christmascrackers Posted August 24, 2011

My web host sent me the following message. It would appear malware has been uploaded to my site. My webhost has told me that my site risks being taken offline unless the problem is fixed. I've told them I'm running the latest version of Prestashop 1.4.4 and they've responded by saying they are not familiar with the script!

So anyone have any ideas how these files could have been uploaded as it appears they were uploaded to my server via Prestashop? Is there a way to disable uploads? I sell physical products and have no need for an upload or a download option.

Message from my host:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This ticket is being created to discuss the below account with you.

During a routine daily scan of this server we have identified file(s) within the account that appear to be compromised, based upon MD5 file hashes and HEX pattern matches of currently known exploits. We have detailed any action taken by ourselves and included as much relevant information as possible below.

It would be appreciated if you could urgently review this report and inform us that you are investigating. We kindly ask you to acknowledge this ticket within the next 24 hours, as a lack of response may result in the website being suspended.

User: clascrak
Server: martyn

List Of Exploited Files:
=========================================================================
{HEX}php.cmdshell.unclassed.338 : /home/clascrak/public_html/upload/cd0e5832f45f9022c9f1dececbc5639d.php => /usr/local/maldetect/quarantine/cd0e5832f45f9022c9f1dececbc5639d.php.27678
{HEX}php.cmdshell.unclassed.338 : /home/clascrak/public_html/download/cd0e5832f45f9022c9f1dececbc5639d.php => /usr/local/maldetect/quarantine/cd0e5832f45f9022c9f1dececbc5639d.php.515
=========================================================================

Action(s) Taken:
=========================================================================
The offending files have been quarantined
=========================================================================

I'm not familiar with this script but the folder names suggest it for downloading/uploading files via the script? All we know is that those 2 files were malicious and that the script needs to be audited to confirm how it was uploaded/downloaded to be there.

Please let us know what is found and any action taken etc.

Carl

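An added example, not part of the original thread or of the host's tooling: a small Python parser for report lines in the format quoted in the host's message, which groups the hits by web-root directory and shows that the same file name was flagged in both upload/ and download/. The function names, and the assumptions of one hit per line and no spaces in paths, belong to this example.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Report lines copied from the host's message above, one hit per line.
SAMPLE_REPORT = """\
{HEX}php.cmdshell.unclassed.338 : /home/clascrak/public_html/upload/cd0e5832f45f9022c9f1dececbc5639d.php => /usr/local/maldetect/quarantine/cd0e5832f45f9022c9f1dececbc5639d.php.27678
{HEX}php.cmdshell.unclassed.338 : /home/clascrak/public_html/download/cd0e5832f45f9022c9f1dececbc5639d.php => /usr/local/maldetect/quarantine/cd0e5832f45f9022c9f1dececbc5639d.php.515
"""

# {TYPE}signature : original path [=> quarantine path]
HIT_RE = re.compile(
    r"^\{(?P<kind>[A-Z0-9]+)\}(?P<sig>\S+)\s+:\s+(?P<path>\S+)"
    r"(?:\s+=>\s+(?P<quarantine>\S+))?\s*$"
)

def parse_hits(report):
    """Return one dict per hit line; separators and prose lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def hits_by_top_dir(hits, docroot):
    """Map each first-level directory under docroot to the flagged file names."""
    by_dir = defaultdict(set)
    for h in hits:
        p = PurePosixPath(h["path"])
        try:
            rel = p.relative_to(docroot)
        except ValueError:          # hit lies outside the web root
            rel = p
        top = rel.parts[0] if len(rel.parts) > 1 else "."
        by_dir[top].add(p.name)
    return {d: sorted(names) for d, names in by_dir.items()}

def repeated_names(hits):
    """File names flagged in more than one directory (same drop, several places)."""
    seen = defaultdict(set)
    for h in hits:
        p = PurePosixPath(h["path"])
        seen[p.name].add(str(p.parent))
    return {n: sorted(dirs) for n, dirs in seen.items() if len(dirs) > 1}

if __name__ == "__main__":
    found = parse_hits(SAMPLE_REPORT)
    print(hits_by_top_dir(found, "/home/clascrak/public_html"))
    print(repeated_names(found))
```
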
SonnyBoyII Posted August 24, 2011

Please see this post: http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

Raphaël Malié Posted August 24, 2011

Hello,

Please use this topic to discuss this bug: http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/page__pid__614536__st__60#entry614536

We are all working on it.

Regards