rotaru 10 Posted April 7, 2023 Share Posted April 7, 2023 (edited) 1 hour ago, Marcos said: And yes, the detection occurs under specific conditions. Can you be more "specific" please??? Which specific conditions???? On my PC (with NOD32) , opening hxxps://www.domainedestrottieres.com/connexion?back=https%3A%2F%2Fwww.domainedestrottieres.com%2Fcommande%3Fstep%3D1 triggers a detection each and every time. Edited April 7, 2023 by rotaru Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted April 7, 2023 Administrators Share Posted April 7, 2023 6 minutes ago, rotaru said: Can you be more "specific" please??? Which specific conditions???? On my PC (with NOD32) On 4/5/2023 at 3:54 PM, itman said: Mouse click on the shopping cart tab located in Visa/Mastercard area of the web page. On the next web page displayed, mouse click on the "Commander" button Link to comment Share on other sites More sharing options...
franck 0 Posted April 7, 2023 Author Share Posted April 7, 2023 Hello, thank you everyone, I have for the moment found and deleted the malicious code but only with a backup. I couldn't find how it happened... I will monitor the website and see if it comes back. Franck Link to comment Share on other sites More sharing options...
itman 1,760 Posted April 7, 2023 Share Posted April 7, 2023 (edited) 5 hours ago, franck said: I couldn't find how it happened... I assume this is a magecart attack: Quote What Can Merchants Do to Prevent Magecart Attacks? To reduce the risk of Magecart and other types of client-side attacks, take the following steps: Identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on your website. Ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware. Switch from third-party to first-party services – whenever possible, prefer to run software on your own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors. Implement HTTP Content-Security-Policy headers – provides an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks. Today, there are dedicated solutions that handle client-side protection and help prevent Magecart attacks. https://www.imperva.com/learn/application-security/magecart/ . Here's details on one of the recent magecart attack methods: Quote The recent attack aimed to steal sensitive information from visitors on checkout pages and forms. The attackers were able to inject a malicious inline JavaScript code into the targeted websites by exploiting a vulnerability. The skimmer used techniques such as impersonating a legitimate third-party vendor, like Google Tag Manager, and hiding the malicious code through Base64 encoding. https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager Also, this technique which is a new one: Quote To evade detection, the threat actors are now injecting malicious scripts directly into the site's payment gateway modules used to process credit card payments on checkout. As these extensions are usually only called after a user submits their credit card details and checks out at the store, it may be harder to detect by cybersecurity solutions. https://www.bleepingcomputer.com/news/security/hackers-inject-credit-card-stealers-into-payment-processing-modules/ For a starter mitigation, you need to update your php software: https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html BTW - the malware is still present on your web site which can be verified as shown here: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=165005 Edited April 7, 2023 by itman Link to comment Share on other sites More sharing options...
franck 0 Posted April 12, 2023 Author Share Posted April 12, 2023 Hello, my client informs me that the malicious code is still present, my antivirus does not detect it and I no longer have the JS code that marcos had found. is the site still infected? thanks Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted April 12, 2023 Administrators Share Posted April 12, 2023 The malware is still there and is detected. Link to comment Share on other sites More sharing options...
franck 0 Posted April 12, 2023 Author Share Posted April 12, 2023 (edited) Marcos could you give me a part of the js code ? to allow me to detect it because I have no other solution ? quttera says 0 malware ... many thanks for your help Edited April 12, 2023 by franck Link to comment Share on other sites More sharing options...
rotaru 10 Posted April 12, 2023 Share Posted April 12, 2023 5 minutes ago, franck said: quttera says 0 malware ... Out of curiosity I tested it with Kaspersky Free and BitDefender Free: both of them would detect the link as "malicious" Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted April 12, 2023 Administrators Share Posted April 12, 2023 It's the same javascript as before: Link to comment Share on other sites More sharing options...
julen 2 Posted May 19, 2023 Share Posted May 19, 2023 ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected. We're almost sure it's a false positive, Can you consider that? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted May 19, 2023 Administrators Share Posted May 19, 2023 9 minutes ago, julen said: ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected. The website is indeed infected: Link to comment Share on other sites More sharing options...
julen 2 Posted May 19, 2023 Share Posted May 19, 2023 Thank for he information. Can tell me in which file(s) found the infection? thanks in advance Link to comment Share on other sites More sharing options...
julen 2 Posted May 19, 2023 Share Posted May 19, 2023 Don't understand what is happened: I scanned the site with VirusTotal right now and the result is not the same: Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted May 19, 2023 Administrators Share Posted May 19, 2023 10 minutes ago, julen said: Don't understand what is happened: I scanned the site with VirusTotal right now and the result is not the same: You have checked if the website is blacklisted by particular security products. ESET did not blacklist the website just because malware was found there. What you should do is upload an infected file to VT. Quote Can tell me in which file(s) found the infection? You may not find the malicious code easily since it's injected runtime when specific conditions are met. I'd recommend contacting a website cleaning service such as sucuri.net. Link to comment Share on other sites More sharing options...
