user name and password. What happened to you is more likely that your FTP password was compromised. You need to change all passwords: FTP, phpMyAdmin, PrestaShop back office. You need to make a backup of your database, and if you are sure files have been changed you should delete the old copy and install from a clean backup, or install fresh if necessary.
hauntit.blog
Posted June 5, 2013

Hi all forum Members, too bad that we meet in this situation, anyway: I just saw an email at my blog's mail, from R.G. After a few mails I decided to write a little note here. I'm working like this: sometimes after work I'm reading source from 'popular CMSs' or other webapps searching for bugs. If I find something 'interesting' (some vulnerability related to injecting code (in this or another (php/html/js/whatever) way)) I send an email/post/LinkedIn msg to someone related to this project with all details (most times). All of the story. If the vendor wants to cooperate with a patch, no problem. So, back to this 'hacked': that's not me. If you want any help with anything related to checking source, I'm always happy to help. (...)

Back to this prestashop vuln (from my blog): this is XSS for admin, so in my opinion you should think about:
- checking js files
- checking php files (look for new code, ([p,a,c,k,e,d]functions(), etc. etc. code)
- new 'base64_...' strings (or functions *_encode/_decode...) (other 'coding' you can check too; once I saw somewhere on the net a tutorial about a rot13-encoded webshell)
- at www logs: check for, hm... how to say... ;D links in logs where a parameter value is equal to something like: ?*blahparam*=http://*whateverheretoo/herewillbe/shell.php...

So in my opinion, the admin went to some weird place, was logged in to another cart in prestashop, and maybe the XSS was recreated as a CSRF (at this other page/cart) exploit. If coders, the dev/sec team (or just you, R.G.) want to talk, just send me the email. R.G. has my mail. It was a pleasure. Best regards, Jakub
El Patron
Posted June 5, 2013 (edited)

1. change your ftp password
2. make sure you have good anti-virus software on your computer
3. download your shop; your anti-virus software should pick up infected files
4. download and unzip the native PS you are running
5. replace infected files from the native PS files you unzipped
6. re-upload those affected files

edited: added (6.)
Edited June 5, 2013 by eTiendas.co
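Steps 3 to 5 above, as an added example that is not El Patron's or PrestaShop's own code: a POSIX shell script that compares the downloaded shop against a clean extract of the same release and prints the missing, changed and extra files, the three classes of difference the original post lists by hand. The sample trees and their contents are constructed here; point compare_trees at the real directories instead.

```shell
#!/bin/sh
# Added example (not from the thread): compare a downloaded shop tree against a clean
# extract of the same PrestaShop release and report the three kinds of difference the
# original post lists by hand: missing, changed and extra files.
compare_trees() {
  clean="$1"; shop="$2"
  work=$(mktemp -d)
  (cd "$clean" && find . -type f | sed 's|^\./||' | sort) > "$work/clean"
  (cd "$shop"  && find . -type f | sed 's|^\./||' | sort) > "$work/shop"
  comm -23 "$work/clean" "$work/shop" | sed 's/^/missing: /'  # shipped with PS, gone from shop
  comm -13 "$work/clean" "$work/shop" | sed 's/^/extra: /'    # only in shop: dropped files
  comm -12 "$work/clean" "$work/shop" | while IFS= read -r f; do
    cmp -s "$clean/$f" "$shop/$f" || echo "changed: $f"      # same path, different bytes
  done
  rm -rf "$work"
}

# Constructed sample trees (assumed content, not real PrestaShop files) so it runs offline:
# the shop copy lacks one override index.php, has one edited mail template, and carries
# a random-named file in the web root, like the one the original poster found.
make_sample_trees() {
  base=$(mktemp -d)
  for d in clean shop; do
    mkdir -p "$base/$d/override/classes/cache" "$base/$d/modules/followup/mails/en"
    printf '<?php header("Location: ../");\n' > "$base/$d/modules/followup/mails/en/index.php"
    printf '<p>Hello {firstname}</p>\n' > "$base/$d/modules/followup/mails/en/followup_1.html"
  done
  printf '<?php header("Location: ../");\n' > "$base/clean/override/classes/cache/index.php"
  printf '<p>Hello {firstname}</p><!-- constructed: injected line -->\n' \
    > "$base/shop/modules/followup/mails/en/followup_1.html"
  printf 'not a prestashop file\n' > "$base/shop/kq7x9"
  echo "$base"
}

# Usage on real data: compare_trees /path/to/clean-prestashop-1.5.4.1 /path/to/downloaded-shop
base=$(make_sample_trees)
compare_trees "$base/clean" "$base/shop"
rm -rf "$base"
```

Review every "extra:" line (that is where a dropped file with a random name shows up) and diff each "changed:" file against the clean copy before replacing it.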
nebojsar (Author)
Posted June 6, 2013

Hello guys, thanks for the fast response. The admin folder has been renamed from the very beginning, so that could not be the reason. FTP is not used because we use the cPanel file manager, and the password for cPanel is changed regularly. Jakub, don't get me wrong, I did not mean that you are the hacker but that my website is hacked, that you have noted a vulnerability and that this might be the reason for our problems. I will do as suggested, change all passwords again and monitor what happens. Best regards, Nebojsa
hauntit.blog
Posted June 6, 2013

> Hello guys, thanks for the fast response. The admin folder has been renamed from the very beginning, so that could not be the reason. FTP is not used because we use the cPanel file manager, and the password for cPanel is changed regularly. Jakub, don't get me wrong, I did not mean that you are the hacker but that my website is hacked, that you have noted a vulnerability and that this might be the reason for our problems. I will do as suggested, change all passwords again and monitor what happens. Best regards, Nebojsa

Hi Nebojsa, thanks for the reply.

ad. renamed admin folder: did you check all perms for the directories in the admin dir?
ad. cPanel: vulnerable version? (or should I say, is it your server or hosting? ;]) Most of the time on hosting servers you can find old/vulnerable versions, in my opinion.
ad. 'Jakub don't get me wrong': relax. I'm looking for a method how I can help you in this stupid situation.
ad. the last part of your answer (about changing passwords, and so on): if I can suggest something, maybe this conversation should be continued 'more privately'. Talking about 'how your server is/or is not configured' in public could be a problem for the future. Back from paranoid mode... Send me a blank email, I will answer you with a few other ideas related to what can be done/checked on your server.

Back to 'my finding', a few words:
- the vulnerability was found in a part of the web application available only to a logged-in admin user.
- this is XSS
- sooo, (if this could be changed/extended to CSRF) only if a logged-in administrator (to the presta admin panel, at cart/tab1 in Firefox for example) switched to cart/tab2 (in FF) where the 'payload' to exploit (this admin's rights and add code/shell/download a js file with some backdoor, etc.) CSRF could be located.

So, in my opinion you should look for something 'like this' in your code. Check for new files. Check 'newly found files' with the simple (from *nix) command 'file *.those_files' to check 'if a gif is really a gif', etc.
Next, like I said before, check php.ini settings, maybe something was added... The list can be longer, but 'if' this was really 'hacked via my super-sploit', I don't think so. Honestly, after a few years I'm watching that 'attackers' mostly use some kind of quick scripts to search 'all possible as fast as possible' servers for rce/rfi/lfi vulnerabilities, so in your case I would look deep in the www log files. All of them, line by line; be sure that they were not changed by an attacker, of course. Like I said, if you want to talk, or need any help, write directly to me. Best regards, J.
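Two of the checks Jakub suggests (in this post and his earlier one), as an added example that is not from the thread: a POSIX shell script that flags access-log lines where a query parameter's value is itself a URL (the '?param=http://.../shell.php' shape he describes) and lists PHP files carrying base64_decode / eval / rot13 / 'p,a,c,k,e,d' markers. The log lines, hosts, paths and files are constructed samples, and the regexes are my assumptions, not a complete signature set.

```shell
#!/bin/sh
# Added example (not from the thread): two log/file checks from Jakub's advice, run
# over constructed sample data. Patterns are assumptions tuned to his description.

# 1. Access-log lines where a query parameter's value is a remote URL
#    (the "?param=http://host/shell.php" shape, i.e. remote-file-inclusion probes).
find_rfi_probes() {
  grep -Ei '\?[^" ]*=(https?(:|%3a)(//|%2f%2f)|ftp(:|%3a))' "$1"
}

# 2. PHP files carrying the obfuscation markers named in the thread: base64_decode,
#    eval(), str_rot13 and the "p,a,c,k,e,d" signature of packed JavaScript.
find_obfuscated_php() {
  find "$1" -type f -name '*.php' -exec grep -lE 'base64_decode|eval *\(|str_rot13|p,a,c,k,e,d' {} +
}

# Constructed samples (made-up host, documentation IPs, inert marker file) so it runs offline.
make_samples() {
  d=$(mktemp -d)
  mkdir -p "$d/www/override/classes/cache"
  cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [05/Jun/2013:10:01:02 +0000] "GET /index.php?id_product=12 HTTP/1.1" 200 5120
203.0.113.9 - - [05/Jun/2013:10:01:09 +0000] "GET /index.php?page=http://bad.example/shell.php HTTP/1.1" 200 5120
203.0.113.5 - - [05/Jun/2013:10:02:00 +0000] "GET /img/logo.jpg HTTP/1.1" 200 2048
EOF
  # clean PrestaShop-style index.php: no marker, must not be reported
  printf '<?php header("Location: ../");\n' > "$d/www/override/classes/cache/index.php"
  # constructed marker file: contains the base64_decode token only, does nothing
  printf '<?php $x = base64_decode("c2FtcGxl"); /* constructed sample marker */\n' > "$d/www/cache.php"
  echo "$d"
}

# Usage on real data: find_rfi_probes /var/log/apache2/access.log; find_obfuscated_php /path/to/shop
d=$(make_samples)
echo "== RFI-style requests ==";  find_rfi_probes "$d/access.log"
echo "== PHP files with markers =="; find_obfuscated_php "$d/www"
rm -rf "$d"
```

Both checks only narrow the list to read; every hit still needs the file or request looked at by hand, and the log itself should be trusted only if the attacker could not have edited it.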
nebojsar (Author)
Posted June 7, 2013

Did as suggested here. I don't have any suspicious files in root any more and the antivirus check was OK. Still I'm having a problem with high CPU load and thus my website is suspended. Before the issues CPU load was around 2-3% and now it is going up to 10%; does anyone know what the reason could be?
hauntit.blog
Posted June 7, 2013

Hi Nebojsar, during the first coffee at work today I saw something that should be interesting for you. You did not answer me about the 'configuration' ('if this is hosting or not'); anyway, here may be part of your answer if it was a hosting: http://seclists.org/fulldisclosure/2013/Jun/36 Links related to this (and to the other one too) topic(s) you will find when you start digging. Check your sshd and apache correctly. Best regards, J o/