During our incident response for a client's website, we found a vulnerability in the VTEM Skitter module for the Prestashop CMS.
Here is the code snippet from the module's uploadimage.php:
$uploaddir = './img/';
// Strip spaces from the client-supplied file name; normalize() is presumably the module's own helper
$uploadfile = normalize(preg_replace('/ /', '', basename($_FILES['userfile']['name'])));
// No check on extension or content type: whatever was uploaded, PHP included, lands in ./img/
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$uploadfile))
    echo 'success:'.$uploadfile;
else
    echo 'error';
To test whether your site is vulnerable, open your favourite browser and enter the following in the address bar: http://YOUR-SITE/modules/vtemskitter/uploadimage.php. If the page answers with the string "error", the upload script is reachable without any authentication (it ran, found no file in the request, and fell through to the else branch), which means the module is exploitable.
Note: YOUR-SITE is the name of your website.
In the above snippet, you can see that the script takes whatever is POSTed in the 'userfile' form field and moves it into ./img/ without checking its extension or content type, so hackers can upload malicious PHP code, execute it on your server and manipulate your site.
Here is the snippet of the access log:
82[.]145[.]219[.]169 - - [16/Oct/2016:01:46:45 +0200] "GET /modules/vtemskitter/uploadimage.php HTTP/1.1" 200 475 "-" "Opera/9.80 (Android; Opera Mini/7.6.40234/37.8993; U; ar) Presto/2.12.423 Version/12.16"
134[.]0[.]15[.]54 - - [16/Oct/2016:01:47:14 +0200] "POST /modules/vtemskitter/uploadimage.php HTTP/1.1" 200 5992 "-" "-"
197[.]253[.]251[.]208 - - [16/Oct/2016:01:47:30 +0200] "GET /modules/vtemskitter/img/a.php HTTP/1.1" 200 5409 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; ar-ae; GT-S7580 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
197[.]253[.]251[.]208 - - [16/Oct/2016:01:48:05 +0200] "GET /modules/vtemskitter/img/ICS.php HTTP/1.1" 200 8470 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; ar-ae; GT-S7580 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
Here is the sequence of events shown in the log above:
- The hacker requests uploadimage.php and checks for the "error" message string, confirming the module is installed.
- Sends a POST form with the 'userfile' field to upload a.php, a file containing a PHP shell.
- Uploads ICS.php, a file that contains a spam mailer, and then requests both files from the img/ directory.
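A defender-side check for the sequence above, as an added example that is not part of the original post: a small Python scanner that reads access-log lines in the combined format and flags the GET probe, the POST upload, and any script file served from the module's img/ directory. The log lines embedded in it are constructed (RFC 5737 documentation addresses) to mirror the requests shown above; the endpoint and directory paths are the ones from the incident.

```python
import re
# Apache/nginx "combined" format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_ENDPOINT = "/modules/vtemskitter/uploadimage.php"
IMG_DIR = "/modules/vtemskitter/img/"
# Server-side script extensions that have no business being served from an image directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample lines (RFC 5737 documentation addresses) mirroring the incident log above.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Oct/2016:01:46:45 +0200] "GET /modules/vtemskitter/uploadimage.php HTTP/1.1" 200 475 "-" "Opera/9.80"',
    '198.51.100.7 - - [16/Oct/2016:01:47:14 +0200] "POST /modules/vtemskitter/uploadimage.php HTTP/1.1" 200 5992 "-" "-"',
    '203.0.113.5 - - [16/Oct/2016:01:47:30 +0200] "GET /modules/vtemskitter/img/a.php HTTP/1.1" 200 5409 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Oct/2016:01:48:05 +0200] "GET /modules/vtemskitter/img/ICS.php HTTP/1.1" 200 8470 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Oct/2016:02:10:00 +0200] "GET /modules/vtemskitter/img/slide1.jpg HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Oct/2016:02:11:00 +0200] "GET /modules/vtemskitter/img/x.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_indicators(lines):
    """Return (kind, ip, path) tuples for the stages seen in the incident:
    'probe' = GET to the upload endpoint (the "error" check), 'upload' = POST to it,
    'webshell' = a script file served with HTTP 200 from the image directory;
    a non-200 request for such a file is reported as 'webshell_probe'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        if path == UPLOAD_ENDPOINT:
            kind = "upload" if rec["method"] == "POST" else "probe"
            findings.append((kind, rec["ip"], path))
        elif path.startswith(IMG_DIR) and SCRIPT_EXT.search(path):
            kind = "webshell" if rec["status"] == "200" else "webshell_probe"
            findings.append((kind, rec["ip"], path))
    return findings

if __name__ == "__main__":
    for kind, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{kind:15} {ip:15} {path}")
```

Run the same function over the real access log; a 'webshell' hit is the strongest signal, and the named file should then be looked for on disk under modules/vtemskitter/img/ and preserved for analysis before cleanup.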
What you can do:
If you have this module, we advise you to check whether you are infected.
If you're already infected, you can do the following:
- Restore from backup.
- Delete ALL FILES and start from a clean state.
- Change your passwords: the back office password and those of all other admin accounts.
- Change your SQL password.
- Change your FTP password.
- Change your banking and payment modules' usernames and passwords.