Mike Kranzler

Please Read: Security Procedure


Last night, PrestaShop's official website, prestashop.com, was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores.

 

The entire PrestaShop team dedicated itself to identifying and fixing this issue as quickly as possible. That fix has been completed.

 

Has my shop been infected?

This only affects PrestaShop versions 1.4/1.4.1/1.4.2/1.4.3/1.4.4, but not all shops using these versions are necessarily affected.

 

If you use one of these versions, please check for any of the following symptoms:

• A her.php file is at the root of the /modules folder

• A .php file other than index.php is in the upload or download folder

• Your footer.tpl file has been modified.

• Your tools/smarty_v2 folder is missing

 

If any of these conditions applies, your shop may have been infected. However, it is easy to fix by following the instructions listed below.

 

What should I do?

1. Change your database password (or contact your webhost if you do not know how to do it). Once you have done that, open the settings.inc.php file in your /config folder and replace your old password with the new one. See below:

[attached screenshot]

2. Download the fix published by PrestaShop by clicking here

3. Upload it to the root folder of your shop with your FTP client (Filezilla, Transmit…)

4. Go to the url http://www.myshop.com/herfix.php

5. The fix is now applied. Please do not forget to delete the herfix.php file previously uploaded at the root of your shop

6. Rename the admin folder

7. Change the password of all admins of your shop

 

If you need any help or have any additional questions, you can email us at security@prestashop.com. We will answer you as soon as possible.

 

The whole PrestaShop team wants to deeply thank the community for its help in identifying this issue.


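The four indicators above can be checked without touching anything. The script below is an added example written for this page; it is not the herfix.php that PrestaShop published and it only reports, it does not clean. It assumes PHP 7 or newer and the standard 1.4 layout (modules/, upload/, download/, themes/<name>/footer.tpl, tools/smarty_v2). Because uploading a diagnostic to the web root is itself a risk, it refuses HTTP requests without a token (TOKEN is a placeholder you set) and reminds you to delete it afterwards, exactly as step 5 does for herfix.php. A clean result only means these particular indicators are absent, not that the server is clean.

```php
<?php
// check_her.php: report-only check for the four indicators listed in the post above.
// Added example for this page; it is NOT PrestaShop's herfix.php and changes nothing.
// CLI:  php check_her.php /path/to/shop [/path/to/known-good/footer.tpl]
// Web:  upload to the shop root, open /check_her.php?token=<TOKEN>, then delete it.

const TOKEN = 'replace-with-a-long-random-value';   // assumed: set before uploading

/** .php files other than index.php directly inside upload/ or download/ (flat folders in 1.4). */
function strayPhpFiles(string $dir): array {
    $hits = [];
    foreach (glob("$dir/*.php") ?: [] as $f) {
        if (basename($f) !== 'index.php') {
            $hits[] = $f;
        }
    }
    return $hits;
}

/** Human-readable findings; an empty list means none of the four indicators is present. */
function checkShop(string $root, ?string $cleanFooter = null): array {
    $findings = [];

    // 1. her.php at the root of /modules
    $her = "$root/modules/her.php";
    if (is_file($her)) {
        $findings[] = "modules/her.php exists, modified " . date('c', filemtime($her));
    }

    // 2. unexpected .php files in upload/ and download/
    foreach (['upload', 'download'] as $d) {
        foreach (strayPhpFiles("$root/$d") as $f) {
            $findings[] = "unexpected PHP file $f, modified " . date('c', filemtime($f));
        }
    }

    // 3. footer.tpl of every theme: an injected <iframe>, or a hash mismatch against a known-good copy
    foreach (glob("$root/themes/*/footer.tpl") ?: [] as $tpl) {
        $src = (string) file_get_contents($tpl);
        if (stripos($src, '<iframe') !== false) {
            $findings[] = "$tpl contains an <iframe> tag, modified " . date('c', filemtime($tpl));
        }
        if ($cleanFooter !== null && is_file($cleanFooter)
            && hash_file('sha256', $tpl) !== hash_file('sha256', $cleanFooter)) {
            $findings[] = "$tpl differs from the known-good copy $cleanFooter";
        }
    }

    // 4. tools/smarty_v2 deleted
    if (!is_dir("$root/tools/smarty_v2")) {
        $findings[] = 'tools/smarty_v2 is missing';
    }

    return $findings;
}

// ---- entry point ----
if (PHP_SAPI === 'cli') {
    $root  = $argv[1] ?? __DIR__;
    $clean = $argv[2] ?? null;
} else {
    // Over HTTP: require the token and never take a path from the request.
    if (!hash_equals(TOKEN, (string) ($_GET['token'] ?? ''))) {
        http_response_code(403);
        exit('forbidden');
    }
    header('Content-Type: text/plain; charset=utf-8');
    $root  = __DIR__;
    $clean = null;
}

$findings = checkShop(rtrim($root, '/'), $clean);
echo $findings
    ? "INDICATORS FOUND:\n- " . implode("\n- ", $findings) . "\n"
    : "None of the four indicators found (this does not prove the server is clean).\n";
echo "Remove this script from the web root when you are done.\n";
```

The modification times are printed so they can be lined up against the incident window and against the access log; the optional known-good footer.tpl (from a backup or a fresh PrestaShop download of the same version) turns the vague "has been modified" indicator into a hash comparison.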

Where can we get more information about this exploit and about what the herfix.php file does?

 

Will be a nice read.

 

I would also like to thank muller for first reporting this and to the prestashop team for resolving this issue within a day.

 

 

thanks



Seconded. Sterling work to get things back to normal in quick time.


Hi,

 

I did everything, but it is still infected. I will try some more times. Thanks for your hard work btw.

 

Well, there are no strange files in the download/upload folder, and footer.tpl looks OK. But the front office still gives a virus warning from Norton.


Last night, PrestaShop's official website, prestashop.com, was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores.

 

We were very lucky in that the people who did the hacking were not very good and broke lots of installations. With a sneakier setup this could have gone unnoticed for months while feeding all compromised shops' data to hackers.

 

So, my question is: do you intend to remove the content pulled from the prestashop.com domain into our servers now, so that no incident like this can ever repeat? I think you agree that no one could or would guarantee that prestashop.com will never be hacked again.

 

Thanks for quick response/resolution.


Hi Phrasespot,

I will pass your question on to our development team, and will pass along their answer as soon as I hear back.

 

-Mike


My browser gets an error message:

herfix.php error on line 832

 

Sorry. That was Chrome.

In Mozilla it writes OK.

 

Thanks!


I have restored a backup of my website installation and database, both with a date before the hack took place. Do I still have to apply this fix, using herfix.php? Or will it suffice just to change the database and admin passwords?


phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site. herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

 

I'll try to explain the whole process that happened in simple terms.

 

What happened

The Prestashop server was hacked, and some code was modified to send malicious files back to each shop that contacts Prestashop's server.

 

Why is that even possible

A bug in /admin/tabs/AdminHome.php that allowed the Prestashop site to send files rather than just information.

 

How did it affect me

When you go to the "Home" in the backoffice, your site sends a request to Prestashop's site to get update notifications, and due to a bug there, it was also possible to send files to your server (rather than just sending text that will be displayed).

 

Why did some people not get affected

If you did not go to the Home of the backoffice, or if you did, but after Prestashop fixed the hack on their site, then you were not affected (or if you have PS older than 1.4).

 

How to make sure it doesn't happen again

Run the herfix.php fix; it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.


Thanks Tomer,

 

It is now clear to me that everyone running 1.4.x should apply this fix, even those not affected yet.



OK, I did everything; the footer file doesn't change anymore. No strange files in the upload/download folder. But when I go to my shop, Norton still gives a virus warning. How do I fix that? Because as long as that happens, I won't open the shop.

 

Hope you can tell me what I am doing wrong.


Thanks, Prestashop Admin team, for getting the fix out. I have followed the directions on changing all the passwords and applying herfix.php. Can I delete herfix.php after applying it, or should I keep it in my store's root folder?


- CTRL + F5

- Clear the browser cache

 

Or do the Smarty compile and cache folders in the shop also need to be cleaned? Can anyone tell?


philee: yes, you can delete it. it updated AdminHome.php, which only needs to be done once.

 

cobus: Don't know; if you view the source, do you see any <iframe code?


Hi I just ran the herfix.php then I got "OK" displayed and it deleted itself.

 

Is that correct?


Hmm, my AdminHome.php has not been updated upon applying the fix... I use a modified version of this file (have commented out the video screencast in the past), could that be the reason why it's not updated? The ajax.php in the admin folder has been updated though.

 

When I try to reapply the herfix.php, I get a 404 error (page not found)...


Uh... the herfix.php file is normally deleted automatically after execution; for me it was.

 

Is it possible to know exactly what portion of code was the problem?

For general knowledge, and for my own future updates.

 

Depending on the version, this is not necessarily located in AdminHome.php.

On localhost 1.4.4.0 (custom) and in production 1.4.2.5 (custom and infected).

Infected with this virus, I did the necessary deletions manually (once I realized, I ran the herfix script).

 

In any case, bravo to the Presta team, who solved this problem in less time than it took me to realize my site was infected.

 

Sorry for my English... brrrrr... Google Translate isn't perfect!


Actually, I think that just the ajax.php file is updated by this fix. I checked the latest SVN updates and only found an updated ajax.php. The changes in this SVN revision checks out with the changes applied by the fix.


Hello people,

 

I think this is not over here!

 

The purpose of this hack seems to be bigger...

 

On our server this virus has created its own administration section - practically a gate to our server with total control features.

 

Have a look in the attached file.

 

Our development team found this and much more... still investigating.

 

I think we haven't seen the big picture here, and we only looked to put our stores back online, treating visible symptoms.

[attached image]


How to make sure it doesn't happen again

Run the herfix.php fix; it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.

 

Thanks for the work and attention on this issue.

 

Please give us more details on what herfix.php does. If it patches only AdminHome.php, why shouldn't we replace only this file? Is there more, or should we still be patient?


On our server this virus has created its own administration section - practically a gate to our server with total control features.

 

Is this the file called xx.php? How was it created? Via FTP or a PHP script? Are there more unusual scripts? Did you change anything to secure your PrestaShop before (e.g. permissions 400 on footer.tpl after cleaning it / 500 on the modules folder)? Did you run herfix.php?


Hello and sorry for my English.

 

I have followed all the steps to remove the virus, but I still have a couple of problems:

 

1. I cannot open, edit or delete any files in the store directory (I can only rename them) with CuteFTP 8.3 Professional.

 

2. When I try to open the store in my browser, it first attempts to open other sites (with strange addresses, e.g. www.jokelimo.com...).

The error I get in Internet Explorer is:

[attached screenshot]

 

 

 

Is this normal?

 

Thanks and sorry for my English.


On our server this virus has created its own administration section - practically a gate to our server with total control features.

 

Is this the file called xx.php? How was it created? Via FTP or a PHP script? Are there more unusual scripts? Did you change anything to secure your PrestaShop before (e.g. permissions 400 on footer.tpl after cleaning it / 500 on the modules folder)? Did you run herfix.php?

 

My store is now safe and online. I applied the fix and all is good with the shop (I think).

Yes, it is the xx.php file. The xx.php file was created ON THE SERVER with a PHP script, not in the root of my site (we run a VPS). This is about server access and control.

 

This gate was created before the fix and still existed after it; now we control it.


Does anyone else have this file xx.php?

 

It seems that this file was added/modified at 21:58:30. Is there any activity in the logs executing another PHP file?


Anyway... I think this hack is too messy, and the mess is a distraction from the real purpose: long-term server control.


Hi guys,

 

even after applying the fix we were still getting the error/warning with our virus scanner. To resolve this make sure you clear the cache files for your theme:

 

root\themes\themename\cache

 

delete everything except index.php

 

:blink:


Does anyone else have this file xx.php?

 

It seems that this file was added/modified at 21:58:30. Is there any activity in the logs executing another PHP file?

 

NOT created at 21:58! At that time we edited it so we could have control.

 

It was created at 10:08 this morning.

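The question in the exchange above (which other PHP files were written around the time xx.php appeared, and did anything in the logs call them?) is the right one to ask once a backdoor turns up outside the shop root. The sweep below is an added example for this page, not code from the thread or from PrestaShop; it needs PHP 7 or newer. It lists every .php file under a root whose modification time falls inside a chosen window, flags common webshell constructs for manual review, and picks out access-log requests for .php paths that are not part of the shop. The log lines, the time window and the list of known paths are constructed for the demo; the xx.php request is illustrative, not the poster's actual log.

```php
<?php
// hunt_recent_php.php: timeline sweep after a dropped backdoor is found.
// Added example, not part of the thread or of PrestaShop. All sample data below is constructed.
// CLI: php hunt_recent_php.php [/path/to/docroot]

/** Every *.php under $root whose mtime is inside [$from, $to] (Unix timestamps), keyed by relative path. */
function phpFilesModifiedBetween(string $root, int $from, int $to): array {
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php') {
            $m = $f->getMTime();
            if ($m >= $from && $m <= $to) {
                $out[substr($f->getPathname(), strlen($root))] = $m;
            }
        }
    }
    ksort($out);
    return $out;
}

/** Crude webshell markers: a hit means "read this file", not "this is malware". */
function suspiciousMarkers(string $source): array {
    $patterns = [
        'eval_decoded'  => '/eval\s*\(\s*(base64_decode|gzinflate|str_rot13)/i',
        'exec_request'  => '/\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/i',
        'preg_e_flag'   => '/preg_replace\s*\(\s*[\'"][^\'"]*\/e[\'"]/i',
        'upload_sink'   => '/move_uploaded_file\s*\(/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $source)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Parse combined-format access log lines and return requests for .php paths that are not
 * in $knownPaths: whoever dropped a file has to call it before it is of any use.
 */
function unknownPhpRequests(array $logLines, array $knownPaths): array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST|HEAD) (\S+)/';
    $res = [];
    foreach ($logLines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $path = parse_url($m[4], PHP_URL_PATH);
        if (is_string($path) && substr($path, -4) === '.php' && !in_array($path, $knownPaths, true)) {
            $res[] = ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $path];
        }
    }
    return $res;
}

// ---- demo on constructed data ----
$sampleLog = [   // constructed lines in Apache combined format
    '203.0.113.5 - - [23/Aug/2011:10:08:02 +0200] "POST /admin/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Aug/2011:10:08:31 +0200] "GET /xx.php?c=id HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Aug/2011:10:09:10 +0200] "GET /index.php HTTP/1.1" 200 9182 "-" "Mozilla/5.0"',
];
$known = ['/index.php', '/admin/ajax.php', '/admin/index.php', '/order.php', '/product.php'];   // assumed
foreach (unknownPhpRequests($sampleLog, $known) as $r) {
    echo "{$r['time']} {$r['ip']} {$r['method']} {$r['path']}\n";
}

$root = $argv[1] ?? null;
if ($root !== null) {
    // Constructed window around the time the poster's xx.php appeared; adjust to your own timeline.
    $from = strtotime('2011-08-23 09:00:00');
    $to   = strtotime('2011-08-23 12:00:00');
    foreach (phpFilesModifiedBetween(rtrim($root, '/'), $from, $to) as $rel => $m) {
        $flags = suspiciousMarkers((string) file_get_contents($root . $rel));
        echo date('c', $m), '  ', $rel, $flags ? '  [' . implode(',', $flags) . ']' : '', "\n";
    }
}
```

Modification times are a pointer, not proof: an attacker with code execution can reset them. The access log is the more reliable timeline, and the request that wrote xx.php (the poster says a PHP script on the server created it) should sit just before the file's appearance, which is why the unknown-path filter matters more than the mtime sweep when the two disagree.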


You must replace the smarty folders from your site with ones from a back-up or new prestashop download. The ones that you have now are altered.


Ahh - so you have to delete the cache first before applying the herfix? <_<



NO! NOT there! Here : yoursite/tools/smarty and smarty_v2 folders


:lol: No, I never meant placement, lol! I meant that before applying the herfix, one must delete the cache files beforehand.

 

:P



Thank you very much, that is what I needed to fix it!!!!

phrasespot: from what I understand, there was a loophole in AdminHome.php that allowed code to be sent from Prestashop's server back to your site. herfix.php fixes this loophole, so even if the Prestashop server is hacked again, it won't be possible to send files back to your server.

 

I disagree with you. Every single installation of Prestashop is open if prestashop.com is hacked.

 

Here is why:

 

AdminHome.php

if (@ini_get('allow_url_fopen'))
	{
		$upgrade = new Upgrader();
		if($update = $upgrade->checkPSVersion())
			echo '<div class="warning warn" style="margin-bottom:30px;"><h3>'.$this->l('New PrestaShop version available').' : <a style="text-decoration: underline;" href="'.$update['link'].'" target="_blank">'.$this->l('Download').' '.$update['name'].'</a> !</h3></div>';
	}

 

Attacker replaces http://www.prestashop.com/xml/version.xml to send a higher version and a malicious link. Your update will be coming from a malicious URL.

GAME OVER

 

AdminHome.php

<iframe src="'.$protocol.'://screencasts.prestashop.com/screencast.php?iso_lang='.Tools::strtolower($isoUser).'" style="border:none;width:100%;height:420px;" scrolling="no"></iframe>

Attacker modifies http://screencasts.prestashop.com/screencast.php. An iframe of attacker's choosing will be inserted to your site.

GAME OVER

 

There are more, from Help access to payment module activation, where the installation interacts with and pulls content from the prestashop.com domain and its subdomains, but the two above should demonstrate the point. It is never safe to include content from an untrusted domain in your application, and for me any domain that is not under my control is an untrusted domain, and even then only 90% trust, justly so as the latest incident has shown.

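The two snippets phrasespot quotes share one defect: whatever version.xml and screencast.php return is written into the admin page as-is. The update link and version name are echoed unescaped into HTML, so a compromised feed gets HTML injection in the back office on top of a redirect to an arbitrary download, and the iframe gives the remote host a full frame inside the admin session. The code below is an added example for this page, not PrestaShop's code; the function names, the allowlist and the sample version.xml entries are assumptions, and it needs PHP 7 or newer. It shows how those two spots can be rendered so that a hostile feed can neither inject markup nor send the admin off-domain.

```php
<?php
// Hardened rendering of the two remote-content spots quoted above.
// Added example, not PrestaShop's code; names and the allowlist are assumptions.

// Hosts the back office may link to or embed (assumed list).
const TRUSTED_HOSTS = ['www.prestashop.com', 'screencasts.prestashop.com'];

/**
 * Accept only absolute https URLs whose host is on the allowlist.
 * Rejects javascript:, data:, plain http, protocol-relative URLs and look-alike hosts.
 */
function isTrustedUrl(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {   // refuse embedded credentials outright
        return false;
    }
    return in_array(strtolower($p['host']), TRUSTED_HOSTS, true);
}

/** HTML-escape text taken from a remote feed before it reaches the admin page. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Replacement for the echo in AdminHome.php. $update comes from version.xml, so both the
 * link and the name are attacker-controlled if that host is. Returns '' instead of
 * rendering anything when the entry does not look like a vendor download.
 */
function renderUpdateNotice(array $update): string {
    $link = (string) ($update['link'] ?? '');
    $name = (string) ($update['name'] ?? '');
    if (!isTrustedUrl($link) || !preg_match('/^[0-9]+(\.[0-9]+){1,3}$/', $name)) {
        return '';
    }
    return '<div class="warning warn"><h3>New PrestaShop version available: '
         . '<a href="' . h($link) . '" target="_blank" rel="noopener noreferrer">'
         . 'Download ' . h($name) . '</a></h3></div>';
}

/**
 * Replacement for the screencast iframe: the language code is validated, the URL goes
 * through the same check as any other remote URL, and the frame is sandboxed so the
 * remote page cannot touch the admin origin, submit forms, open popups or navigate the top frame.
 */
function renderScreencastFrame(string $isoLang): string {
    if (!preg_match('/^[a-z]{2}$/', $isoLang)) {
        return '';
    }
    $src = 'https://screencasts.prestashop.com/screencast.php?iso_lang=' . $isoLang;
    if (!isTrustedUrl($src)) {
        return '';
    }
    return '<iframe src="' . h($src) . '" sandbox="allow-scripts" referrerpolicy="no-referrer"'
         . ' style="border:none;width:100%;height:420px" scrolling="no"></iframe>';
}

// Constructed inputs: a plausible legitimate entry and the kind of entry a hijacked version.xml could serve.
$legit = ['name' => '1.4.4.1', 'link' => 'https://www.prestashop.com/download/prestashop_1.4.4.1.zip'];
$evil  = ['name' => '9.9.9 <img src=x onerror=alert(1)>', 'link' => 'http://evil.example/backdoored.zip'];

echo renderUpdateNotice($legit), "\n";   // rendered, with both values escaped
echo renderUpdateNotice($evil), "\n";    // nothing: wrong scheme, wrong host, bad version string
echo renderScreencastFrame('en'), "\n";
echo renderScreencastFrame('../x'), "\n";   // nothing: language code rejected
```

The caveat a practitioner will spot immediately is that an allowlist of the vendor's own hosts does nothing when the vendor's host is the one compromised, which is exactly this incident. Escaping stops markup from the feed executing in the back office, and the sandbox stops the framed page scripting the admin session, but a link that stays on prestashop.com can still point at a trojaned zip. Closing that requires verifying a signature on the downloaded package against a key shipped with the shop, or simply letting administrators switch the feeds off, which is what a later post in this thread asks for.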


Hi Mike and PS team,

 

It works for me. Tomorrow I shall check it deeply, I'm tired now.

 

Many thanks to all the team and all prestashop community.


Hi!

What about the fresh zip file download from http://www.prestashop.com/en/downloads/?

Is this loophole already fixed in the download section of the PrestaShop website, or do I have to run herfix.php right after installation?

 

Many thanks for PS Team!!!

 

Great job!!!

 

Regards.


I totally agree with this. Our programmers are very mad at this hour... This is a mess from the PrestaShop team too!

 

Next time a client makes a payment, it might actually pay a nice little hacker for his great effort in using another security hole in the secure PrestaShop platform ;)

These are serious problems, people...


I too have run this fix but when I view my shop I'm still getting the virus warning?!

 

My cache folder is empty too, just the index.php.


I still get the trojan message using the fix, erasing the cache, replacing smarty folders and everything.

 

help please!


I have a question. Should we apply these changes even if the site wasn't compromised?

 

I asked the same question earlier in this topic and came to the conclusion that this fix should also be applied to uninfected sites. Even though there is no immediate threat anymore (as the hack on the Prestashop servers has been repaired), this fix should help to prevent future injection of malicious code via the same route. This is besides the current discussion of how solid this fix actually is...


philee: yes, you can delete it. it updated AdminHome.php, which only needs to be done once.

 

cobus: Don't know, if you view source, do you see any <iframe code?

I can see <iframe src="'.$protocol.'://screencasts.prestashop.com/screencast.php?iso_lang='.Tools::strtolower($isoUser).'" style="border:none;width:100%;height:420px;" scrolling="no"></iframe>

<div id="footer_iframe_home">

 

Do I need to delete it or remove the code?


I see this code in AdminHome.php

 

<iframe src="'.$protocol.'://screencasts.prestashop.com/screencast.php?iso_lang='.Tools::strtolower($isoUser).'" style="border:none;width:100%;height:420px;" scrolling="no"></iframe>

<div id="footer_iframe_home">

 

??

Do I need to delete it or remove the code?

 

No, do not arbitrarily delete anything. Did you read the very first post in this thread, giving step-by-step instructions?

 

What should I do?

1. Change your database password (or contact your webhost if you do not know how to do it). Once you have done that, open the settings.inc.php file in your /config folder and replace your old password with the new one. See below:

[attached screenshot]

2. Download the fix published by PrestaShop by clicking here

3. Upload it to the root folder of your shop with your FTP client (Filezilla, Transmit…)

4. Go to the url http://www.myshop.com/herfix.php

5. The fix is now applied. Please do not forget to delete the herfix.php file previously uploaded at the root of your shop

6. Rename the admin folder

7. Change the password of all admins of your shop

 

If you need any help or have any additional questions, you can email us at security@prestashop.com We will answer you as soon as possible.

 

This fix will

 

- clean/reinstate smarty, smarty caches, upload and download folders, footer.tpl

- modify the existing code to make it more secure

- restrict access for everyone to download folder

- remove malicious her.php file

- and finally remove itself (note that this is slightly different from step 5 of Mike's instructions but does not matter, just disregard the 2nd part of step 5)

 

Currently there are three possibilities:

 

1 - Your website was affected: Follow step-by-step instructions in applying the fix provided. The fix will solve it.

2 - Your website was not affected: This specific vector of attack is closed without you needing to do anything. Attackers reached Prestashop installations using the prestashop.com website as an intermediary. As soon as the hacked prestashop.com server was fixed, you could no longer be infected. However, you must still apply the fix as it strengthens the existing installation.

3 - You did not have an installation until now and just downloaded/installed the latest version (v1.4.4) from prestashop.com. Apply the fix as this fix will strengthen the existing installation.

 

For those who still receive warnings after applying the fix, it may be a caching issue, the affected version of the page may be cached by your browser, by your downstream provider, by your prestashop installation or any machine in between. It does not necessarily mean your website is still infected. Also some anti-virus programs are over eager and once a website is caught with dangerous code, you are warned at subsequent visits to website even if it was cleaned.

 

The code snippet you quoted in your posts relates not to this issue but to a more general issue, and you can safely ignore it. Do not go deleting parts of your installation arbitrarily; just follow the instructions in the first post of this thread, quoted again in this post. It was my fault to enter into this subject in a thread where tensions run high; apologies to the community managers. However, I still maintain my position and I am looking forward to an answer.


Guys ...

 

Perhaps we need a new forum under the 'General' category for;

 

Security Issues, Risks and Fixes?

 

That way there'll be one forum to go to for these problems (and there are bound to be more); already there are multiple threads on this subject in a few forums.


thanks


Why were users not informed about this? Any security issue should be treated with the utmost urgency; at the very least we should be notified about any security problem so we can take the necessary action.


 

This fix will

 

- clean/reinstate smarty, smarty caches, upload and download folders, footer.tpl

- modify the existing code to make it more secure

- restrict access for everyone to download folder

- remove malicious her.php file

- and finally remove itself (note that this is slightly different from step 5 of Mike's instructions but does not matter, just disregard the 2nd part of step 5)

 

 

Could you give us some more details, which files are modified in the existing code by this fix?

How is access restricted to the download folder?


Hello, I also still have problems. I followed the instructions, changed all the passwords and also deleted herfix afterwards.

The browser shows that the malware within the website is sent by bestburjobah.com

 

The errors are

 

Webpage error details

 

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.3; chromeframe/13.0.782.215; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; eSobiSubscriber 2.0.4.16; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; Tablet PC 2.0; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET4.0C)

Timestamp: Wed, 24 Aug 2011 07:09:12 UTC

 

 

Message: Object doesn't support this property or method

Line: 83

Char: 136

Code: 0

URI: http://theshopdomain.com/js/jquery/jquery-1.4.4.min.js

 

 

Message: Object doesn't support this property or method

Line: 35

Char: 3

Code: 0

URI: http://theshopdomain.com/themes/prestashop/js/tools/treeManagement.js

 

It seems that it is a bigger problem

 

What should I do?


I applied the herfix.php update but I did not change the password in the settings.inc.php file. I did, however, change my database password. The reason I did not change the password in settings.inc.php is that if I change it I am not able to run the herfix.php file; it prompts a message stating there is no database link.

 

Should I ignore this and not change the password in settings.inc.php? For your information, I'm still able to access my database with my new password.


herfix.php doesn't work for me?

 

I uploaded herfix.php, opened the link, and it's still the same???


My host keeps a full backup of my site every 24 hours (I think). Is it worth asking them to restore the backed-up store in place of this infected one?

 

I am not sure I have the ability to make these changes. I'm sure it's easy for some, but I have no experience in this sort of thing.

 

I don't have a smarty_v2 folder, and there is a .php file with a very long name in the upload folder. It has the date 23/08, time 15:30.


I had this, but try clearing your browser cache and your site cache, and double-check the password as it's case-sensitive.

I have another problem:

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'lavandula_v2'@'localhost' (using password: YES) in /home/lavandula/domains/lavandulashop.com/public_html/classes/MySQL.php on line 34

Link to database cannot be established.

 

I have changed the password in settings.inc.php.


On our site, I had commented out all of the feeds from Prestashop, as they are far too "In your face".

Perhaps an idea would be to allow admins to turn this feature off if they do not want it?


Hello, I have got a new problem.

 

Webpage error details

 

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.3; chromeframe/13.0.782.215; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.1; eSobiSubscriber 2.0.4.16; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; Tablet PC 2.0; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET4.0C)

Timestamp: Thu, 25 Aug 2011 08:33:24 UTC

 

 

Message: Object doesn't support this property or method

Line: 83

Char: 136

Code: 0

URI: http://myshopsdomain.com/js/jquery/jquery-1.4.4.min.js

 

 

Message: Object doesn't support this property or method

Line: 35

Char: 3

Code: 0

URI: http://myshopsdomain.com/themes/prestashop/js/tools/treeManagement.js

 

THE NEXT ONE IS NEW

Message: Exception thrown and not caught

Line: 14

Char: 17109

Code: 0

URI: http://ajax.googleapis.com/ajax/libs/dojo/1.5/dojo/dojo.xd.js


This is a very BIG problem.

 

A lot of people use the PS distribution for work, and compromising a lot of stores only to send text messages from the PS website is very ******.

 

I'm sorry, but I have closed access to the prestashop.com website for all my store websites on my server; on the next installation of PS I'll check if everything works well without the connection to the prestashop website.

 

I've used iptables to block all inbound and outbound connections to and from prestashop.com.

 

Under Unix, using iptables:

 

iptables -A INPUT -s 213.186.52.66 -j DROP

iptables -A OUTPUT -d 213.186.52.66 -j DROP


When I go to the herfix.php page I get the error

 

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting ')' in /home/mymumsfa/public_html/shop/herfix.php on line 3125

 

I've tried with Chrome, Firefox and IE and still get the same message. Any suggestions please?!


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you


Are we going to see this security vulnerability reported on various websites like Secunia (http://secunia.com/advisories/product/20395/) so that people who look there can find out that there was a vulnerability in PrestaShop? Regardless of whether the actual hole was on your website or not, it STILL affected your customers' shops and should therefore be reported.


Also, what does herfix.php actually do - I see reports in this forum that if you're not affected by the issue, then it means you will not be affected in the future -- however, running herfix.php on my store and diffing the new file(s) against the ones in our VCS doesn't show any changes.


Can anyone help me locate and remove the links to 'jokelimo.com' on my shop, please?

 

Thank you


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you

 

 

Did you clear your cache on your browser before revisiting the site?


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you

 

 

Did you clear your cache on your browser before revisiting the site?

 

Yes have cleared cache in the browser and on the website (themes cache and smarty cache)

 

Now I have the red screen only on my PC (from my IP, which is enabled for shop maintenance).


My Host has just recovered the store from 21st August, but when I check the upload folder there is a file called 6c96ae82728326784f4def6dfc240ab2.php which has the date 23rd August. Does this mean all backups have been infected?


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you

 

 

Did you clear your cache on your browser before revisiting the site?

 

From Phrasepot's post earlier; perhaps PM him for more info:

 

For those who still receive warnings after applying the fix, it may be a caching issue: the affected version of the page may be cached by your browser, by your downstream provider, by your PrestaShop installation or by any machine in between. It does not necessarily mean your website is still infected. Also, some anti-virus programs are overeager, and once a website is caught with dangerous code you are warned at subsequent visits to the website even if it was cleaned.


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you

 

 

Did you clear your cache on your browser before revisiting the site?

 

From Phrasepot's post earlier; perhaps PM him for more info:

 

For those who still receive warnings after applying the fix, it may be a caching issue: the affected version of the page may be cached by your browser, by your downstream provider, by your PrestaShop installation or by any machine in between. It does not necessarily mean your website is still infected. Also, some anti-virus programs are overeager, and once a website is caught with dangerous code you are warned at subsequent visits to the website even if it was cleaned.

 

Have asked my friend from a different IP to go on the website, and same result; Norton antivirus says 'attack blocket website toolkit 5'....

 

Any suggestions?


Is it possible to do a fresh install and use the old database? (products,...)


From reading other replies, I have a feeling my site isn't infected, but I have the .php file and my smartyv2 folder is missing. I get no warnings when I visit the site on either Chrome or Firefox.


From reading other replies, I have a feeling my site isn't infected, but I have the .php file and my smartyv2 folder is missing. I get no warnings when I visit the site on either Chrome or Firefox.

 

If you have the her.php file and a missing smartyv2 folder, apply the fix. All 1.4.x versions should preventively apply the fix anyway.

 

 

For the users who still have a warning message, check that you clear the cache in /tools/smarty/cache and /tools/smarty/compile as well and your browser cache too.

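A quick way to check a shop for the indicators this thread keeps coming back to (a PHP file other than index.php in upload/ or download/, her.php in modules/, a missing tools/smartyv2 folder, and leftover files in the Smarty cache and compile folders). This is an added example, not code from the thread or from PrestaShop; the shop path argument and the constructed sample file names are assumptions.

```shell
#!/bin/sh
# Added example: report the compromise indicators discussed in this thread
# for a PrestaShop 1.4 install rooted at "$1". Nothing is deleted; the exit
# status is the number of indicators found (0 = none of them present).

check_shop() {
    shop="$1"
    findings=0

    # 1. A PHP file other than index.php in upload/ or download/ (the thread
    #    reports a long, hash-like 32-hex-character name).
    for dir in upload download; do
        [ -d "$shop/$dir" ] || continue
        for f in "$shop/$dir"/*.php; do
            [ -e "$f" ] || continue            # glob matched nothing
            if [ "$(basename "$f")" != index.php ]; then
                echo "INDICATOR: unexpected PHP file $f"
                findings=$((findings + 1))
            fi
        done
    done

    # 2. her.php dropped at the root of modules/
    if [ -f "$shop/modules/her.php" ]; then
        echo "INDICATOR: modules/her.php present"
        findings=$((findings + 1))
    fi

    # 3. tools/smartyv2 removed (users in the thread report it missing)
    if [ ! -d "$shop/tools/smartyv2" ]; then
        echo "INDICATOR: tools/smartyv2 folder is missing"
        findings=$((findings + 1))
    fi

    # Not counted as an indicator, but compiled/cached templates can keep
    # serving the injected markup after the fix, so list what is still there.
    for dir in tools/smarty/cache tools/smarty/compile; do
        if [ -d "$shop/$dir" ]; then
            n=$(find "$shop/$dir" -type f ! -name index.php | wc -l | tr -d ' ')
            if [ "$n" -gt 0 ]; then
                echo "NOTE: $n file(s) in $dir; clear this folder after applying the fix"
            fi
        fi
    done

    return "$findings"
}

# Stand-alone use: sh check_shop.sh /path/to/shop ; echo "indicators: $?"
if [ $# -gt 0 ]; then
    check_shop "$1"
fi
```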

Every time I refresh the website (Ctrl+F5), a file is created in the Smarty cache directory:

 

blockcategories^1_1_0_0^f3840cbffca8176836b033c3d0f0244ee959fd4b.blockcategories.tpl.php

 

Every time I click on Categories, more files are created in the cache....

 

Is it OK?


Hi torchia,

 

Yes, it is normal.

 

Did you apply the fix and follow the guide? Did you clear all the cache folders? Still the warning message?


Hello

 

My store has been affected by the hack and fixed. Do I also need to change my payment module passwords (PayPal, Moneybookers...)?

 

Thanks


Hi torchia,

 

Yes, it is normal.

 

Did you apply the fix and follow the guide? Did you clear all the cache folders? Still the warning message?

 

Still the same.... :(


Guys, have done all procedures, now have even disabled the shop, but Google has picked up:

 

Warning: Something's Not Right Here!

www.myshop.co.uk contains content from jokelimo.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found that malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?

We have already notified jokelimo.com that we found malware on the site. For more about the problems found on jokelimo.com, visit the Google

 

Please HELP!

 

Thank you

 

 

Did you clear your cache on your browser before revisiting the site?

 

From Phrasepot's post earlier; perhaps PM him for more info:

 

For those who still receive warnings after applying the fix, it may be a caching issue: the affected version of the page may be cached by your browser, by your downstream provider, by your PrestaShop installation or by any machine in between. It does not necessarily mean your website is still infected. Also, some anti-virus programs are overeager, and once a website is caught with dangerous code you are warned at subsequent visits to the website even if it was cleaned.

 

Have asked my friend from a different IP to go on the website, and same result; Norton antivirus says 'attack blocket website toolkit 5'....

 

Any suggestions?

 

I found this on the Norton site; it seems like it might pass in time:

 

The Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs to install malware. When a new exploit is discovered a signature is created and distributed as quickly as possible in order to provide immediate protection. After this initial signature is released refinements are made to perfect a new signature that is smaller and more efficient. Because there is an increased likelihood of false positives, the revised definition is first released as a test signature. When one of these test signatures is triggered it is reported back to Symantec as an IPS Detection Statistical Submission. These submissions help Symantec fine-tune the accuracy of the detections. Once testing is completed, the initial signature will be replaced or updated with the improved version. While testing is in progress you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack. A statistical submission alone without a corresponding IPS action would indicate a false positive.


From reading other replies, I have a feeling my site isn't infected, but I have the .php file and my smartyv2 folder is missing. I get no warnings when I visit the site on either Chrome or Firefox.

 

If you have the her.php file and a missing smartyv2 folder, apply the fix. All 1.4.x versions should preventively apply the fix anyway.

 

 

For the users who still have a warning message, check that you clear the cache in /tools/smarty/cache and /tools/smarty/compile as well and your browser cache too.

 

 

I don't see a cache folder or a compile folder in the smarty folder.

 

I uploaded herfix.php via FTP, then loaded ../herfix.php, and still get the same warning.

 

Deleted herfix.php; nothing happened.

 

Help?


Hi randori,

 

The full path is tools/smarty/cache and tools/smarty/compile.

 

You do not have these folders?


When I go to the herfix.php page I get the error

 

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting ')' in /home/mymumsfa/public_html/shop/herfix.php on line 3125

 

I've tried with Chrome, Firefox and IE and still get the same message. Any suggestions please?!

 

Any suggestions as to whether the herfix.php patch has worked?


Hi,

 

Have followed all procedures again: deleted all unnecessary files from the cache in Smarty, Smartyv2, Themes, Compile...

 

Have changed DB passwords, Admin passwords, Payment Module passwords....

 

Downloaded herfix.php, ran it once again, deleted all cookies and cache from browsers and...

 

IT IS WORKING! Looks like the website is back in business :) (fingers crossed)

 

Thank you for your help guys!


When I go to the herfix.php page I get the error

 

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting ')' in /home/mymumsfa/public_html/shop/herfix.php on line 3125

 

I've tried with Chrome, Firefox and IE and still get the same message. Any suggestions please?!

 

Any suggestions as to whether the herfix.php patch has worked?

 

Sorry to pester the board, but does anyone have any idea why I get this parse error using the same herfix.php code? Really stumped!


Hi randori,

 

The full path is tools/smarty/cache and tools/smarty/compile.

 

You do not have these folders?

 

As you can see in the attachment, I don't have those folders :/


Your line 3125 should end with:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');

Check if it does; it's a very long line!


Your line 3125 should end with:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');

Check if it does; it's a very long line!

 

Blimey, that is a long line; mine ends with

IidpZiciOwogICAgICAgICAgICAkX2Vycm9yX21zZyAuPSAnIHN0YXRlbWVudCByZXF1aXJlcyBhcmd1bWVudHMnOyAKICAgICAgICAgICAgJHRoaXMtPl9zeW50YXhfZXJyb3IoJF9lcnJvcl9tc2csIEVfVVNFUl9FUlJPU

 

Any suggestions?


Kevin229,

 

Can you redownload and reupload the fix and try again?

 

Hi, I've tried that twice already, with no joy :-(


Apart from the user passwords and the DB password, is it necessary to change any other passwords, like the PayPal module? Is there any way to check (online scan, Firebug?) if the malicious code is still there? Just to be 100% sure the patch worked.


 

Hi, I've tried that twice already, with no joy :-(

 

Could you give us your PHP version? Thanks.

 

 

Apart from the user passwords and the DB password, is it necessary to change any other passwords, like the PayPal module? Is there any way to check (online scan, Firebug?) if the malicious code is still there? Just to be 100% sure the patch worked.

 

Hi Mister Denial,

 

I have asked a developer, and it should not be necessary to change the passwords of your modules.

 

If you had no error message while applying the fix, there is no reason to think it did not work.

 

But to reassure you, you can check your website at http://www.urlvoid.com/, for example.


 

Hi, I've tried that twice already, with no joy :-(

 

Could you give us your PHP version? Thanks.

 

 

Hi, it's PHP Version 5.3.6


Hi randori,

 

The full path is tools/smarty/cache and tools/smarty/compile.

 

You do not have these folders?

 

As you can see in the attachment, I don't have those folders :/

Those folders were deleted by the exploit along with the smartyv2 folder. Mine reappeared later though, probably by enabling force compile. I am not sure though.


Hi,

 

If you still have a problem applying the patch, please contact me by private message with your FTP details (URL, login and password).
