PrestaShop Forum

Please Read: Security Procedure

181 replies to this topic
#21
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts
Hello people,

I think this is not over here!

The purpose of this hack seems to be bigger..

On our server this virus has created his own administration section - practically a gate to our server with total control features.

Have a look in the attached file.

Our development team found this and much more... still investigating.

I think that we haven't seen the big picture here.. and we only looked to put our stores online treating visible symptoms..


Flower Shop - The Secret Garden
www.secretgarden.ro

#22
treebeard

    PrestaShop Newbie

  • Members
  • 16 posts

tomerg3, on 24 August 2011 - 08:27 PM, said:

How to make sure it doesn't happen again
Run the herphp.php fix, it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.

Thanks for the work and attention on this issue.

Please give us more details on what herfix.php does. If it patches only AdminHome.php, why shouldn't we replace only this file? Is there more, or should we still be patient?

#23
treebeard

    PrestaShop Newbie

  • Members
  • 16 posts

x3n0m0rph, on 24 August 2011 - 09:26 PM, said:

On our server this virus has created his own administration section - practically a gate to our server with total control features.

Is this the file called xx.php? How was this created? Via FTP or a PHP script? Are there more unusual scripts? Did you change anything to secure your PrestaShop before (e.g. 400 footer.tpl after cleaning it / 500 the modules folder)? Did you run herfix.php?

#24
tonicor

    PrestaShop Newbie

  • Members
  • 23 posts
Hello and sorry for my English.

I have followed all the steps to remove the virus, but I still have a couple of problems:

1. I cannot open, edit or delete any files in the store directory (I can only rename the files) with CuteFTP 8.3 Professional.

2. I try to open the store in my browser and it first attempts to open other sites (with strange tracks, e.g. www.jokelimo.com .......
The error I get in Internet Explorer is:
Attached file: virus-prestashop.jpg

Is this normal?

Thanks and sorry for my English.

#25
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts

treebeard, on 24 August 2011 - 09:33 PM, said:

x3n0m0rph, on 24 August 2011 - 09:26 PM, said:

On our server this virus has created his own administration section - practically a gate to our server with total control features.

Is this the file called xx.php? How was this created? Via FTP or a PHP script? Are there more unusual scripts? Did you change anything to secure your PrestaShop before (e.g. 400 footer.tpl after cleaning it / 500 the modules folder)? Did you run herfix.php?

My store is now safe and online. I applied the fix and all is good with the shop (I think).
Yes - it is the xx.php file. The xx.php file was created ON THE SERVER with a PHP script, not in the root of my site (we run a VPS). This is about server access and control..

This gate was made before the fix and still exists after - now we control it.
Flower Shop - The Secret Garden
www.secretgarden.ro

#26
ct1976

    PrestaShop Apprentice

  • Members
  • 41 posts
MANY MANY THANKS and WELL DONE:)!!

#27
treebeard

    PrestaShop Newbie

  • Members
  • 16 posts
Does anyone else have this file xx.php?

It seems that this file was added/modified at 21:58:30. Is there any activity in the logs executing another php-File?

#28
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • PipPip
  • 64 posts
anyway... I think that this hack is too messy... and the mess is a distraction from the real purpose - long term server control
Flower Shop - The Secret Garden
www.secretgarden.ro

#29
GurdeepMLC

    PrestaShop Newbie

  • Members
  • 5 posts
Hi guys,

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

root\themes\themename\cache

delete everything except index.php

:blink:

#30
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts

treebeard, on 24 August 2011 - 09:49 PM, said:

Does anyone else have this file xx.php?

It seems that this file was added/modified at 21:58:30. Is there any activity in the logs executing another php-File?

NOT created at 21:58! At that time we edited it so we could have control.

It was created at 10:08 this morning.
Flower Shop - The Secret Garden
www.secretgarden.ro

#31
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts

GurdeepMLC, on 24 August 2011 - 09:50 PM, said:

Hi guys,

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

root\themes\themename\cache

delete everything except index.php

:blink:

You must replace the smarty folders from your site with ones from a back-up or new prestashop download. The ones that you have now are altered.
Flower Shop - The Secret Garden
www.secretgarden.ro

#32
GurdeepMLC

    PrestaShop Newbie

  • Members
  • 5 posts

x3n0m0rph, on 24 August 2011 - 09:54 PM, said:

GurdeepMLC, on 24 August 2011 - 09:50 PM, said:

Hi guys,

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

root\themes\themename\cache

delete everything except index.php

:blink:

You must replace the smarty folders from your site with ones from a back-up or new prestashop download. The ones that you have now are altered.
Ahh - so you have to delete the cache first before applying the herfix? <_<

#33
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts

GurdeepMLC, on 24 August 2011 - 09:56 PM, said:

x3n0m0rph, on 24 August 2011 - 09:54 PM, said:

GurdeepMLC, on 24 August 2011 - 09:50 PM, said:

Hi guys,

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

root\themes\themename\cache

delete everything except index.php

:blink:

You must replace the smarty folders from your site with ones from a back-up or new prestashop download. The ones that you have now are altered.
Ahh - so you have to delete the cache first before applying the herfix? <_<

NO! NOT there! Here : yoursite/tools/smarty and smarty_v2 folders
Flower Shop - The Secret Garden
www.secretgarden.ro

#34
GurdeepMLC

    PrestaShop Newbie

  • Members
  • 5 posts
:lol: No, I never meant placement, lol! I meant that before applying the herfix one must delete the cache files beforehand

:P

#35
cobus

    PrestaShop Newbie

  • Members
  • 13 posts

x3n0m0rph, on 24 August 2011 - 09:54 PM, said:

GurdeepMLC, on 24 August 2011 - 09:50 PM, said:

Hi guys,

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

root\themes\themename\cache

delete everything except index.php

:blink:

You must replace the smarty folders from your site with ones from a back-up or new prestashop download. The ones that you have now are altered.

Thank you very much, that is what I needed to fix it!!!!

#36
plwm

    PrestaShop Newbie

  • Members
  • 5 posts
Thank you very much for this quick fix !

#37
phrasespot

    PrestaShop Fanatic

  • Members
  • 1584 posts

tomerg3, on 24 August 2011 - 08:27 PM, said:

phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site, herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

I disagree with you. Every single installation of Prestashop is open if prestashop.com is hacked.

Here is why:

AdminHome.php
if (@ini_get('allow_url_fopen'))
{
    $upgrade = new Upgrader();
    if ($update = $upgrade->checkPSVersion())
        echo '<div class="warning warn" style="margin-bottom:30px;"><h3>'.$this->l('New PrestaShop version available').' : <a style="text-decoration: underline;" href="'.$update['link'].'" target="_blank">'.$this->l('Download').'&nbsp;'.$update['name'].'</a> !</h3></div>';
}

Attacker replaces http://www.prestasho...xml/version.xml to send a higher version and a malicious link. Your update will be coming from a malicious URL.
GAME OVER

AdminHome.php
<iframe src="'.$protocol.'://screencasts.prestashop.com/screencast.php?iso_lang='.Tools::strtolower($isoUser).'" style="border:none;width:100%;height:420px;" scrolling="no"></iframe>
Attacker modifies http://screencasts.p...screencast.php. An iframe of attacker's choosing will be inserted to your site.
GAME OVER

There are more... From Help access to payment module activation, wherever the installation interacts with and pulls content from the prestashop.com domain and its subdomains, but the two above should demonstrate the point. It is never safe to include content from an untrusted domain in your application, and for me any domain that is not under my control is an untrusted domain, and even then only 90% trust, justly so, as the latest incident has shown.
No good deed goes unpunished
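Taking phrasespot's first point from the defender's side: the notice is built from $update['link'] and $update['name'] exactly as the remote version.xml supplies them, so whoever controls that file controls where the "Download" link sends every administrator. The block below is an added example, not PrestaShop code and not from the post above. The function names safeUpdateLink, renderUpdateNotice and esc, the allowlist TRUSTED_UPDATE_HOSTS and the sample version data are all assumptions constructed for the illustration. It shows the checks that stop a tampered version.xml from redirecting admins: the version must be a plain dotted number and newer than what is installed, the link must be https with no userinfo and a host on the allowlist, and everything is HTML-escaped before output.

```php
<?php
// Added example, not PrestaShop's AdminHome.php: validate a remote update
// notice before rendering it in the back office. All names are hypothetical.

declare(strict_types=1);

// Hosts an update link may legitimately point to (constructed allowlist).
const TRUSTED_UPDATE_HOSTS = ['www.prestashop.com'];

/** HTML-escape a remote-controlled string for output in an attribute or text. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Return the update link if it passes every check, otherwise null.
 * $update mirrors the shape used on the page: ['name' => ..., 'link' => ...].
 */
function safeUpdateLink(array $update, string $installedVersion): ?string
{
    $name = (string)($update['name'] ?? '');
    $link = (string)($update['link'] ?? '');

    // The version must be a plain dotted number: rejects HTML, scripts, etc.
    if (!preg_match('/^\d+(\.\d+){0,3}$/', $name)) {
        return null;
    }
    // Only a genuinely newer version is worth announcing.
    if (version_compare($name, $installedVersion, '<=')) {
        return null;
    }

    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative links, javascript: and the like have no host
    }
    // "https://trusted@evil.example/" parses with host evil.example; reject
    // any userinfo outright so the allowlist cannot be confused.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // no plaintext download links
    }
    if (!in_array(strtolower($parts['host']), TRUSTED_UPDATE_HOSTS, true)) {
        return null; // a hijacked version.xml cannot point elsewhere
    }
    return $link;
}

/** Build the notice with every remote-controlled value escaped; '' if untrusted. */
function renderUpdateNotice(array $update, string $installedVersion): string
{
    $link = safeUpdateLink($update, $installedVersion);
    if ($link === null) {
        return ''; // drop silently rather than render untrusted remote content
    }
    return '<div class="warning warn"><h3>New PrestaShop version available: '
        . '<a href="' . esc($link) . '" target="_blank" rel="noopener">Download '
        . esc((string)$update['name']) . '</a></h3></div>';
}

// Constructed samples: what a clean and a tampered version.xml might yield.
$good = ['name' => '1.4.5', 'link' => 'https://www.prestashop.com/download/1.4.5.zip'];
$bad  = ['name' => '9.9.9', 'link' => 'http://evil.example/ps.zip'];

echo renderUpdateNotice($good, '1.4.4'), PHP_EOL; // notice is rendered
var_dump(renderUpdateNotice($bad, '1.4.4') === ''); // bool(true): rejected
```

Two caveats. The allowlist only helps when the attacker controls version.xml but not the download host; if the trusted host itself serves a tampered package, the client also needs to verify a signed manifest or checksum for the archive before an admin installs it. And the screencast iframe in phrasespot's second point has no validation equivalent: a document framed from another origin can show whatever that origin serves, so the only fix is not to embed remote content in the administration pages at all (a local static placeholder with an ordinary outbound link does the same job).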

#38
chemapresta

    PrestaShop Apprentice

  • Members
  • 105 posts

Mike Kranzler, on 24 August 2011 - 07:17 PM, said:

Last night, PrestaShop's official website, prestashop.com, was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores.

The entire PrestaShop team dedicated ourselves to identifying and fixing this issue as quickly as possible. That fix has been completed.

Has my shop been infected?
This only affects PrestaShop versions 1.4/1.4.1/1.4.2/1.4.3/1.4.4, but not all shops using these versions are necessarily affected.

If you use one of these versions, please check for any of the following symptoms:
• A her.php file is at the root of /modules folder
• A .php file different from index.php is in the upload and download folders
• Your footer.tpl file has been modified.
• Your tools/smartyv2 folder is missing

If you fulfill any of these conditions, your shop may have been infected. However, it is easy to fix just by following the instructions listed below.

What should I do?
1. Change your database password (or contact your webhost if you do not know how to do it). Once you have done that, open the settings.inc.php file in your /config folder and replace your old password with the new one. See below:
Attachment herfix image.png
2. Download the fix published by PrestaShop by clicking here
3. Upload it to the root folder of your shop with your FTP client (Filezilla, Transmit…)
4. Go to the url http://www.myshop.com/herfix.php
5. The fix is now applied. Please do not forget to delete the herfix.php file previously uploaded at the root of your shop
6. Rename the admin folder
7. Change the password of all admins of your shop

If you need any help or have any additional questions, you can email us at security@prestashop.com We will answer you as soon as possible.

The whole PrestaShop team wants to deeply thank the community for its help in identifying this issue.


Hi Mike and PS team,

It works for me. Tomorrow I shall check it deeply, I'm tired now.

Many thanks to all the team and all prestashop community.
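The four symptoms in the quoted advisory can be checked mechanically rather than by eye. The script below is an added example: it is not PrestaShop's herfix.php and not from the advisory or the post. The script name check_her.php, the function herIndicators, the shop path you pass in and the optional clean footer.tpl to hash against are all assumptions. It only reads files and reports; it changes nothing, and it is meant to be run from the command line outside the web root, not uploaded to the shop.

```php
<?php
// Added example, not part of the advisory: read-only check for the four
// indicators it lists. Script name, paths and the clean footer.tpl are
// assumptions supplied by whoever runs it.
//   php check_her.php /path/to/shop [/path/to/clean/footer.tpl]

declare(strict_types=1);

/**
 * Return human-readable findings for the shop at $root.
 * $cleanFooterSha256 is the SHA-256 of footer.tpl from a clean copy of the
 * same theme; pass null to skip that comparison.
 */
function herIndicators(string $root, ?string $cleanFooterSha256 = null): array
{
    $root = rtrim($root, '/');
    $hits = [];

    // Indicator 1: her.php at the root of /modules.
    if (is_file("$root/modules/her.php")) {
        $hits[] = 'modules/her.php exists';
    }

    // Indicator 2: a .php file other than index.php in upload/ or download/.
    foreach (['upload', 'download'] as $dir) {
        foreach (glob("$root/$dir/*.php") ?: [] as $file) {
            if (basename($file) !== 'index.php') {
                $hits[] = "unexpected PHP file: $dir/" . basename($file);
            }
        }
    }

    // Indicator 3: footer.tpl modified. Comparing against a known-good copy
    // is the only reliable test, so this needs the clean file's hash.
    if ($cleanFooterSha256 !== null) {
        foreach (glob("$root/themes/*/footer.tpl") ?: [] as $tpl) {
            if (hash_file('sha256', $tpl) !== $cleanFooterSha256) {
                $hits[] = 'footer.tpl differs from the clean copy: '
                    . substr($tpl, strlen($root) + 1);
            }
        }
    }

    // Indicator 4: tools/smartyv2 missing (1.4.x installs ship it).
    if (!is_dir("$root/tools/smartyv2")) {
        $hits[] = 'tools/smartyv2 is missing';
    }

    return $hits;
}

// Command-line entry point.
$root = $argv[1] ?? '';
if ($root === '' || !is_dir($root)) {
    fwrite(STDERR, "usage: php check_her.php /path/to/shop [clean_footer.tpl]\n");
    exit(2);
}
$cleanHash = null;
if (isset($argv[2]) && is_file($argv[2])) {
    $cleanHash = hash_file('sha256', $argv[2]) ?: null;
}
$hits = herIndicators($root, $cleanHash);
if ($hits === []) {
    echo "no indicators found\n";
    exit(0);
}
foreach ($hits as $hit) {
    echo "INDICATOR: $hit\n";
}
exit(1); // non-zero so the check can be chained in a maintenance script
```

A clean result from this script is not a clean bill of health: it covers only the four published symptoms. Participants in this thread also report an xx.php created elsewhere on the server and altered tools/smarty and smarty_v2 folders, which the list above would miss. A recursive diff of the whole installation against a fresh download of the same version (excluding config, uploads and theme customisations) catches those too, and the database password, admin folder name and admin passwords still need changing as the advisory says.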

#39
Slava

    PrestaShop Newbie

  • Members
  • 10 posts
Hi!
What about the fresh zip file download from http://www.prestasho.../en/downloads/?
Is this loophole fixed already on Prestashop website download section, or I have to run the herfix.php just after installation?

Many thanks for PS Team!!!

Great job!!!

Regards.

#40
x3n0m0rph

    PrestaShop Apprentice

  • Members
  • 64 posts

phrasespot, on 24 August 2011 - 10:35 PM, said:

tomerg3, on 24 August 2011 - 08:27 PM, said:

phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site, herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

I disagree with you. Every single installation of Prestashop is open if prestashop.com is hacked.

Here is why:

AdminHome.php
if (@ini_get('allow_url_fopen'))
{
    $upgrade = new Upgrader();
    if ($update = $upgrade->checkPSVersion())
        echo '<div class="warning warn" style="margin-bottom:30px;"><h3>'.$this->l('New PrestaShop version available').' : <a style="text-decoration: underline;" href="'.$update['link'].'" target="_blank">'.$this->l('Download').'&nbsp;'.$update['name'].'</a> !</h3></div>';
}

Attacker replaces http://www.prestasho...xml/version.xml to send a higher version and a malicious link. Your update will be coming from a malicious URL.
GAME OVER

AdminHome.php
<iframe src="'.$protocol.'://screencasts.prestashop.com/screencast.php?iso_lang='.Tools::strtolower($isoUser).'" style="border:none;width:100%;height:420px;" scrolling="no"></iframe>
Attacker modifies http://screencasts.p...screencast.php. An iframe of attacker's choosing will be inserted to your site.
GAME OVER

There are more... From Help access to payment module activation, wherever the installation interacts with and pulls content from the prestashop.com domain and its subdomains, but the two above should demonstrate the point. It is never safe to include content from an untrusted domain in your application, and for me any domain that is not under my control is an untrusted domain, and even then only 90% trust, justly so, as the latest incident has shown.

I totally agree with this. Our programmers are very mad at this hour... This is a mess from prestashop team too!

Next time a client makes a payment it might actually pay a nice little hacker for his great effort to use another security hole in the secured prestashop platform ;)
These are serious problems, people...
Flower Shop - The Secret Garden
www.secretgarden.ro