V1.6 Malware XsamXadoo in a customer's store

_aNoNiMo_

Good afternoon. A client has contacted me whose store has been infected since at least 06/30/2022, which is the date of the last backup that he has access to.

In the database, at a quick glance, two tables are missing: ps_info and ps_info_lang.

Some installed modules, when searched for, do not appear in the list, so we cannot configure them or at least copy their configuration to make a clean installation of the online store.

I had the explorerpro module installed, and that's where the whole problem will come from.

We have deleted that module through the FTP server, and deleted the other files in the root of the site.

Replaced the files with malicious code by the original ones from Prestashop.

Even so, we still don't have access to the installed modules.

All the saved database backups are missing those tables.

The version of Prestashop installed is 1.6.1.24.

Could someone help us solve the problem?

Thank you very much
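
The cleanup described in this post (replacing altered core files with originals and deleting unknown files from the site root) can be scoped by hashing the live tree against an unpacked copy of the same PrestaShop release. This is an added example, not part of the original post; the function names, the skipped directory names and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: top-level directories that legitimately differ from a clean release.
SKIP_DIRS = {"cache", "log", "download"}

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    out = {}  # relative path -> SHA-256
    for base, dirs, files in os.walk(root):
        if base == root:
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # prune in place
        for name in files:
            full = os.path.join(base, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256(full)
    return out

def compare_trees(shop_root, clean_root):
    shop, clean = index_tree(shop_root), index_tree(clean_root)
    return {
        "modified": sorted(p for p in shop if p in clean and shop[p] != clean[p]),
        "extra": sorted(p for p in shop if p not in clean),
        "missing": sorted(p for p in clean if p not in shop),
    }

def build_demo():
    """Constructed sample trees: a clean release and a tampered shop copy."""
    core = {"index.php": "<?php // core", "classes/Tools.php": "<?php // tools"}
    shop = {**core, "classes/Tools.php": "<?php // tools + appended code",
            "x1.php": "<?php // unknown file in web root",
            "modules/explorerpro/explorerpro.php": "<?php // third-party module",
            "cache/smarty.php": "<?php // skipped"}
    top = tempfile.mkdtemp()
    for tree, files in (("clean", core), ("shop", shop)):
        for rel, body in files.items():
            path = os.path.join(top, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    return os.path.join(top, "shop"), os.path.join(top, "clean")

if __name__ == "__main__":
    print(compare_trees(*build_demo()))
```

On a real server, pass the live document root and an unpacked copy of the same release (1.6.1.24 in this thread) to `compare_trees`. Third-party modules and themes will always show up under "extra" and need to be checked against the vendor's own package.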
 

freiserk

My experience two months ago:

Also with Prestashop 1.6.1.24, with the provider I identified the input and how they inserted it in "worm" and I had two options.

1st Restore recovering the data (something tedious and terrible).
2nd Use the backup that was valid at that time and luckily.

In my case, the problem is that the communication with Prestashop was corrupt but I had all the data correctly, but recovering them step by step was not feasible.

P.S. The problem was generated, of course, by WordPress!

Good luck and take as little work as possible.
 

_aNoNiMo_

Good afternoon. The easiest thing would be to restore everything, but what I am finding is that all the saved backups, files and databases, are infected, so that step is already ruled out.

I don't know how to solve it. The only thing that occurs to me is to migrate all the data to a new version of Prestashop 1.7 to prevent the customer from losing products, customers and orders.

I don't know if this will be the best solution.
 

freiserk

For security, it would be the best option, as it cannot be recovered from the backup.
I had the backup with https://www.akeeba.com/; in that format they couldn't play or they didn't know how :D That saved me.

Let's see what @d-shilko says!!!
 

_aNoNiMo_

Data migration is the only thing I can think of. I'm doing it through the ETS-Soft connector.

I have migrated data from several stores without any problems.

But in this case, I try to install the module, and it does go up, but it doesn't appear in the list of modules. It's incredible; the truth is that I'm going a little crazy...

If the modules worked correctly, I would already have everything done.
 

d-shilko

Turn DEBUG MODE ON through the settings file in the config folder, open the development console with "Disable cache", and provide a screenshot from the module catalog page!
By the way, ps_info is from the ps_customtext module.


hxcode

The importance of backup work. I use 2NT to back up and send to Google Drive and a remote server. Works well.
 

_aNoNiMo_

Thank you all very much for the help, in the end I was able to solve it, lucky malware...
 