> While I cannot give you the reasons A, B, C, D, etc., I can tell you that, in my opinion, it appears to be a lack of security hygiene. Some vulnerability that allowed credentials to be retrieved. Outdated, vulnerable module? Weak BO URL/password combination? Historical SQLi? Speculation.
Direct hit because of leaked credentials. I hesitated to post some log files, but since some people are very stubborn, here they are. On the first visit, they went straight to the admin page and logged in.
<IPADDRESS> - - [30/Oct/2025:10:46:08 +0100] "GET /<ADMINURL>/index.php HTTP/1.0" 302 1741 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7 HTTP/1.0" 200 3818 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/jquery/plugins/validate/localization/messages_nl.js HTTP/1.0" 200 3520 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/vendor/spin.js HTTP/1.0" 200 3481 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /<ADMINURL>/themes/default/public/theme.css HTTP/1.0" 200 3491 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/jquery/jquery-3.4.1.min.js HTTP/1.0" 200 3494 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /<ADMINURL>/themes/default/css/overrides.css HTTP/1.0" 200 3740 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/vendor/ladda.js HTTP/1.0" 200 3482 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/jquery/plugins/jquery.validate.js HTTP/1.0" 200 3501 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
<IPADDRESS> - - [30/Oct/2025:10:46:09 +0100] "GET /js/admin/login.js?v=8.2.3 HTTP/1.0" 200 3481 "https://<DOMAIN>/<ADMINURL>/index.php?controller=AdminLogin&token=1b07d9e72e7f972dbc659d36c6a017d7%22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
Prior to that in the logs: NO scans, no SQL injection or any other stuff. Just straight to the door with the key.
It was an account for Prestashop support; with SQL injection or any other method you cannot retrieve the plain-text password!
The account was made specially for Prestashop support and credentials were only communicated through Prestashop support forum. It's never been saved or communicated anywhere else.
Speculation: Maybe it was an inside job? <-- even more worrying
> First of all: I heard about such an attack in the community, where the victim never contacted PrestaShop SA for support. The attack was also a direct login to the back office. This is to debunk the theory that 100% PrestaShop Support credentials were leaked. If you think that's the case, instead of making public accusations here on the forum, the evidence should be shared with the proper authorities. I must say making such public accusations is bold.
We informed and contacted Prestashop. After that we've informed the national authorities.
Last email we've received from Prestashop on 4-11-2025:
We provided all information... Prestashop never gave a response or took any action...
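The pattern the poster points at (a source IP whose very first request to the shop is the back-office URL, with no probing beforehand) is something a defender can flag automatically rather than by reading raw logs. The following is an added Python example, not code from the original post or from the PrestaShop project: it parses Apache/nginx combined-format access log lines, groups them by source IP, and reports how many requests from each IP preceded its first request to the admin path. The sample log lines, the IPs from the documentation ranges and the admin folder name /admin-example/ are all constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (not the poster's log): 198.51.100.7 probes a couple of
# common paths before touching the admin area, 203.0.113.5 goes straight to the
# admin login, 192.0.2.9 is an ordinary visitor. /admin-example/ stands in for a
# shop's renamed admin folder.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Oct/2025:09:12:01 +0100] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [30/Oct/2025:09:12:02 +0100] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [30/Oct/2025:09:12:03 +0100] "GET /admin-example/index.php HTTP/1.1" 302 1741 "-" "python-requests/2.31"
203.0.113.5 - - [30/Oct/2025:10:46:08 +0100] "GET /admin-example/index.php HTTP/1.0" 302 1741 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2025:10:46:09 +0100] "GET /admin-example/index.php?controller=AdminLogin&token=0000 HTTP/1.0" 200 3818 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2025:10:46:09 +0100] "GET /js/vendor/spin.js HTTP/1.0" 200 3481 "https://shop.example/admin-example/index.php" "Mozilla/5.0"
192.0.2.9 - - [30/Oct/2025:11:00:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def requests_before_admin(lines, admin_prefix):
    """For every source IP that requested a path under admin_prefix, return how many
    requests from that IP were logged before its first admin request.
    0 means the IP's very first contact with the site was the admin area."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    result = {}
    for ip, recs in per_ip.items():
        for idx, rec in enumerate(recs):
            if rec["path"].startswith(admin_prefix):
                result[ip] = idx
                break
    return result


def direct_admin_hits(lines, admin_prefix):
    """IPs whose first request was to the admin area: the 'straight to the door' pattern."""
    counts = requests_before_admin(lines, admin_prefix)
    return sorted(ip for ip, n in counts.items() if n == 0)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in requests_before_admin(lines, "/admin-example/").items():
        print(f"{ip}: {n} request(s) before first admin request")
    print("direct admin hits:", direct_admin_hits(lines, "/admin-example/"))
```

Run against a real access log, an IP that shows up with zero prior requests and then a successful back-office login is worth correlating with the shop's own employee login records: on its own the pattern only says the visitor already knew the admin URL, which is consistent with leaked credentials but does not by itself say where they leaked from.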
