PrestaShop Forum

Please Read: Security Procedure

179 replies to this topic
#1
Mike Kranzler

    PrestaShop Fanatic

  • PrestaTeam
  • 4173 posts
Last night, PrestaShop’s official website, prestashop.com, was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores.

The entire PrestaShop team dedicated ourselves to identifying and fixing this issue as quickly as possible. That fix has been completed.

Has my shop been infected?
This only affects PrestaShop versions 1.4/1.4.1/1.4.2/1.4.3/1.4.4, but not all shops using these versions are necessarily affected.

If you use one of these versions, please check for any of the following symptoms:
• A her.php file is at the root of the /modules folder
• A .php file different from index.php is in the upload and download folders
• Your footer.tpl file has been modified
• Your tools/smartyv2 folder is missing

If you fulfill any of these conditions, your shop may have been infected. However, it is easy to fix just by following the instructions listed below.

What should I do?
1. Change your database password (or contact your webhost if you do not know how to do it). Once you have done that, open the settings.inc.php file in your /config folder and replace your old password with the new one. See below:
[Attached image: herfix image.png]
2. Download the fix published by PrestaShop by clicking here
3. Upload it to the root folder of your shop with your FTP client (Filezilla, Transmit…)
4. Go to the url http://www.myshop.com/herfix.php
5. The fix is now applied. Please do not forget to delete the herfix.php file previously uploaded at the root of your shop
6. Rename the admin folder
7. Change the password of all admins of your shop

If you need any help or have any additional questions, you can email us at security@prestashop.com. We will answer you as soon as possible.

The whole PrestaShop team wants to deeply thank the community for its help in identifying this issue.
Mike Kranzler, Community Manager, PrestaShop

Per PrestaShop's rules, requests for technical assistance sent via PM will not be answered. Please post them as a new thread directly to the forums for assistance.
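
The four symptoms listed in the announcement above can be checked in one pass over the shop's files. This is an added example, not part of the original post and not PrestaShop's herfix.php; the `themes/*/footer.tpl` location, the `<iframe>` fallback heuristic and the optional known-good footer copy are assumptions.

```python
from pathlib import Path


def check_shop(root, clean_footer=None):
    """Return findings for the four symptoms listed in the announcement.

    clean_footer (assumption): bytes of a footer.tpl you know to be good,
    e.g. from a backup taken before the incident.
    """
    root = Path(root)
    findings = []

    # Symptom 1: her.php at the root of the /modules folder.
    if (root / "modules" / "her.php").is_file():
        findings.append("modules/her.php is present")

    # Symptom 2: a .php file other than index.php in upload/ or download/.
    # Subfolders are searched as well, which goes beyond the announcement.
    for name in ("upload", "download"):
        folder = root / name
        if not folder.is_dir():
            continue
        for entry in sorted(folder.rglob("*")):
            if (entry.is_file() and entry.suffix.lower() == ".php"
                    and entry.name != "index.php"):
                findings.append("unexpected PHP file: "
                                + entry.relative_to(root).as_posix())

    # Symptom 3: footer.tpl modified. Compare with the known-good copy when
    # one is supplied; otherwise fall back to looking for an <iframe> tag.
    for tpl in sorted(root.glob("themes/*/footer.tpl")):
        data = tpl.read_bytes()
        rel = tpl.relative_to(root).as_posix()
        if clean_footer is not None:
            if data != clean_footer:
                findings.append(rel + " differs from the known-good copy")
        elif b"<iframe" in data.lower():
            findings.append(rel + " contains an <iframe> tag")

    # Symptom 4: the tools/smartyv2 folder is missing.
    if not (root / "tools" / "smartyv2").is_dir():
        findings.append("tools/smartyv2 folder is missing")
    return findings


if __name__ == "__main__":
    import sys
    for finding in check_shop(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("WARNING:", finding)
```

Run it with the shop's root folder as the only argument; an empty result means none of the four symptoms was found, not that the shop is clean.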


#2
indus

    PrestaShop Apprentice

  • Members
  • 289 posts
Where can we get more information about this exploit and about what the herfix.php file does?

Will be a nice read.

I would also like to thank muller for first reporting this and to the prestashop team for resolving this issue within a day.


thanks

#3
fancydressqueen

    PrestaShop Apprentice

  • Members
  • 71 posts

indus, on 24 August 2011 - 07:24 PM, said:

Where can we get more information about this exploit and about what the herfix.php file does?

Will be a nice read.

I would also like to thank muller for first reporting this and to the prestashop team for resolving this issue within a day.


thanks

Seconded. Sterling work to get things back to normal in quick time.

#4
cobus

    PrestaShop Newbie

  • Members
  • 13 posts
Hi,

I did everything, but it is still infected. I will try some more times. Thanks for your hard work btw.

Well, there are no strange files in the download/upload folder, and footer.tpl looks OK. But the front office still gives a virus warning from Norton.

#5
phrasespot

    PrestaShop Fanatic

  • Members
  • 1154 posts

Mike Kranzler, on 24 August 2011 - 07:17 PM, said:

Last night, PrestaShop’s official website, prestashop.com, was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores.

We were very lucky in that the people who did the hacking were not very good and broke lots of installations. With a more sneaky setup this could have gone unnoticed for months while feeding all compromised shops' data to hackers.

So, my question is, do you intend to remove the content pulled from prestashop.com domain to our servers now, so no incident like this can ever repeat, as I think you agree that no one could/would guarantee that prestashop.com will never be hacked again?

Thanks for quick response/resolution.

Free modules | Do you need a module or other customization? Contact me.

#6
Mike Kranzler

    PrestaShop Fanatic

  • PrestaTeam
  • 4173 posts
Hi Phrasespot,
I will pass your question on to our development team, and will pass along their answer as soon as I hear back.

-Mike

#7
istox

    PrestaShop Apprentice

  • Members
  • 82 posts
My browser gets an error message:
herfix.php error on line 832

Sorry. That was Chrome.
In Mozilla it writes OK.

Thanks!

#8
AKJV

    PrestaShop Apprentice

  • Moderators
  • 477 posts
I have restored a backup of my website installation and database, both with a date before the hack took place. Do I still have to apply this fix, using herfix.php? Or will it suffice just to change the database and admin passwords?

PC Avenue - Multimedia PC specialist - http://pcavenue.nl


#9
tomerg3

    PrestaShop Superstar

  • US Moderators
  • 5249 posts
phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site, herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

I'll try to explain the whole process that happened in simple terms.

What happened
The Prestashop server was hacked, and some code was modified to send malicious files back to each shop that contacts Prestashop's server.

Why is that even possible
A bug in /admin/tabs/AdminHome.php that allowed the Prestashop site to send files rather than just information.

How did it affect me
When you go to the "Home" in the backoffice, your site sends a request to Prestashop's site to get update notifications, and due to a bug there, it was also possible to send files to your server (rather than just sending text that will be displayed).

Why did some people not get affected
If you did not go to the Home of the backoffice, or if you did, but after Prestashop fixed the hack on their site, then you were not affected (or if you have PS older than 1.4).

How to make sure it doesn't happen again
Run the herphp.php fix, it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.
http://www.Presto-Changeo.com Prestashop Modules and Website Development
Modules: Attribute Wizard Pro | Ajax Filter | Website Translator | Facebook Comments | Mass Combination Editor | Database Export | Private Shop |Product List Attributes | OSC to PS Migration | ZenCart to PS | Cre-loaded to PS | Authorize.net | Sagepay | Fedex | UPS | USPS | Canada Post | Australia Post
Free Modules: Facebook Like | Google +1 | Rotating Fading Text | Quantity Discounts | Order IP Log | Product Accessories
For the latest modules, updates and monthly discount coupons, follow Twitter or Facebook
Featured Module: Automatic Prestashop Backup - Backup your files and database on Amazon S3 Cloud server, locally, and via email for 3 layers of protection against data loss or server crash!
Please do not send general questions via PM, that is what the forum is for...
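
The point made in the explanation above, that a vendor news feed should be handled as text to display and never as files, can be shown with a display-only handler. This is an added example, not code from the thread, from PrestaShop or from herfix.php; the JSON feed shape, the field names, the size cap and the allowed host are all assumptions.

```python
import html
import json
from urllib.parse import urlsplit

MAX_FEED_BYTES = 64 * 1024               # assumed size cap
ALLOWED_HOSTS = {"www.prestashop.com"}   # assumed host for news links
FIELDS = ("title", "summary", "link")    # assumed feed fields


def render_news(raw):
    """Turn an untrusted vendor feed (bytes) into escaped HTML.

    Only the three known text fields are read; any other key in an item
    (for example a file name or file body) is ignored, and nothing is
    written to disk or executed.
    """
    if len(raw) > MAX_FEED_BYTES:
        raise ValueError("feed too large")
    try:
        items = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise ValueError("feed is not valid JSON") from exc
    if not isinstance(items, list):
        raise ValueError("feed must be a list of items")

    rows = []
    for item in items[:10]:
        if not isinstance(item, dict):
            continue
        title, summary, link = (item.get(k) for k in FIELDS)
        if not all(isinstance(v, str) for v in (title, summary, link)):
            continue
        url = urlsplit(link)
        if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
            continue  # drop links that leave the expected site
        rows.append('<li><a href="%s">%s</a>: %s</li>' % (
            html.escape(link, quote=True), html.escape(title),
            html.escape(summary)))
    return "<ul>" + "".join(rows) + "</ul>"


# Constructed sample feed: one normal item, one item carrying markup and
# extra file-like keys, one item linking to a different host.
SAMPLE = json.dumps([
    {"title": "Update available", "summary": "Bug fixes",
     "link": "https://www.prestashop.com/news"},
    {"title": "<script>x</script>", "summary": "s",
     "link": "https://www.prestashop.com/", "file": "modules/example.php",
     "content": "constructed"},
    {"title": "t", "summary": "s", "link": "http://other.example/"},
]).encode("utf-8")
```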

#10
AKJV

    PrestaShop Apprentice

  • Moderators
  • 477 posts
Thanks Tomer,

It is now clear to me that everyone running 1.4.x should apply this fix, even those not affected yet.



#11
cobus

    PrestaShop Newbie

  • Members
  • 13 posts

tomerg3, on 24 August 2011 - 08:27 PM, said:

phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site, herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

I'll try to explain the whole process that happened in simple terms.

What happened
The Prestashop server was hacked, and some code was modified to send malicious files back to each shop that contacts Prestashop's server.

Why is that even possible
A bug in /admin/tabs/AdminHome.php that allowed the Prestashop site to send files rather than just information.

How did it affect me
When you go to the "Home" in the backoffice, your site sends a request to Prestashop's site to get update notifications, and due to a bug there, it was also possible to send files to your server (rather than just sending text that will be displayed).

Why did some people not get affected
If you did not go to the Home of the backoffice, or if you did, but after Prestashop fixed the hack on their site, then you were not affected (or if you have PS older than 1.4).

How to make sure it doesn't happen again
Run the herphp.php fix, it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.

OK, I did everything, the footer file doesn't change anymore. No strange files in the upload/download folder. But when I go to my shop, Norton still gives a virus warning. How to fix that? Cause as long as that happens, I won't open the shop.

Hope you can tell me what I am doing wrong.

#12
philee

    PrestaShop Apprentice

  • Members
  • 334 posts
Thanks Prestashop Admin team for getting the fix out. I have followed the directions on changing all the passwords, and applying the herfix.php. Can I delete the fix herfix.php after applying it or should I still keep it in my store's root folder?

#13
shacker

    PrestaShop Fanatic

  • Moderators
  • 4549 posts
  • Location:Argentina
Thanks a lot for the fix.

#14
kosmolog

    PrestaShop Newbie

  • Members
  • 7 posts
- CTRL + F5
- Clear the browser cache

or clean, while still in the shop, the smarty folders: compile and cache. Can anyone tell?

#15
tomerg3

    PrestaShop Superstar

  • US Moderators
  • 5249 posts
philee: yes, you can delete it. it updated AdminHome.php, which only needs to be done once.

cobus: Don't know, if you view source, do you see any <iframe code?

#16
bsmooth

    PrestaShop Apprentice

  • Members
  • 32 posts
Hi I just ran the herfix.php then I got "OK" displayed and it deleted itself.

Is that correct?

#17
AKJV

    PrestaShop Apprentice

  • Moderators
  • 477 posts
Hmm, my AdminHome.php has not been updated upon applying the fix... I use a modified version of this file (have commented out the video screencast in the past), could that be the reason why it's not updated? The ajax.php in the admin folder has been updated though.

When I try to reapply the herfix.php, I get a 404 error (page not found)...



#18
allobambin

    PrestaShop Newbie

  • Members
  • 8 posts

#19
allobambin

    PrestaShop Newbie

  • Members
  • 8 posts
uh .... herfix.php normally file is automatically deleted after execution, at home it is.

Is it possible to know exactly what portion of code was a problem?
For culture and personal issues for future update.

Depending on the version, this is not necessarily located in AdminHome.php.
In localhost 1.4.4.0 (custom) and prod in 1.4.2.5 (custom and infected).
Infected with this virus, I did manually delete needed (gained consciousness, I launched the script herfix).

In any case, bravo to prestateam that solved this problem in less time before I realized that my site was infected.

Sorry for my english... brrrrr.... google translate isn't perfect!

#20
AKJV

    PrestaShop Apprentice

  • Moderators
  • 477 posts
Actually, I think that just the ajax.php file is updated by this fix. I checked the latest SVN updates and only found an updated ajax.php. The changes in this SVN revision check out with the changes applied by the fix.
