Antoine F

Major security issues with few modules and themes.


Hello everyone,

 

The last few weeks have seen security issues arise in the PrestaShop ecosystem, due to serious flaws in some popular modules and themes. The latest versions of PrestaShop have no known security issues.

 

We’ve created this thread to centralize the current available information. Feel free to share your tips, and most importantly: UPGRADE YOUR INSTALLATION!

Make sure your modules and your theme are up to date! And if you can, upgrade PrestaShop to the latest and safest version: PrestaShop 1.6.1.6.

 

 

The Warehouse theme

Warehouse is a very popular theme, sold through the ThemeForest marketplace (not available on PrestaShop Addons). But while the latest version (3.8.1, released July 19th) is safe, older versions have modules which contain a serious security flaw.

 

The initial security fix was released on June 18th, with version 3.7.7. The initial issue was with the theme’s own Image Banners module.

 

Other modules included with the Warehouse theme appear to be problematic. In all, the community has given feedback about the following Warehouse-included modules:

 

  • Simpleslideshow

  • Columnadverts

  • Homepageadvertise

  • Productpageadverts

 

The author has quickly released issues, and also posted a thorough article on how to check your store and clean it, and contacted the people who bought this theme.

 

Community member Lesley Paone, from Dh42, has published his own article, which includes a hotfix script to help you clean your installation. Here are their recommendations once you've cleaned your installation.

 

 

Problematic modules

The community also gave us feedback about the following modules:

 

  • Advancedslider

  • Attributewizardpro

  • Columnadverts

  • Homepageadvertise

  • Homepageadvertise2

  • Productpageadverts

  • Videostab

  • vtermslidesshow

 

While we can’t confirm that all of them are related with these issues, you should double-check your store and see if you use the latest version of each of these modules.

 

 

Attribute Wizard Pro module

The community-created Attribute Wizard Pro module was found to be flawed. It has been fixed by the author on July 9th, and we strongly advise you to update yours to its latest version, v1.7.14.

 

 

VTEM Slideshow module

The community-created VTEM Slideshow module also suffers from a serious security flaw. We currently have no way of knowing whether it has been fixed or not.

 

 

Abandoned Cart Reminder Pro module

An Addons-created module was found to be vulnerable, and was fixed last week. It was taken offline by the Addons team as soon as we learned about the issue, and is back online now that it is fixed.

 

In addition to that, Addons customers who bought the module received an e-mail notification about the security optimization.

 

 

Send to a Friend module

While not a security issue per se, the native Send to a Friend module, which is included in every version of PrestaShop, was recently found to have an issue which allowed malicious people to spam e-mail addresses using the store's web server.

 

The issue was fixed thanks to a community member, and a safe version is available since June 2016. The community member in question wrote about it this week.


Advanced Theme Configurator & Css Magician modules
As soon as the security fail was discovered, both modules were immediately removed from sale. Then their security update was uploaded. The developer confirms in his message that normally all buyers of these two modules were informed by email. It was strongly recommended to do the upgrade.

If you need more information, feel free to contact him.

 

 

Fieldthemes
One of our ambassadors informed us about critical issues concerning these themes. To get more information, we suggest you check this blog article.

 

 

How PrestaShop Addons reacted

The Addons team takes security very seriously -- we even have a team member solely dedicated to security.

 

All modules (even module updates) submitted to Addons must pass the PrestaShop Validator automated tests, and Addons developers also check on new modules to make sure they work safely.

 

Even so, sometimes bad code passes our automatic and human filters: that's what happened with the Abandoned Cart Reminder Pro module above. Luckily, our community has our back and warned us.

 

We have a process for when we learn of a security issue in a module or a theme:

 

  1. Put it offline from Addons.

  2. Contact its developer about it.

  3. Wait for the developer to fix the issue and release a new version on Addons.

  4. Put the addon back online with the issue fixed.

  5. Contact all the Addons customers who bought the addon, warning them to update their store’s module.

 

This is exactly the process we followed. A batch e-mail was sent this week, advising customers to update their installation of the Abandoned Cart module.

 

To prevent further issues, we have taken offline some modules that seem to present the same issue, and we have strengthened our security process.

 

 

What you can do

Even if there are no recent security updates concerning your theme or modules, we advise you to check if you are infected or not.

 

In short: if you have the Warehouse theme or any of the modules listed above, DO UPGRADE THEM. Contact their respective authors if you need to: we listed their website or product sheet above.

 

The tricky part is that every site is different: the security flaws are mostly the same, but each hacker has his own set of files to upload. Hence, cleaning up an infected store cannot be done automatically: the most secure way is to rely on a recent backup of your files.

Moreover, listing the flawed files would be giving too much information for potential hackers…

 

We did hear of a hack which replaced the /controllers/admin/adminLoginController file with its own, or another which edits the paypal, so even though no new file has been uploaded, your site will be more secure if you use a backup (or if you upgrade to the latest version of PrestaShop).

You can check the last modification date of your files using an FTP client, such as Filezilla, but this will take hours...

The only fail-proof ways to get your site back to security are

  • to restore a pre-hack backup.
  • to delete ALL FILES and start from a clean slate: use the files from the PrestaShop archive.

On top of cleaning up your files (or replacing them with a recent backup), what you should do in case of a confirmed infection is:

  • Change your back office password, and that of other admin accounts. Check the Employee page to make sure no new employee has been created.

  • Change your SQL password.

  • Change your FTP password.

  • Change your banking/payment modules' usernames and passwords if you use any (PayPal, Atos, PayBox, etc.).

  • Replace your important modules with the latest version from Addons or from the original developer.

  • Change any other identification to any service.

 

We hope your site is safe and sound.


Edit: added the Advanced Theme Configurator and Css Magician modules. Thanks to Vinum for sharing this information.
Added the Fieldthemes issues.

Edited by Antoine F
Added new information.
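To make the clean-slate advice above workable without hours of FTP date checks, here is an added example (not code from the post or from PrestaShop) that hashes a live shop tree and diffs it against an unpacked clean PrestaShop archive, so dropped files such as up.php and altered core files such as AdminLoginController.php surface regardless of timestamps. The trees built in demo() are constructed samples; their paths and contents are placeholders.

```python
"""Diff a live PrestaShop file tree against a clean reference tree.

Added example, not code from the post or from PrestaShop. Hashing every
file and comparing with the unpacked archive of your exact version finds
dropped files (a stray up.php) and altered core files (an edited
AdminLoginController.php) regardless of timestamps, which attackers can
reset. demo() builds constructed sample trees; point check_tree() at the
archive and a copy of your shop for real use.
"""
import hashlib
import os
import tempfile

# Only generated cache is skipped. Image and upload folders stay in scope
# on purpose: posters in this thread found scripts dropped in image folders.
IGNORED_DIRS = {"cache"}
EXEC_EXTS = {"php", "phtml", "php5", "phar"}


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def check_tree(reference, live):
    """Classify files in `live` against the clean `reference` tree:
    added (live only: dropped scripts, but also your own product images),
    modified (same path, different content: backdoored core or module),
    missing (reference only: attackers sometimes delete index.php guards)."""
    ref, cur = hash_tree(reference), hash_tree(live)
    return {
        "added": sorted(p for p in cur if p not in ref),
        "modified": sorted(p for p in cur if p in ref and cur[p] != ref[p]),
        "missing": sorted(p for p in ref if p not in cur),
    }


def suspicious_added(report):
    """Added files carrying a server-executable extension anywhere in the
    name, to triage first. Double extensions such as hous.php.png count:
    some handler configurations still execute them."""
    hits = []
    for path in report["added"]:
        exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
        if EXEC_EXTS.intersection(exts):
            hits.append(path)
    return hits


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build constructed clean and compromised trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, shop = os.path.join(tmp, "clean"), os.path.join(tmp, "shop")
        core = {  # a few stand-ins for files the archive ships
            "index.php": "<?php require 'config/config.inc.php';\n",
            "controllers/admin/AdminLoginController.php": "<?php class AdminLoginController {}\n",
            "modules/blockcart/blockcart.php": "<?php class BlockCart {}\n",
            "img/index.php": "<?php header('Location: ../'); exit;\n",
        }
        for rel, body in core.items():
            _write(clean, rel, body)
            _write(shop, rel, body)
        # Constructed compromise mirroring what posters describe: a dropped
        # uploader, an altered login controller, a double-extension file in
        # a module upload folder, plus one legitimate product image.
        _write(shop, "up.php", "<?php /* constructed placeholder */\n")
        _write(shop, "controllers/admin/AdminLoginController.php",
               "<?php class AdminLoginController {} /* altered */\n")
        _write(shop, "modules/blockcart/uploads/hous.php.png", "placeholder\n")
        _write(shop, "img/p/1.jpg", "not really a jpeg\n")
        report = check_tree(clean, shop)
        return report, suspicious_added(report)


if __name__ == "__main__":
    rep, hits = demo()
    for kind in ("added", "modified", "missing"):
        for p in rep[kind]:
            print(f"{kind:8s} {p}")
    print("triage first:", hits)
```

On a real shop the "added" list will contain every product image you ever uploaded, so start from suspicious_added() and only then read through the rest.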


Thanks for the info and thanks to iqit  for such a comprehensive guide.

 

I'd highlight having a correct backup policy, and also some module to check modifications (like El Patron's one). I'm into one big hacking and they have done practically everything described in iqit's guide (the PayPal one; they have modified some index.php; in some image folders there are scripts, etc.) and they don't have any clean backup.

 

 

Make sure you have scheduled backups performed on your website. You should have scheduled backups for files and for the database. For example it is good to have:

  • 4 x weekly backups (or at least one)
  • 4 x monthly backups (or at least one)
  • Daily backups



 

Thanks for the mention of the module; I wrote this after my own shop was hacked several years ago: [Module] PrestaVault Malware | Trojan | Virus Protection. It of course assumes you have a clean shop to start.

 

Yes, back up, back up, back up! I feel comfortable having a 10-day window of backups from hosting. I don't recommend module backup/restores because a shop can become non-functional, i.e. module backup/restore may not work.

 

Happy day, el


VTEM Slideshow module

All PrestaShop users must delete this module a.s.a.p.

My customer's site was hacked through this module last month. I did not install it; the customer installed it himself. Of course, how would he know this module has an upload.php with security issues?

This module has an upload.php, and this file uploads everything, including .php files too.

 

thanks for information


Hello

 

I have security issues too with my PrestaShop 1.5.6.2.

Since mid-July, a hacker has been trying to put files on my installation.

He uploads a file 'up.php' to my root folder that changes /root/controlers/admin/adminlogincontroller.php.

He can access the back office and extract emails from the DB. After that he also uploaded a script under /root/module/hone-cgi that redirects to an old PayPal form to force all my customers to send money.

I have attached all the files here. I don't know how to fix that, but it comes from a PrestaShop security problem.

 

 

 

 



I've had a similar problem a few days ago.

I've sorted the files by last modified date and deleted the infected ones.

Next I've identified the vulnerable modules from the store and fixed them.

Then I've changed the database and back office passwords for safety.

Everything looks stable now.



It's exactly the same problem.

How did you identify the infected modules?

Because once I delete the files on my FTP (I have changed the password twice), they come back.

I need to log in every day to delete them.

Thanks for your feedback!



I've started making a list with recently added modules, I had a list of 4 modules. Then I've inspected them and noticed that one of them had a php file uploader, this was the security flaw. The module was Cart Abandonment Pro v1.6.11.

Usually the unsecured file upload forms are the big issue. You have to check each module to see if it has a file upload form and see if it has something wrong.



I think that a lot of people of these lack of security according to the prestashop team.

 

I don't have this module... And it's exactly that: it's an upload form on the FTP...

Do you remember the name of the file that was uploading stuff?

How can they access the FTP to put the up.php file there?

 

Thanks



As I've already mentioned, some modules have a file form uploader (for example images for the banners, sliders).

Those forms do not have an extension security filter and that's the issue, hackers can upload .php or other extension files and gain control over the files on the server.


The lack of security was coming from the attribute wizard pro.

 

Hackers can upload php script on the product page.

 

I just fixed that with Tomer yesterday.

All was good this morning.

The script modified the admincontroller.

The hack controller is here: [LINK REMOVED]

Be careful, it's very dangerous!


I can confirm the VTEM Slideshow FREE VERSION was vulnerable. I was not using it but the folder was not deleted, and in spite of updating the modules from the Warehouse theme the hackers kept putting files in my root folder which provided access to the entire server folders. I used some presence of mind and remembered this module, and after deleting it the behaviour stopped.

 

I really urge people to delete all unused modules from the server completely.


Hi there, 

 

I do not use this Theme or any of the listed modules, I'm on a stock prestashop-bootstrap theme with 1.6.1.3 and I did have multiple hack attempts today, similar to mentioned above.

More clearly, here is the relevant part of the log:
POST /boutique/index.php controller=manufacturer//modules/simpleslideshow/uploadimage.php 80 - 104.197.130.104 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.31+(KHTML,+like+Gecko)+Chrome/26.0.1410.63+Safari/537.31

He tried 3 times, but his script was intercepted these 3 times and deleted.

He then tried to launch it later anyway by:

GET /boutique/index.php controller=manufacturer//modules/simpleslideshow/slides/ls.php?bajak 80 - 104.197.130.104 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6

In the end, all he got was 404 errors, and now he is forbidden for life, but I know other IPs will come soon.

My question is: how come he can do this trick if we do not have this module at all (simpleslideshow)?

I guess he is using a PrestaShop vulnerability in 1.6.1.3. What about something related to the manufacturer controller, as the log says?

 

Please confirm, that would help a lot of users, I guess.

 

By the way, I will update to 1.6.1.6 asap.

 

In advance, thank you for your reply.



Delete this module - and block the ip with HTACCESS ;)


But, as mentioned above, I do not use this module and it is not even installed at all (no such folder or files).

My message is more to highlight a vulnerability somewhere else, related to 1.6.1.3, as I do use this version with the stock theme.


I have a problem with a virus: when I try to enter the dashboard, at Modules, Kaspersky reports this as phishing:

/index.php?controller=AdminModules&token=1f3bafd53c49abc95d0c46a4a74e20bb;

Yesterday I thought I had cleaned the virus as I deleted up.php from the server, but today it's the same again.

I don't know what to do, can you help me please?
 


I have several PrestaShop sites and my anti-virus (Kaspersky) is giving a phishing warning and I would like to know if it is genuine or a false positive. Note detection is by heuristic analysis.

 

The warning occurs in the back office of multiple sites (possibly every site although I haven't checked them all) and is notable that it occurs when I try to open the modules section (screenshot attached).

 

Note that none of the modules or themes listed as problematic are installed and I get the warning with shops that are almost brand new installs of 1.6.1.7 (just a few weeks old) and shops that have been upgraded to the latest version today (1.6.1.7).

 

So is this something that I should be worried about or not?

Edited by Ryan_Glass


Finally, someone like me, who did not have any of these modules or themes, got attacked too.

As I stated earlier in this thread, someone tried to drop php files in the folder modules/simpleslideshow/ even though I do not have this module at all; I use stock PrestaShop + the stock theme.

The hacker/bot used this: POST /boutique/index.php controller=manufacturer//modules/simpleslideshow/uploadimage.php
It dropped 3 php files, which went to some tmp folder and then got stopped by the antivirus.

IMO, this is related more to a hole in PrestaShop. Anyway, I upgraded from 1.6.1.3 to 1.6.1.7 and I haven't noticed such activity anymore, yet.

I hope to get a more dedicated answer from the PrestaTeam than previously, where sadly my post was not read correctly, if read at all, as the answer made no sense :(

Note to Ryan_Glass: getting this from Kaspersky may mean that your shop is already infected. Double-check your files for suspicious names, and also go to Advanced Parameters / Information to check for modified files.

Edited by JSSSX


Thanks for the advice. I have checked for modified files and had two results:

 

adminxxx/autoupgrade/index.php

 

sitc-backoffice/autoupgrade/backup/index.php

 

Nothing obviously malicious to be seen - here is the code:

 

<?php
// Stock PrestaShop directory guard: forbid caching, then send the
// visitor one level up so directory contents are never listed.
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

header("Location: ../");
exit;
 


Hello,

After some pages could not be found in my statistics, I just noticed this in my log files:

 

185.7.215.163 mydomain.com - [15/Oct/2016:11:47:43 +0200] "POST //modules/columnadverts//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:43 +0200] "GET ///modules/columnadverts//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:44 +0200] "GET ///modules/columnadverts//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171799 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:45 +0200] "POST //modules/soopamobile//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:45 +0200] "GET ///modules/soopamobile//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:45 +0200] "GET ///modules/soopamobile//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171937 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:47 +0200] "POST //modules/soopabanners//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:47 +0200] "GET ///modules/soopabanners//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:47 +0200] "GET ///modules/soopabanners//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 172028 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:49 +0200] "POST //modules/vtermslideshow//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:49 +0200] "GET ///modules/vtermslideshow//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:49 +0200] "GET ///modules/vtermslideshow//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171869 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:50 +0200] "POST //modules/simpleslideshow//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:50 +0200] "GET ///modules/simpleslideshow//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:50 +0200] "GET ///modules/simpleslideshow//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171939 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:52 +0200] "POST //modules/productpageadverts//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:52 +0200] "GET ///modules/productpageadverts//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:52 +0200] "GET ///modules/productpageadverts//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171946 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:53 +0200] "POST //modules/homepageadvertise//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:53 +0200] "GET ///modules/homepageadvertise//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:53 +0200] "GET ///modules/homepageadvertise//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171945 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:55 +0200] "POST //modules/homepageadvertise2//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:55 +0200] "GET ///modules/homepageadvertise2//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:55 +0200] "GET ///modules/homepageadvertise2//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171644 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:56 +0200] "POST //modules/jro_homepageadvertise//uploadimage.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:56 +0200] "GET ///modules/jro_homepageadvertise//slides/hous.php?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:56 +0200] "GET ///modules/jro_homepageadvertise//slides/hous.php?up=shell?up=shell HTTP/1.1" 404 171887 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:58 +0200] "POST //modules/attributewizardpro//file_upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:58 +0200] "POST //modules/1attributewizardpro/file_upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:58 +0200] "POST //modules/attributewizardpro.OLD//file_upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:58 +0200] "POST //modules/attributewizardpro_x//file_upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:59 +0200] "POST //modules//advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:59 +0200] "POST //modules/cartabandonmentpro/upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:59 +0200] "POST //modules/cartabandonmentproOld/upload.php HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:59 +0200] "POST //modules//videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload HTTP/1.1" 301 - "-" "curl/7.49.1"
185.7.215.163 mydomain.com - [15/Oct/2016:11:47:59 +0200] "GET ///modules//cartabandonmentpro/uploads/hous.php.png?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:47:59 +0200] "GET ///modules//cartabandonmentpro/uploads/hous.php.png?up=shell?up=shell HTTP/1.1" 404 171730 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:48:01 +0200] "GET ///modules//cartabandonmentproOld/uploads/hous.php.png?up=shell HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:48:01 +0200] "GET ///modules//cartabandonmentproOld/uploads/hous.php.png?up=shell?up=shell HTTP/1.1" 404 171779 "-" "-"
185.7.215.163 mydomain.com - [15/Oct/2016:11:48:02 +0200] "GET ///modules/up.php HTTP/1.1" 301 - "-" "-"
185.7.215.163 www.mydomain.com - [15/Oct/2016:11:48:02 +0200] "GET ///modules/up.php HTTP/1.1" 404 171709 "-" "-"

 

I don't have any of these files on my server, but why are there some 301s??? I hope this will not affect anything on my side?! I don't have any of the posted modules or themes installed. I'm on PS 1.6.1.7.

 

But when I try to update to the latest PayPal module, it's not connecting to PayPal in the checkout!

 

Vivi


I've got this one too, and I don't use any of these modules or themes.
Fortunately, this bot searched on the root drive but the shop is in another folder.

Here is part of the log (he got a 404):

POST /modules/simpleslideshow/uploadimage.php - 80 - 189.89.125.52 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0 - 404 0 2 560

or

POST /modules/attributewizardpro/file_upload.php - 80 - 178.162.201.97 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0 - 404 0 2 5983

 

I'm on 1.6.1.7 but previously I was on 1.6.1.3 and the hacker/bot uploaded files even though I did not have any of these modules (but he was intercepted by the antivirus).
If this happens once again, I will really worry about PrestaShop's reliability in terms of security. Also I wonder why no one from the team replied to this earlier.

Edited by JSSSX


Also I wonder why no one from the team replied to this earlier.

 

 

That's simple. PrestaShop is not responsible for external modules that do not even respect the framework's standards. These modules are so messed up, they often include new ways to infiltrate the software and hack it from there, no matter how safe the rest of the files are. These are also often the kind of modules that cannot be found in the official Addons store, for obvious reasons. Since PrestaShop has no influence on these modules, there's not much they can do for you.
 
It's pretty common that, with open source software, you're on your own. It's both the beauty and the curse of it. Don't know if a module can't be trusted? Either don't install it or hire a security expert.


 


mdekker, you did not get it.

 

We got this attack, but we do not and never had these modules or themes, I was on a stock, unmodded, 1.6.1.3 prestashop when this happened to me and to some other users too.

 

Old log about it:

POST /boutique/index.php controller=manufacturer//modules/simpleslideshow/uploadimage.php 80 - 104.197.130.104 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.31+(KHTML,+like+Gecko)+Chrome/26.0.1410.63+Safari/537.31


1.6.1.3 prestashop

 

I have no idea how PrestaShop can help you if you are reluctant to keep your software updated.

 

What do you expect from PrestaShop?


You may have read my post like the previous one (not correctly).
I clearly said I was on 1.6.1.3 at the time of the attack and mentioned that I had already updated to 1.6.1.7, which makes your potentially angry reply senseless.

Also, I am not the kind of user still on 1.3 / 1.4 / 1.5 complaining about needed fixes; many users, if not the majority, are still not on 1.7 and not even on 1.6.1.9.

I just expected a reply related to my question, not to another one. Isn't this forum made for reporting issues and obtaining/sharing help and support?

I thought that getting these attacks without having the infected themes or modules would be important enough to report; now I know it is absolutely not important.
Thanks for your great support.

 


Ok, so you were using an older version at the time (1.6.1.3 - november, 2015).

 

Your report concerns an external module that PrestaShop has already warned against. What else do you expect from PrestaShop or the community?


Please add pk_flexmenu and pk_vertflexmenu to the list of possibly vulnerable modules:

 

213.32.78.xx - - [04/Dec/2016:13:05:01 +0100] "GET //modules///pk_flexmenu//uploads/hous.php?up=shell HTTP/1.0" 200 282 "-" "-"
213.32.78.xx - - [04/Dec/2016:13:05:02 +0100] "GET //modules///pk_vertflexmenu//uploads/hous.php?up=shell HTTP/1.0" 200 282 "-" "-"


Guys, you should actually calm down.

Just because some malicious bot or software tried to post something to your server is not the end of the world. Every website gets those "attacks". If you don't have that software installed, or you have patched it, nothing will happen. Keep your software up to date, this is the magic word. Don't use unsafe or weird sources to buy modules, and so on. The info you posted is simply PrestaShop saying: hey, somebody tried to do that, which does not mean it worked.

Edited by jetway


The above log snippet was part of the BREACH, not part of pre-scanning (but they look the same).

But at least I agree on your up-to-date strategy.

Edited by jansass


Hello,
First, sorry for my bad English.
I am the creator of the Advanced Theme Configurator and Css Magician modules.
A security flaw has been discovered.
I would first like to apologize for that security flaw in those modules.
As soon as the security flaw was discovered, PrestaShop Addons was informed.
Both modules were immediately removed from sale.
Then their security update was uploaded.
Normally all buyers of these two modules were informed by email.
It was strongly recommended to do the upgrade.
Unfortunately, it can happen that emails do not arrive or that the buyer has changed email.
I wanted to communicate about this security flaw on the forum, but I waited for the updates to be made by the customers so as not to inform the malicious people.
I am at your disposal for further information.
Best regards,


Hello everyone,
I've added the Theme Configurator and Css Magician modules to the list. Thanks to Vinum for sharing this information.

Also added the Fieldthemes issues.

 

Antoine


Hi,

 

Whereabouts are these log files located so I can detect attacks like this and see what's causing them?

Hi, Paul

To find out which files are infected, you have to access the FTP and sort the files by their changed/created date. This way you will know which files have been added recently, and there is a good chance of finding them.

Also you can check the access logs on your server. You can try to find all the ".php" files that have been accessed.

Good luck!


thanks for the reply,

 

Can you explain how to do this? "...check the access logs on your server. You can try to find all the ".php" files that have been accessed."


Usually, all hosting providers keep an access log for every website. If you are using cPanel, search for 'access log' or 'access'.

There you will find some lists with access logs grouped by months. Download and open them with a text editor.

 

Find the files with ".php" extension, because usually the attacks are made by accessing a .php file on your server.

If you find files with strange names you should check them.
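One way to automate the check described above, as an added example that is not part of the original thread: parse combined-format access log lines and flag successful requests for .php files under /modules/, which is where the module uploads and ajax scripts quoted in this thread live. The sample log lines are constructed (documentation IPs, paths modelled on the ones posted earlier), and the allow-list of legitimate module scripts is an assumption you would fill in for your own shop.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format, as downloaded from cPanel.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2016:13:04:59 +0100] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 41322 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2016:13:05:01 +0100] "GET //modules///pk_flexmenu//uploads/hous.php?up=shell HTTP/1.0" 200 282 "-" "-"
203.0.113.9 - - [04/Dec/2016:13:05:02 +0100] "GET //modules///pk_vertflexmenu//uploads/hous.php?up=shell HTTP/1.0" 200 282 "-" "-"
203.0.113.5 - - [04/Dec/2016:13:05:10 +0100] "GET /modules/blockcart/ajax-cart.js HTTP/1.1" 200 9121 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2018:21:46:51 -0300] "POST /modules/wdoptionpanel/wdoptionpanel_ajax.php HTTP/1.1" 200 68 "-" "python-requests/2.9.0"
203.0.113.5 - - [16/May/2018:21:47:00 -0300] "GET /modules/oldmod/gone.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def normalize(raw_path):
    """Split off the query string and collapse repeated slashes
    (the //modules/// spelling seen in the thread), so paths compare cleanly."""
    path, _, query = raw_path.partition('?')
    return re.sub(r'/+', '/', path), query


def suspicious_php_hits(log_text):
    """Return (ip, method, path, query, status) for every request that executed a
    .php file under /modules/ and got a 2xx answer. A 404 means the file was
    not there; a 200 for a PHP file in a module's uploads/ directory is what
    a compromised shop looks like, since legitimate modules ship no PHP there."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, query = normalize(m['path'])
        if not (path.startswith('/modules/') and path.lower().endswith('.php')):
            continue
        if not m['status'].startswith('2'):
            continue
        hits.append((m['ip'], m['method'], path, query, int(m['status'])))
    return hits


def per_module(hits):
    """Count flagged requests per module directory, so you know which module
    folders to inspect by modification date first."""
    return Counter(h[2].split('/')[2] for h in hits)


if __name__ == '__main__':
    for hit in suspicious_php_hits(SAMPLE_LOG):
        print(hit)
    print(dict(per_module(suspicious_php_hits(SAMPLE_LOG))))
```

Run it against a real log with `suspicious_php_hits(open('access_log').read())`; anything the function returns that is not a module's own front-office ajax script deserves a look at the file it points to.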


And if you are on IIS / Windows Servers, you can find the logs on DRIVE\inetpub\logs\LogFiles\

 

If you are not familiar with reading these logs, even with a good text editor (Notepad++ for example), you can use Apache Log Viewer, a tool that makes that work easier and is free to use.


Hi, Paul

To find out which files are infected, you have to access the FTP and sort the files by their changed/created date. This way you will know which files have been added recently, and there is a good chance of finding them.

Also you can check the access logs on your server. You can try to find all the ".php" files that have been accessed.

Good luck!

 

Hey Daniel, I have had a module for a long time that monitors file changes, and I think it is relevant to this posting. I wrote this a few years back after my then 1.4 module shop got hacked. I looked at different solutions and did not find any that did not require remote access to shop files and db.

 

[Module] PrestaVault Malware | Trojan | Virus | Hack Protection PS 1.5 | 1.6 | 1.7

All .tpl and .php files were deleted from the server when I clicked "Erase Cache" in the back office under Performance.


Warning: require(/customers/3/e/4/icenet.es/httpd.www/config/config.inc.php): failed to open stream: No such file or directory in /customers/3/e/4/icenet.es/httpd.www/admin027nznws6/index.php on line 43 Fatal error: require(): Failed opening required '/customers/3/e/4/icenet.es/httpd.www/admin027nznws6/../config/config.inc.php' (include_path='.:/usr/share/php') in /customers/3/e/4/icenet.es/httpd.www/admin027nznws6/index.php on line 43


Hello,

 

my web was hacked too :( I have PS 1.6.1.4 and I don't have the modules listed (except the Send to a Friend module, which I have now deleted), but I have the Vela theme from Fieldthemes. That blog link http://www.presta-[spam-filter].com/2017/03/problemi-di-sicurezza-su-prestashop/ (which is in Italian, but Google Translate helped) describes exactly what happened to me, and my hosting disabled my live shop.

 

I have some core mods, but if it helps: when I make a clean PS 1.6.1.15 install, even with the Fieldthemes theme, will it then be okay?

 

Or can I just return to a backup from before the attacks and update the modules as stated in that blog post?


Hello Everyone!!!

 

I'm Martin from FieldThemes team.

 

First of all, I do apologize for the security issues in our modules and themes.

 

Yes, it occurs in our Vmegamenu module only.

 

We have already found a solution to fix it and updated our themes which have the issue.

 

https://themeforest.net/user/fieldthemes/portfolio?ref=fieldthemes

 

If you need any help, please contact us via email fieldthemes@gmail.com

 

We are willing to help you.

 

Have a nice day!

 

Best Regards,

 

Martin

Edited by fieldthemes


So, the fieldmegamenu from Fsport is not affected?

Hi Rho_Bur,

 

Thank you for your question!

 

No, it is not affected.

 

The security issue occurs in the Ajax Upload function of our Vmegamenu module only.

 

Actually, our Fsport theme doesn't have the vertical megamenu.

 

Have a nice day!
 
Best Regards,
 
Martin


Hello people,

Just discovered on a client website a script for mining cryptocurrency.

In every theme's js/autoload a seal.js script was added, also in the theme's folder as a separate script and included in the theme's footer.

It uses the coinhive Brasil domain mining.

Didn't find yet how it got there.

So pay attention, and if your site seems slower these days, check for the above.

R.


If you use the theme

Trendy Prestashop Theme by webdziner

 

The 1.1.0 version of the wdoptionpanel module of the Trendy Prestashop theme (it is for PrestaShop 1.5.4.1, so an old one) has a security hole in wdoptionpanel/wdoptionpanel_ajax.php, so the hacker can upload whatever he wants.

On 31/10/2017 at 6:47 AM, Enrique Gómez said:

If you use the theme

Trendy Prestashop Theme by webdziner

 

The 1.1.0 version of the wdoptionpanel module of the Trendy Prestashop theme (it is for PrestaShop 1.5.4.1, so an old one) has a security hole in wdoptionpanel/wdoptionpanel_ajax.php, so the hacker can upload whatever he wants.


I confirm that. Through this file several other malicious files have been inserted into several folders.

115.89.123.121 - - [16/May/2018:21:46:51 -0300] "POST /modules/wdoptionpanel/wdoptionpanel_ajax.php HTTP/1.1" 200 68 "-" "python-requests/2.9.0"
