PrestaShop Issued a Warning Against "XsamXadoo" Malware

PrestaShop has released an advisory warning store owners about malware named XsamXadoo.

Attackers are reportedly using this malware to gain access to PrestaShop stores. Several PrestaShop store owners have already been compromised by it.

From what we know, this malware exploits known vulnerabilities in the PHP tool PHPUnit, which is present in several PrestaShop modules.

You will find more details of the vulnerability as you read on. We will also go through the steps to check whether your store is vulnerable.

If you are hacked, get immediate malware cleanup with Astra right now.

Dissection of the PrestaShop vulnerability

The vulnerability in the PHP tool PHPUnit is identified as CVE-2017-9841. According to reports, it affects the file “Util/PHP/eval-stdin.php” in the PHPUnit folder.

Stores running PHPUnit versions prior to 4.8.28, or 5.x versions prior to 5.6.3, are most at risk.

This vulnerability lets an attacker execute arbitrary PHP code on your website. The ‘/vendor’ folder, which houses the vulnerable file, has become ground zero of the attack.

How to check if you are vulnerable?

Checking your store for risk is easy. Just follow these simple steps:

  1. Access your site via an FTP client like Filezilla.
  2. Create a backup of your website.
  3. Navigate to the /vendor folder in your website’s root directory.
  4. Search for the PHPUnit folder.

Now two cases may arise:

Case 1: PHPUnit folder is there

You are at risk. Go ahead and delete the PHPUnit folder. Deleting it will not hinder the workings of your website. In fact, it will reduce your risk of getting infected with the XsamXadoo malware.

Now repeat this process from the start with all your modules. That is, search for, find and delete the PHPUnit folder in all your PrestaShop modules.
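If you have shell access to the server, the same check can be done in one pass over the store root and every module. The script below is an added example, not part of PrestaShop's advisory; the module names in its sample tree are made up, and it only reports folders, leaving deletion to you.

```shell
#!/bin/sh
# Added example (not from the advisory): list every PHPUnit folder under a
# PrestaShop tree, at the store root and inside each module's vendor folder.
# Usage: sh scan.sh /path/to/store   (with no argument it runs on a sample tree)

scan_phpunit() {
    # $1 = store root. One tab-separated line per finding: STATUS, folder.
    find "$1" -type d -name phpunit -path '*/vendor/phpunit' 2>/dev/null |
    while IFS= read -r dir; do
        # eval-stdin.php is the file named in CVE-2017-9841.
        hit=$(find "$dir" -type f -path '*/Util/PHP/eval-stdin.php' | head -n 1)
        if [ -n "$hit" ]; then
            printf 'EVAL-STDIN-PRESENT\t%s\n' "$dir"
        else
            printf 'PHPUNIT-PRESENT\t%s\n' "$dir"
        fi
    done
}

make_sample_tree() {
    # Constructed layout for demonstration; module names are hypothetical.
    mkdir -p "$1/vendor/phpunit/phpunit/src/Util/PHP" \
             "$1/modules/examplemod_a/vendor/phpunit/phpunit/src/Util/PHP" \
             "$1/modules/examplemod_b/vendor/phpunit/phpunit/src" \
             "$1/modules/examplemod_c/vendor/composer"
    : > "$1/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    : > "$1/modules/examplemod_a/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
}

if [ -n "${1:-}" ]; then
    scan_phpunit "$1"            # real store root passed on the command line
else
    demo=$(mktemp -d)            # no argument: run against the sample tree
    make_sample_tree "$demo"
    scan_phpunit "$demo" | sort
    rm -rf "$demo"
fi
```

Every line of output is a folder to delete as described in Case 1; no output corresponds to Case 2.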


Case 2: PHPUnit folder is not there

Congratulations! You are safe 🙂

However, you can still go a little extra and secure your PrestaShop Store with proper security measures. This comprehensive PrestaShop Security Guide will prove to be extremely helpful in achieving this.

How to check if you are hacked?

You found the PHPUnit folder in your store and deleted it. But how can you confirm that your store has not been compromised?

Well, look at your store for the following hacking symptoms:

  • You are not able to access your website.
  • New/unknown admins added to your website.
  • Store redirecting to unsolicited pages.
  • Your website becomes very slow & shows error messages.
  • Malicious ads & pop-ups appear on your website.
  • Payment manipulated.
  • Customers complaining of credit card misuse.

Astra users need not look for these symptoms; instead, scan your store with the Astra malware scanner.
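Beyond the visible symptoms, the web-server access log shows whether anyone requested the vulnerable file before you removed it. The script below is an added example, not from the advisory; it assumes an Apache or nginx log in "combined" format, and its sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag web-server log entries that
# request eval-stdin.php, the PHPUnit file named in CVE-2017-9841.
# Usage: sh logscan.sh /path/to/access.log   (no argument: uses sample lines)

scan_access_log() {
    # $1 = access log in "combined" format.
    # Output: VERDICT, client, timestamp, method, status, path (tab-separated).
    awk '
    {
        # Combined format fields: $1 client, $4 [time, $6 "METHOD,
        # $7 request path, $9 response status.
        if (index(tolower($7), "eval-stdin.php") == 0) next
        method = $6; sub(/^"/, "", method)
        ts = $4;     sub(/^\[/, "", ts)
        # A 2xx status means the server found and served the file, so
        # that request needs follow-up; anything else was only a probe.
        verdict = ($9 ~ /^2[0-9][0-9]$/) ? "REACHED" : "PROBE"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", verdict, $1, ts, method, $9, $7
    }' "$1"
}

make_sample_log() {
    # Constructed log lines; addresses come from documentation ranges.
    cat > "$1" <<'EOF'
198.51.100.7 - - [07/Jan/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jan/2020:10:02:11 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [07/Jan/2020:10:02:12 +0000] "POST /modules/examplemod_a/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 34 "-" "-"
EOF
}

if [ -n "${1:-}" ]; then
    scan_access_log "$1"
else
    log=$(mktemp)
    make_sample_log "$log"
    scan_access_log "$log"
    rm -f "$log"
fi
```

A REACHED line does not prove a compromise on its own, but it tells you which module path and which time window to examine first.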


I am hacked. What to do now?

The faster you act, the faster you are going to control the damage.

The most efficient and foolproof method is to get expert help. You need not go through a complex trial-and-error malware cleanup on your own. You just need to:

  1. Sign up for immediate malware removal with Astra.
  2. Fill in your website’s credentials.
  3. Astra Security experts will clean the malware & backdoor in no more than 6-8 hours.
  4. Your website will be perfectly up & running.

If you have an above-average security acumen, you can also attempt to clean the malware on your own. This PrestaShop Malware Removal Guide shall help you with this.

Note: Unless you have superior knowledge of security, we strongly advise against going for this method. An inefficient malware cleanup can end up compromising your site even further.

To sum up – Act quickly

PrestaShop stores have come under a massive malware attack. Unless you take quick action, you might end up with a hacked PrestaShop store.

For enhanced security, make sure you implement recommended security measures on your store.


About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.