julen 2 Posted May 19, 2023 Share Posted May 19, 2023 Quote You have scanned the website for the presence on blacklists. What you should do is upload an infected file to VT. Site don't allow upload any file. Quote You may not find the malicious code easily since it's injected runtime when specific conditions are met. I'd recommend contacting a website cleaning service such as sucuri.net. Well, seems as fi ESET was OK, understand. So, if code is injected at runtime (let say, when js bundle is generated), Which is the responsible for this injection, I supose should be a code that resides on the site, right? I found'nt any information about this "injector" On the other hands, file scanned Administrators Posted 1 hour ago 1 hour ago, julen said: ESET detected this Trojan on the website https://cosmeticosors.com, and after scanning the server filesystem with several tools, no trace of malware was detected. The website is indeed infected: that appear as infected, has 762,67 KB. In any case the site generate a bundle with this size, so where is from the scanned file? Link to comment Share on other sites More sharing options...
itman 1,760 Posted May 19, 2023 Share Posted May 19, 2023 (edited) 2 hours ago, julen said: OK, understand. So, if code is injected at runtime (let say, when js bundle is generated), Which is the responsible for this injection, I supose should be a code that resides on the site, right? I found'nt any information about this "injector" Your web site is being injected with magecart malware. It will only manifest when an order is placed; at which time, Eset will detect the malware and block any further communication; Refer to this article for further details: https://www.bleepingcomputer.com/news/security/hackers-inject-credit-card-stealers-into-payment-processing-modules/ Additional magecart malware references posted previously in this thread; https://www.imperva.com/learn/application-security/magecart/ https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager Edited May 19, 2023 by itman Link to comment Share on other sites More sharing options...
julen 2 Posted May 21, 2023 Share Posted May 21, 2023 Well, thanks a lot for the information. Finally, found infected files and remove the malicious code. I want to congratulate ESET. It's the only antivirus application on the client side (from all aour clustomers) that detected the infection. And, most important, I want to apologize if I have defended the "false positive" option too much, the tools we have used to scan the server have confused us Once again, THANKS Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted May 21, 2023 Administrators Share Posted May 21, 2023 26 minutes ago, julen said: Finally, found infected files and remove the malicious code. Could you please share information about what files contained the malicious code that could help other users with this infection on their website? Link to comment Share on other sites More sharing options...
julen 2 Posted May 21, 2023 Share Posted May 21, 2023 Quote Could you please share information about what files contained the malicious code that could help other users with this infection on their website? Of course. Platform is Prestashop 1.7 files infected was: classes/Product.php classes/Store.php classes/Dispatcher.php classes/Hook.oho classes/Tools.php classes/controller/ModuleFrontController.php classes/controller/Controller.php classes/controller/FrontController.php classes/shop/Shop.php Best way to clean infected files is to restore them from a backup. If is not posible or not have a recent backup (!!!!!!), download Prestashop from offical site (same version) and overwrite infected files. I hope this can help other users, as Marcos says peteyt and Nevermind 2 Link to comment Share on other sites More sharing options...
itman 1,760 Posted May 21, 2023 Share Posted May 21, 2023 (edited) 29 minutes ago, julen said: Platform is Prestashop 1.7 You might find this article informative: https://www.getastra.com/blog/911/prestashop-malware-infection/ . 29 minutes ago, julen said: Best way to clean infected files is to restore them from a backup. There are numerous vulnerabilities in Prestashop 1.7 noted in the above linked article that need to be addressed, lest you get infected again. Edited May 21, 2023 by itman Link to comment Share on other sites More sharing options...
Administrators Marcos 5,307 Posted May 21, 2023 Administrators Share Posted May 21, 2023 33 minutes ago, julen said: files infected was: classes/Product.php classes/Store.php classes/Dispatcher.php classes/Hook.oho classes/Tools.php classes/controller/ModuleFrontController.php classes/controller/Controller.php classes/controller/FrontController.php classes/shop/Shop.php Please compress them with the password "infected" and upload them here (only ESET staff can access attachments). Link to comment Share on other sites More sharing options...
julen 2 Posted May 21, 2023 Share Posted May 21, 2023 itman, thanks for the link. I will read it carefully, don't hesitate. As I know, Prestashop forums and Prestashop itself published (well, is the developer, so not the best tester or critic about their software), version 1.7.8.2 (and greater) prevent SQL injection and XSS attacks. Nevertheless, no one is safe from Zero-day vulnerabilities, and hackers are faster than developers founding it. Link to comment Share on other sites More sharing options...
julen 2 Posted May 21, 2023 Share Posted May 21, 2023 1 minute ago, Marcos said: Please compress them with the password "infected" and upload them here (only ESET staff can access attachments). Ooops, to late to found all of them (most are deleted), I saved a pair (I think those contans logic to infect, the deleted had a script to include in html to send to browsers as response). I will compress and send as you ask for. infected.zip Link to comment Share on other sites More sharing options...
itman 1,760 Posted May 21, 2023 Share Posted May 21, 2023 Here's a list of known Prestashop vulnerabilities: https://stack.watch/product/prestashop/prestashop/ . Link to comment Share on other sites More sharing options...
Recommended Posts