Xsamxadoo malware through Explorerpro module

[jiri992]

Hi,

Today we had big attack to our websites Prestashop 1.5 version. Malware creates xsamxadoo.php file in the root of webshop.
We already deleted all /phpunit files from the websites since January to avoid this attack but still somehow attackers were succesful. We are suspecting module explorerpro where is file action.php - see attachment which allows to adding files to our website

Have anybody experience the same issue? We had this module in our website for a long time and never got attack through this module.

action.php

[SpreeCode]

Hi,

we found the same Problem in one Shop this morning. The xsamxadoo must have been extended to use a Security Hole in explorerpro Module. A POST request to explorerpro/actions.php triggers uploads of various files to the root of the Shop and to the modules root Directory.

In this process, the file controllers/AuthController.php gets modified to post Email and Passwords of Users who login to a Telegram Bot via Telegram API.

Check the file controllers/AuthController.php for modifications. In PS 1.6.10 the Code was inserted around line 450.

Possible search terms may be: "$passwordbajaa", "$dhsqndsqdjsqdhsqdqsdhdqs" or "https://"."ap"."i".".tel"."egr"."am".".org"."" (These might obviously be changed by the Hacker in other Versions of the Malware).

Luckily that Code produces a Syntax Error, when logging in, so at the moment it is easy to find.

 

 

[orakel]

Hello,

We also had the same issue on our sites.

The impacted files were : 

• controllers/front/AuthController.php
• controllers/admin/AdminLoginController.php
• classes/Customer.php
  • In getByEmail function
• classes/Employee.php
  • In getByEmail function

Also check the overrides

Malicious files were also injected in /modules directory (search for xsamxadoo / bajatax / .. )

And there was a new directory in root folder named xsamxadoo

Hope it'll helps

 

Edit : we also removed sampledatainstall and explorerpro modules

Edited August 21, 2020 by orakel (see edit history)

[JeanPatrickAligator]

Hi,

We experienced the same attack this week on a Prestashop 1.6 shop with Explorerpro module. After reading the logs, it seems the hacker used action.php too.

We exactly had the same issues as @orakel (same files modified and injected, same syntax error on AuthController.php but AdminLoginController.php had no syntax error, so the administrators' logins and passwords has surely been sent to the hacker via the telegram API. We're not sure about the customers.

According to our logs, it also seems that the hacker created xsamxadoo directory at the root, but he surely deleted it because we don't find it. The injected files at root (bajatax.php, ex_bajatax.php, xsam_baja.php, xamxadoo.php) are still here.

We will remove explorerpro module (and some other unused old modules), and restore a backup. For the moment it seems that the database is safe.

[tomerg3]

Great post, sorry for the trouble, but thanks for sharing, hopefully this could save others some trouble.
Have you guys contacted the creator of the module? They should know, fix, and alert all their customers.

Any module that allows you to upload, or post custom text is at a much higher risk for vulnerabilities.

[JeanPatrickAligator]

Hi @tomerg3,

I think the security issue was known since a long time according to this thread https://www.prestashop.com/forums/topic/73866-module-file-explorer/

In our case, the shop was a bit old and we just maintain it (we didn't built it) until we make a new version on PS 1.7. We just didn't know this module and didn't look close enough... Very classical error in few words ! You're very right about the level of risk of this kind of module.

 

[MichaelEZ]

Hi, so its happinging to us too, so far:

: $path_exploit_payloads=array("/modules/explorerpro/action.php","/modules/sampledatainstall/sampledatainstall-ajax.php","/modules/colorpictures/ajax/upload.php",);

 

so be carefull about sampledatainstall and colorpictures too

 

Ill be back soon..

[jindrich.pilat]

Hi,

we made this module, for detecting this attack, module will tell you, if you are infected. Then write you necessary steps to fix the issue.

Available in Czech and English language.

https://psmoduly.cz/xsamxadoo-detektor-286/prestashop-1-7.htm

Only bankwire payment is accepted - if you would like to pay by paypal, write us email directly without making order - [email protected]

[BrenMaarten]

Hi ,

I also have the same problem as exact same time as @orakel and @JeanPatrickAligatorI think they sent out the bot on that module (Explorerpro) at the same time.
We removed the PHPunit's when the vulnerability alert came out but we didn't know about this module being a security issue.

We managed to clean the infected files. We've also changed all passwords to everything (BO admins, Cpanel, Database), deleted the problematic modules, cleaned the index.php and AuthController files.
Also scanned for Malware so everything seems pretty clean.

