[VULNERABILIDAD CRÍTICA] XsamXadoo Bot Malware in Prestashop

Published On: 3 de January de 2020

Since this January 2, 2020, the Prestashop team has detected an important security breach classified as CRITICAL within its files and that is affecting several versions of Prestashop and several modules.

The vulnerability is present in a PHP tool called PHPUnit and it is taken advantage of by the Malware called XsamXadoo Bot . This Malware through the PHPUnit tool gets access to the store and takes control of it, causing irreversible damage to the businesses of all users who have a store with this vulnerability.

What is PHPUnit?

This tool is a Framework that is used to perform unit tests in application development. Although its use is not common in Prestashop nor is it the modules, there are Prestashop modules developed by third parties that do use this Framework. For this reason, the scope of this security breach can be quite wide.

What is the procedure of the XamXadoo Bot Malware?

The way to proceed with this Malware is basically to gain access to the store through the vulnerable code of the PHPUnit tool and the subsequent insertion of files with malicious code into the store’s directory. The code inside these files allows you to take control of the store and thus steal more data.

At the moment it is known that the files created by the Malware are the following:

  • XsamXadoo_Bot.php
  • XsamXadoo_deface.php
  • 0x666.php
  • f.php

You should know that if the store is vulnerable it does not mean that it is infected. But if the Malware attacks the store, then it will gain access and thus infect with malicious code through the mentioned files.

Modules affected by vulnerability

The Prestashop team has reported that the vulnerability is found in the following modules developed by them:

  • 1-Click Upgrade (autoupgrade): version 4.0 beta and later.
  • Cart Abandonment Pro (pscartabandonmentpro): version 2.0.1 ~ 2.0.2
  • Faceted Search (ps_facetedsearch): version 2.2.1 ~ 3.0.0
  • Merchant Expertise (gamification): version 2.1.0 and later
  • PrestaShop Checkout (ps_checkout): version 1.0.8 ~ 1.0.9

They have been able to correct the problem and have updated these modules to the following versions:

  • 1-Click upgrade: version 4.10.1
  • Cart Abandonment Pro: version 2.0.10
  • Faceted Search: version 3.4.1
  • Merchant Expertise: version 2.3.2
  • PrestaShop Checkout: version 1.2.9

IMPORTANT: This list is only of the modules developed by Prestashop and that have detected that they have the vulnerability with PHPUnit. However, as we have mentioned before, there may be many more modules developed by third parties that also have the vulnerability.

If you want more information about this critical problem, click on the following links:

National Vulnerability Database CVE-2017-9841



How to check and fix the vulnerability with PHPUnit

The steps to know if your online store is vulnerable to this Malware are not complicated but require certain knowledge in handling FTP (File Transfer Protocol) software or accessing the server’s file systems through the web hosting panel, in addition to having time to do the checks on a folder-by-folder basis.

Here’s how to check:

First you have to find the vulnerability. This is inside the directories / vendor / phpunit / . It can be found in the root directory of the store or within the folders of the modules.

Go to the root folder of the store and check if the folder exists “Phpunit” inside the directory / vendor / phpunit / . If the “phpunit” folder exists, you must delete it along with all its content.

Go to the folder “ modules “ store and check in each of the modules if the folder exists “Vendor” and if inside this folder is the folder “Phpunit” . If the folder exists “Phpunit” you must also delete it along with all its content.

If the directory does not exist /vendor/phpunit/ in the root directory or modules, then your Prestashop is not vulnerable to malware. XsamXadoo Bot. But if in the previous steps you have found “phpunit” folders, it means that your store has been vulnerable to Malware attack, so it is possible that your store is already infected without knowing it. In this case, the entire store directory should be scanned folder by folder in search of the files with malicious code mentioned above.

This is the most complicated task and requires an automated process only available in modules that have been designed to solve this problem.

At Liewebs we have developed a very easy-to-use module, PRESTASHOP STOP VULNERABILITY.

The module automatically analyzes, detects and corrects if there is this security breach with PHPUnit in your Prestashop store and in the modules you have installed. In addition, if the store has been infected with malicious code, the Prestashop Stop Vulnerability module is able to search and find infected files to delete them automatically.

We have also developed the Search Tool PRO so that you can search for malicious code fragments (Malware), viruses or Phishing code within the store files quickly and efficiently, so that you can detect the threat and neutralize it.



You don’t know if your online store is affected by this vulnerability or has already been infected by this Malware?

We perform web analysis, detection and disinfection services to neutralize this and other threats. Ask us for more information in the following link

Artículos relacionados

Échale un vistazo a estos otros artículos relacionados