During our incident response to the client's website, we found a vulnerability in the VTEM Skitter module of Prestashop CMS.
Here is the code snippet of the uploadimage.php:
$uploaddir = ‘./img/’;
$uploadfile = normalize(pregreplace(‘/ /’, ‘’, basename($_FILES[‘userfile’][‘name’])));
if (move_uploaded_file($_FILES[‘userfile’][‘tmp_name’], $uploaddir.$uploadfile))
To test if your site is vulnerable, try going to your favourite browser and enter the following in the address bar: http:///modules/vtemskitter/uploadimage.php. An output of "error" string just means that the module is exploitable.
Note: is the name of your website.
In the above snippet, you can see that by using form POST method and 'userfile' variable, hackers can upload malicious code and manipulate your site.
Here is the snippet of the access log:
82[.]145[.]219[.]169 - - [16/Oct/2016:01:46:45 +0200] “GET /modules/vtemskitter/uploadimage.php HTTP/1.1” 200 475 “-” “Opera/9.80 (Android; Opera Mini/7.6.40234⁄37.8993; U; ar) Presto/2.12.423 Version/12.16”
134[.]0[.]15[.]54 - - [16/Oct/2016:01:47:14 +0200] “POST /modules/vtemskitter/uploadimage.php HTTP/1.1” 200 5992 “-” “-”
197[.]253[.]251[.]208 - - [16/Oct/2016:01:47:30 +0200] “GET /modules/vtemskitter/img/a.php HTTP/1.1” 200 5409 “-” “Mozilla/5.0 (Linux; U; Android 4.2.2; ar-ae; GT-S7580 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”
197[.]253[.]251[.]208 - - [16/Oct/2016:01:48:05 +0200] “GET /modules/vtemskitter/img/ICS.php HTTP/1.1” 200 8470 “-” “Mozilla/5.0 (Linux; U; Android 4.2.2; ar-ae; GT-S7580 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”
Here is the algorithm of the above snippet:
- Hacker checks if there is an "error" message string.
- Sends a POST form method to upload a.php file containing PHP shell.
- Uploads ICS.php file that contains Spam mailer.
What you can do:
If you have this module, we advise you to check if you are infected or not.
If you're already infected, you can do the following:
- Restore from backup.
- Delete ALL FILES and start from a clean state.
- Change your passwords, back office password, and that of other admin accounts.
- Change your SQL password.
- Change your FTP password.
- Change your banking and payment modules' usernames and passwords.
Your eCommerce website is infected with the malware or is blocked by search engines?
Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.
For other issues and help: Quttera help-desk