For some reason, every morning I log in to check and the bot still seems to inject the index.php file in the root directory. It also sometimes creates new XsamXado files in the root directory too that I have to delete. I don't know where the attack vector still remains - Are there any other modules we've noticed that I should look for? I've gone as far as downloading the entire modules folder via FTP and doing a malware scan on my local machine to check if there is anything there. It seems clean.

Does anyone know where else I could look to see how it still has access? 
Thanks!

[tomerg3]

It's quite possible that they injected a new file that you are not aware of, and that is how they keep injecting files to your site.

If you have an old backup of your site, before the attack happened, you can download it to your local computer, as well as a complete copy of the current site, and use a file compare program (like beyond compare), to see if there are any new files in the current (infected) site, which were not there before the attack.

You can also try looking at all the files that are dated after the attack.

[fosics]

On 8/20/2020 at 11:37 AM, SpreeCode said:

Hi,

we found the same Problem in one Shop this morning. The xsamxadoo must have been extended to use a Security Hole in explorerpro Module. A POST request to explorerpro/actions.php triggers uploads of various files to the root of the Shop and to the modules root Directory.

In this process, the file controllers/AuthController.php gets modified to post Email and Passwords of Users who login to a Telegram Bot via Telegram API.

Check the file controllers/AuthController.php for modifications. In PS 1.6.10 the Code was inserted around line 450.

Possible search terms may be: "$passwordbajaa", "$dhsqndsqdjsqdhsqdqsdhdqs" or "https://"."ap"."i".".tel"."egr"."am".".org"."" (These might obviously be changed by the Hacker in other Versions of the Malware).

Luckily that Code produces a Syntax Error, when logging in, so at the moment it is easy to find.

 

 

i founf my AuthController.php modified with this. How did you manage to eliminate it?

 

[tomerg3]

You can replace it with the original file that came in the PrestaShop installation.

If it was automatically installed, or done by a 3rd party, you can go to the PrestaShop download page, and look for your version in the previous versions section, and then copy controllers/AuthController.php from the zip to your server.

[fosics]

1 minute ago, tomerg3 said:

You can replace it with the original file that came in the PrestaShop installation.

If it was automatically installed, or done by a 3rd party, you can go to the PrestaShop download page, and look for your version in the previous versions section, and then copy controllers/AuthController.php from the zip to your server.

Hi there. Thank you for your tip.

I just did that from a backup of my PS website. So far it works fine. I also deleted other infected files.

I discovered this issue when Google Search Console sent me an email this morning telling that a malicious content page was injected in my site and they sent me the link of it. The problem is that that page (advertising a japanese electronic product) is still there, and I cannot figure out how to remove it.

[tomerg3]

If you still see an infected page on your site (and you cleared your PS cache), then there is still malicious code on your website.

You can compare the files from an old backup to the current ones on the site, and see which files were changed / added, and try to restore only those.

It would be best to take a backup of the current site, in case you accidentally break it more.

[bnadauld]

is it necessary to change the string of random characters after your shops url after admin? ie www.yoursite.com/admin2dgh4fg?

[BrenMaarten]

On 8/28/2020 at 10:43 PM, fosics said:

Hi there. Thank you for your tip.

I just did that from a backup of my PS website. So far it works fine. I also deleted other infected files.

I discovered this issue when Google Search Console sent me an email this morning telling that a malicious content page was injected in my site and they sent me the link of it. The problem is that that page (advertising a japanese electronic product) is still there, and I cannot figure out how to remove it.

@fosics Did you find a fix for the Japanese SEO spam? I have the same problem.

I've can't restore or check files from a backup because it turns out the only back up I have is zipped and the zipped file has redundancy check errors so I can't even unzip it.
I know there is still a back door on my end because its somehow still editing my .htaccess and index.php file every day. The Authcontroller files are fine now but I too have the same issue with the Japanese Spam.

Does anyone else know where I could look for the backdoor besides comparing with a backup file?

[BrenMaarten]

11 hours ago, bnadauld said:

is it necessary to change the string of random characters after your shops url after admin? ie www.yoursite.com/admin2dgh4fg?

I don't think this is necessary. Even if someone knew what the url for your BO is, if you change the passwords it should be fine.
I suppose for an extra layer of security you could change it.

[fosics]

4 hours ago, BrenMaarten said:

@fosics Did you find a fix for the Japanese SEO spam? I have the same problem.

I've can't restore or check files from a backup because it turns out the only back up I have is zipped and the zipped file has redundancy check errors so I can't even unzip it.
I know there is still a back door on my end because its somehow still editing my .htaccess and index.php file every day. The Authcontroller files are fine now but I too have the same issue with the Japanese Spam.

Does anyone else know where I could look for the backdoor besides comparing with a backup file?

