Malware in Database Trojware.js.Iframe.of 396209225

[hanisnl]

By total luck, when moving a prestashop website form one domain to another, in the database, i found a trojan :  Trojware.js.Iframe.of 396209225 .

This was just a line of code, the file was hosted on some server .

Location of trojan was found in the database, in _connections table :
http://176.126.202.156/language/Swedish$%7BIFS%7D&&echo$%7BIFS%7DjkHJ%3EUuWT&&tar$%7BIFS%7D/string.js

I did edit and remove that line, but I have NO idea how it got there .

What can I do to further investigate the situation ? Are there any plugins to help me out and plugins to protect the website from future incidents ?

Thank you !

[razaro]

Hi sorry to hear you got that trojan, bit strange.

 

Have you seen https://www.prestashop.com/forums/topic/544579-major-security-issues-with-few-modules-and-themes/ Warehouse theme

from ThemeForest and some others that use similar modules had issues with hacks.

 

You can try to scan files on server like DH42 says in his artickle there. or download whole site to your computer

and scan with anti-virus and anit-malwere. Also note you should doubole check your own computer or any that have access 

to your server.

 

Also do check any module you installed recently, and it is bit strange to have that in connection table.

 

For module can recomend this one [Module] PrestaVault Malware | Trojan | Virus Protection but your site must be clean.

It follows and warn on any file change, really good to have.

[tuk66]

By total luck, when moving a prestashop website form one domain to another, in the database, i found a trojan :  Trojware.js.Iframe.of 396209225 .

 

This was just a line of code, the file was hosted on some server .

 

Location of trojan was found in the database, in _connections table :

http://176.126.202.156/language/Swedish$%7BIFS%7D&&echo$%7BIFS%7DjkHJ%3EUuWT&&tar$%7BIFS%7D/string.js

 

I did edit and remove that line, but I have NO idea how it got there .

 

What can I do to further investigate the situation ? Are there any plugins to help me out and plugins to protect the website from future incidents ?

 

Thank you !

 

Forget it. There can be no trojan in the ps_connections table. This table contains only logs about connections. Nothing else.

[hanisnl]

Thank you for the answer .

At this point I did scan the files and the sql in my localhost . The trojan was just in the database and I can not find any infected files .

I did install Cloudflare in the meantime hoping that this can add a layer of protection to the website .

Any other suggestions are very welcomed .

[hanisnl]

Forget it. There can be no trojan in the ps_connections table. This table contains only logs about connections. Nothing else.

It's clearly an injection of some sort ... I can not ignore the situation ... also I just found an email from Google on that domain since a few days ago telling me that impersonating is not ok and I'm sure it's related to this issue .

[razaro]

Really strange, only maybe if it is http_referer field in ps_connection table.

 

But not sure how that would display on front office. Maybe some last visitor module

for front office.

[PrestaHeroes USA]

It's clearly an injection of some sort ... I can not ignore the situation ... also I just found an email from Google on that domain since a few days ago telling me that impersonating is not ok and I'm sure it's related to this issue .

 

1. Change all FTP passwords
2. Verify that folders are 755 files 644 and .htaccess is 664.
3. Verify permission group owner is your domain
4. make sure you computer has up to date anti-virus
5. using ftp or other method, put you shop  files on your computer, good antivirus is going to detect at that time, but you may need to run against the files
6. if antivirus detects infected file, then replace with non infected, for native PS you can download your version of ps,  see top of this nav  bar here to find download section

This module works very well with clean shop that will back up your shop files and alert you when change detected.  You then have option to restore the change to repository file or commit the change.

 

https://www.prestashop.com/forums/topic/294459-free-module-admin-alerts-email-for-new-customer-registration/

 

Regardless if you are actually hacked, the module  will let you  sleep better,  lol.

[hanisnl]

 

1. Change all FTP passwords
2. Verify that folders are 755 files 644 and .htaccess is 664.
3. Verify permission group owner is your domain
4. make sure you computer has up to date anti-virus
5. using ftp or other method, put you shop  files on your computer, good antivirus is going to detect at that time, but you may need to run against the files
6. if antivirus detects infected file, then replace with non infected, for native PS you can download your version of ps,  see top of this nav  bar here to find download section

This module works very well with clean shop that will back up your shop files and alert you when change detected.  You then have option to restore the change to repository file or commit the change.

 

https://www.prestashop.com/forums/topic/294459-free-module-admin-alerts-email-for-new-customer-registration/

 

Regardless if you are actually hacked, the module  will let you  sleep better,  lol.

 

As I said in the original post ... before I posted this, I did download the files and the sql database and scanned the files .

 

The only thing that I could find was the line in the database to a file that was NOT hosted on the websites server .

 

The thing that I can NOT figure out is how did someone inject that, using what module or what html form .. that's my current problem .

 

Thank you anyway for the answer .

[hanisnl]

After reading a lot about the Prestashop database I tend to give 5 points to user tuk66 .

I ended up cleaning the following tables : _connections / _connections_source

All is great now .