Critical Prestashop hack


Julien

Hi,

 

I have a problem with a customer website. Someone found a way to insert a custom script on the website checkout page to insert a fake payment method to get card numbers.

 

I already saw the post about the critical security vulnerability caused by SQL injection (https://www.nethues.com/blog/prestashop-1-7-8-7-security-vulnerability/). I didn't update the website to version 1.7.8, but I applied the fix by removing the Smarty configuration lines:

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

 

I already found the script in my website directories (/js/1KUfS.js), which contains code to insert the fake payment method and send information:

(The code is blocked by the website. I put it in an attached archive file, but Avast warns me about this file, so be careful with it.)

I deleted it, but the script is still being inserted (only on the checkout page). I already deleted the cache and tried to find where the script is inserted, but I can't find it.

When I delete the checkout.tpl file content, the script persists in <head> (even if the file doesn't have a layout defined).

I really need help to find a solution.

 

I hope you can help me,

Thanks in advance

 

Julien

 


I just found this script 30 min ago and it is working perfectly! :)

 

If you have a problem with fake payment method insertion, you can check this post. The script finds all suspicious files; I just had to replace them with my local clean files:

 


  • 2 weeks later...

Hello, I cleaned the files according to the script from eolio, but every time I change the files that are orange at the top, they are modified again a moment later. Or should I try to change the files in the modules that are also orange? And the files in blue, I don't know what they are. I can also try to delete them, but what will happen?
It always fixes itself over and over 😞
Well, thank you.

Link to comment
Share on other sites

Hi Maxflor,

You can try to change the file write permissions for your controller / classes directories.

For module files, you have to check inside whether it's a malware script or just an override for your website. If you don't know how to check it, I advise you not to delete these files.

Can you send a screenshot of the list of modified files?

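The cleanup described in the replies above (list the files that differ from a clean copy, then restore them) comes down to a hash comparison between the live tree and a reference copy of the same PrestaShop version. The sketch below is an added example, not code from this thread or from the script mentioned in it; the skip list, the function names and the sample files are assumptions.

```python
import hashlib
import os
import tempfile

# Top-level directories expected to differ from a fresh copy (assumed list).
SKIP_DIRS = {"var", "cache", "img", "upload", "download"}

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def snapshot(root):
    """Map each relative file path under root to its SHA-256."""
    hashes = {}
    for folder, dirs, files in os.walk(root):
        if folder == root:  # prune skipped directories at the top level only
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            full = os.path.join(folder, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return hashes

def compare(clean_root, live_root):
    """Files modified, added or missing in live_root versus clean_root."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():  # constructed sample trees, not a real shop
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "classes/Tools.php", "<?php // core\n")
            write(root, "controllers/front/OrderController.php", "<?php // core\n")
        write(live, "controllers/front/OrderController.php", "<?php // changed\n")
        write(live, "js/unknown.js", "// not in the clean copy\n")
        write(live, "cache/smarty.tmp", "regenerated at runtime\n")
        return compare(clean, live)

if __name__ == "__main__":
    print(demo())
```

Entries under "added" that sit in module or override directories may be legitimate customisations, so they need reading before removal. Running the comparison again after restoring files shows whether the same paths keep changing.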