 

4 hours ago, BrenMaarten said:

@fosics Did you find a fix for the Japanese SEO spam? I have the same problem.

I've can't restore or check files from a backup because it turns out the only back up I have is zipped and the zipped file has redundancy check errors so I can't even unzip it.
I know there is still a back door on my end because its somehow still editing my .htaccess and index.php file every day. The Authcontroller files are fine now but I too have the same issue with the Japanese Spam.

Does anyone else know where I could look for the backdoor besides comparing with a backup file?

Hi BrenMaarten,

I am still struggling with the japanese injected page. I asked here and there but no definitive answer. Moreover, the malware also damaged the access to the BO. The front works fine. Somehow we are still managing to keep our bussiness going. But I am not happy at all with Prestashop. I think it takes too much attention to keep it running.

It looks like this malware attacked again recently, after January's Prestashop warning. We will probably read about more cases from now on.

The funny thing is that when this first came up in January we did all the checks and handlings regarding the phpunit issue, but apparently it still found a backdoor.

 

 

[BrenMaarten]

What damage are you seeing to the backend? Are you not able to login?
Just check your AdminLoginController.php under controllers/admin. That file was breached for me and had to replace it from a fresh install of prestashop.

Yeah same thing happened to us, we thought we were safe after checking the phpunit files.
Unfortunately our problem was that we had the explorerpro module still installed and didn't know. That's how they found their way in to place backdoors.
As of now, the backdoor still exists. I am still trying to find it.

However I have noticed that the Japanese Spam is not present on DuckDuckGo or on Bing Search Results. Only on Google, so It has something to do with SEO services related to google using our sitemap. Still investigating though. 
 

[fosics]

Thanks for your answer @BrenMaarten.

I did what you said. And this came up

 

(1/1) UndefinedMethodException

Attempted to call an undefined method named "getDefaultTabClassName" of class "Employee".

in Dispatcher.php line 292

at DispatcherCore->getDefaultController(2, object(Employee))in Dispatcher.php line 338

at DispatcherCore->useDefaultController()in Dispatcher.php line 351

at DispatcherCore->dispatch()in index.php line 97

[fosics]

1 minute ago, fosics said:

Thanks for your answer @BrenMaarten.

I did what you said. And this came up

 

(1/1) UndefinedMethodException

Attempted to call an undefined method named "getDefaultTabClassName" of class "Employee".

in Dispatcher.php line 292

at DispatcherCore->getDefaultController(2, object(Employee))in Dispatcher.php line 338

at DispatcherCore->useDefaultController()in Dispatcher.php line 351

at DispatcherCore->dispatch()in index.php line 97

This is what you get with the original AdminLoginController.php

(1/1) UndefinedMethodException

Attempted to call an undefined method named "getDefaultTabClassName" of class "Employee".

in Dispatcher.php line 292

at DispatcherCore->getDefaultController(2, object(Employee))in Dispatcher.php line 338

at DispatcherCore->useDefaultController()in Dispatcher.php line 351

at DispatcherCore->dispatch()in index.php line 97

[BrenMaarten]

That is really strange, 
So you're getting the same error with and without replacing the AdminLoginController.php?

I had similar issues but never encountered that one. I eventually just replaced my entire Classes folder with a new one from a fresh installation of my current version of Presta.
I did this because I had no idea to what extent the bot had injected and into which files. After replacing this and clearing the cache, the backend loaded for me.

If you do this though PLEASE make backups before. You can't be doing changes like this all willy nilly without knowing if you have a plan B in case something breaks.
 

[puffdade]

I have been hit hard by this as well and they have taken all my sites out,  Unfortunately im not as clued up as you guys but have been following this thread with interest

I had a variation of one of the folders mentiond above installed on my server and that was named   xx0_xsamado 

is it possible for one of you guys to do a step by step guide of how to deal with this issue im really out of my depth here however i can rename, copy and replace files when pointed in the right direction 

All my website front pages had the below text

Hacked by El Moujahidin | Nidal365_Dz 

 

 

[BrenMaarten]

Hey Puffdade,

Sorry to hear that. That looks like a hack from the Hacker Group from Algeria. Super Irritating. Probably a bunch of kids who learnt the exploit from some malicious discord server somewhere.
The only thing you can do is stop the initial attack vector which is either a bad/non-secure module or the phpUnit Folders which you can read about here:

https://build.prestashop.com/news/critical-security-vulnerability-in-prestashop-modules/
Next make sure you're not using any outdated modules that may be vulnerable, the extent of your attack looks like it might stem from the 3rd party modules rather than phpUnit exploit.
Make sure you're not using of any the infected modules listed in the first few posts in this thread - uninstall them and remove them from the modules folder in prestashop.

