On January 2nd, PrestaShop developers discovered malware targeting PrestaShop version 1.7, named XsamXadoo Bot. This malware can be used to gain access to an online store, take control of it and, for example, steal the customer database (GDPR!). PrestaShop developers believe the malware exploited a known vulnerability in PHPUnit, reported as CVE-2017-9841.
The specific files involved are:
- XsamXadoo_Bot.php
- XsamXadoo_deface.php
- 0x666.php
- f.php
Is my PrestaShop 1.7 at risk?
You can check for the vulnerable component yourself. Log in to the server via FTP and check whether a phpunit directory exists at either of the following locations:
- <prestashop_directory>/vendor/phpunit
- <prestashop_directory>/modules/<module_name>/vendor/phpunit
If found, delete the phpunit directory.
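The same check, scripted, as an added example that is not part of the original advisory: it lists phpunit directories at the two locations named above, searches for the four file names attributed to XsamXadoo Bot, and deletes the phpunit directories only when asked to. The script name audit_prestashop.sh and the path /var/www/shop are assumptions.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit a PrestaShop 1.7
# install for (1) phpunit directories in the core vendor/ and in each
# module's vendor/, and (2) files named like the ones attributed to the
# malware. Plain POSIX sh; nothing is deleted unless remove_phpunit_dirs
# is called explicitly.

# Print every phpunit directory at the two locations the advisory lists.
find_phpunit_dirs() {
    root="${1%/}"
    [ -d "$root/vendor/phpunit" ] && printf '%s\n' "$root/vendor/phpunit"
    for moddir in "$root"/modules/*/; do
        moddir="${moddir%/}"
        [ -d "$moddir/vendor/phpunit" ] && printf '%s\n' "$moddir/vendor/phpunit"
    done
    return 0
}

# Print files carrying the names the advisory associates with the malware.
# f.php is a generic name, so every hit needs manual review before action.
find_dropped_files() {
    find "${1%/}" -type f \( -name 'XsamXadoo_Bot.php' -o -name 'XsamXadoo_deface.php' \
        -o -name '0x666.php' -o -name 'f.php' \) 2>/dev/null
}

# Remove the phpunit directories found above. The advisory's caveat applies:
# this closes the entry point but does not undo a compromise that already happened.
remove_phpunit_dirs() {
    find_phpunit_dirs "$1" | while IFS= read -r dir; do
        rm -rf -- "$dir" && printf 'removed: %s\n' "$dir"
    done
}

# Stand-alone use (assumed paths): sh audit_prestashop.sh /var/www/shop [--delete]
if [ "$#" -gt 0 ]; then
    echo "== phpunit directories =="; find_phpunit_dirs "$1"
    echo "== suspicious file names =="; find_dropped_files "$1"
    if [ "${2:-}" = "--delete" ]; then
        remove_phpunit_dirs "$1"
    fi
fi
```

Run it read-only first and review the output; the `--delete` pass only touches the phpunit directories it just listed.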
The phpunit directory is known to be present in the following modules:
- 1-Click Upgrade (autoupgrade): version 4.0 beta and higher
- Cart Abandonment Pro (pscartabandonmentpro): version 2.0.1~2.0.2
- Faceted Search (ps_facetedsearch): version 2.2.1~3.0.0
- Merchant Expertise (gamification): version 2.1.0 and higher
- PrestaShop Checkout (ps_checkout): version 1.0.8~1.0.9
We strongly recommend checking all modules!
If your PrestaShop has been infected, contact us immediately, and we will try to assist you as quickly as possible. Deleting the phpunit directories does not guarantee that the shop has not already been compromised.
We have checked the PrestaShops under our management, and none have been infected.
More information at: PrestaShop Critical Security Vulnerability