Then go to your Back Office under Advanced Parameters > Configuration Information. At the bottom of this page it will check for any file changes not normal to Prestashop files.
Replace those files with a backup of your website from before the attack. If you don't have a backup, replace it with the correct files from a fresh installation of your version of Prestashop.
Watch out particularly for controller/admin/AdminLoginController.php and controller/front/AuthController.php - These are common to edit as they control the way passwords are handled.

After all those files are checked. Go to your home/public_html and delete any suspicious files, You can identify them by being changed or edited the same day as the attack. Some are them are named the following:

XsamXadoo_Bot.php
XsamXadoo_deface.php
0x666.php
f.php
Xsam_Xadoo.html
Its not limited to this list. Also look for anything with the words "Bajatax" or "jaguar" 

After all this is done and the website is operational again. You need to keep checking for modified changes each day to make sure there are no back doors. I currently am still looking for the backdoor on my site at the moment. If we cannot find the remaining backdoor, you may not be able to have your site back without completely restoring.

This all goes without saying please back up everything before making changes. if you delete something you're not supposed to with no back ups, then you have a problem.
Also after its all over, remember to change your passwords. if they've hacked your back end - they probably have your passwords.

God Speed!
 

[jiri992]

Hi guys,

I would like to add some advice here that it is good to turn on access.log in your hosting where you can discover the source of modyfing the files.

My hosting found the problem with explorerpro since the really beginning and that's why I open this topic on this forum.

The exact suspicious logs were:
2020-08-17 00:15:14 sid-239 nginx 23.101.182.117,us POST /modules/explorerpro/action.php HTTP/1.1 200 (www.domain.xx/ 127.0.0.1:5080 -) [17/Aug/2020:00:15:10 +0200] - sec=0.005 0.006
2020-08-17 00:15:14 sid-239 nginx 23.101.182.117,us GET /xsamxadoo.php HTTP/1.1 200 (www.domain.xx/ 127.0.0.1:5080 -) [17/Aug/2020:00:15:11 +0200] - sec=0.003 0.003

My websites seems ok after restoring backup and delete module explorerpro.

Also do not forget to update these modules:
1-Click upgrade: v4.10.1
Cart Abandonment Pro: v2.0.10
Faceted Search: v3.4.1
Merchant Expertise: v2.3.2
PrestaShop Checkout: v1.2.9

Good luck!

Edited September 3, 2020 by jiri992 (see edit history)

[puffdade]

Now thats a first class reply  Thanks BrenMaarten

[fosics]

Last minute update. (SOLVED)

I contacted a specialist who went through our Prestashop install and located and deleted several virused files located on the root. After that both admin and front are working fine again. The infamous injected page was also removed.

These are some of the virus found,

as.php

bridge_CQKQ0NCR.php

bridge_xYOTwV.php

evpyujtlgq.php

iajrlzxlet.php

II5yetwrybljmcjeny629s1zi56ayt.html

mauvvnzxld.php

I hope this can help others to solve the issue

 

[mecollectibles]

On 8/25/2020 at 9:25 AM, jindrich.pilat said:

Hi,

we made this module, for detecting this attack, module will tell you, if you are infected. Then write you necessary steps to fix the issue.

Available in Czech and English language.

https://psmoduly.cz/xsamxadoo-detektor-286/prestashop-1-7.htm

Only bankwire payment is accepted - if you would like to pay by paypal, write us email directly without making order - [email protected]

Hello,

This module is for Prestashop 1.6 & 1.5.

Have you thought of lower versions like 1.5.6? Have you it for the lower versions like 1.5.6?

Thanks,

 

[bnadauld]

i just got another email from ipage hosting. I had more malware in /modules/supercheckout/views/img/upload.

Is this residual bs from when i removed /phpunit and did a full sweep or is this a reinfection or re-pawn?

[MichaelEZ]

most likely.. can u pm me infected file? 

[bnadauld]

On 10/26/2020 at 7:26 PM, MichaelEZ said:

most likely.. can u pm me infected file? 

each file has no code in the actual file .. just stuff like: PRIVET BOT BY BAJATAX && XSam-XAdoo

[MichaelEZ]

what dates are on those files? 

Edited October 28, 2020 by MichaelEZ (see edit history)

[bnadauld]

from a backup  - not sure - about July i think

[MichaelEZ]

imho those are probably just files left from before

[puffdade]

I had a cron set up as well on my server that my isp suspected was sending random mail  took me weeks to clean this mess up  

 

[bnadauld]

i removed all the phpunit directories and i just got hit again.

has anyone got a good check list of what files in PS that i need to look for the malware?

Edited January 25, 2021 by bnadauld (see edit history)