Prestashop malware XsamXadoo Bot, critical security vulnerability of PHPUnit

Rate this post

On January 2nd, PrestaShop announces that a malware named XsamXadoo Bot was discovered. This malware can be used to have access to an online Prestashop store and take control of it.

What happen?

The attackers are exploiting a vulnerability in PHPUnit to perform arbitrary code execution in servers running PrestaShop websites. The issue is fixed in PHPUnit 7.5.19 and 8.5.1. All previous versions are vulnerable, at least for certain server configurations.
The bot used a known vulnerability of the PHP tool PHPUnit that has been reported as CVE-2017-9841.

What is PHPUnit?

PHPUnit is a programmer-oriented testing framework for PHP, created by Sebastian Bergmann. It is an instance of the xUnit architecture for unit testing frameworks.

About vulnerability CVE-2017-9841

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a “How to check Your server php version?

1. Create a text document, Save the file and rename it to info.php


2. Move this file to Your public_html folder
3. Run

How to know if Your site is vulnerable?

Connect to your shop via FTP or shell access, and look at the “vendor” directory in the main prestashop folder and inside each one of your modules:

/vendor /modules//vendor If there’s a directory called “phpunit” inside, your shop may be vulnerable. If you did not find any module containing this phpunit folder, your store is not vulnerable

What happens if Your store is compromised?

This vulnerability gives an attacker access to your website: for instance, this means an attacker can potentially steal your data. PHPUnit is a development library and is not needed for the normal function of your site, so you can simply delete all the “phpunit” directories found above.

What to do if Your Prestashop site was compromised with malware XsamXadoo Bot?

If you think your site has been hacked, contact a security expert. It is also recommended to follow the steps below:

1. delete all “phpunit” folders

You can delete “phpunit” folders manually via FTP or Linux servers, run the following bash command line from shop’s modules/ folder:
find . -type d -name "phpunit" -exec rm -rf {} \;

This should help close the attack vector.

Be aware that even if you perform this cleanup, your shop may have already been compromised.

2. Update the PrestaShop modules impacted by this vulnerability

PrestaShop announces that some modules are impacted:

  • 1-Click Upgrade (autoupgrade): versions 4.0 beta and later
  • Cart Abandonment Pro (pscartabandonmentpro): versions 2.0.1~2.0.2
  • Faceted Search (ps_facetedsearch): versions 2.2.1~3.0.0
  • Merchant Expertise (gamification): versions 2.1.0 and later
  • PrestaShop Checkout (ps_checkout): versions 1.0.8~1.0.9

If you have these modules, You need to update them urgently to new versions, which completely remove the related library from their own dependencies!

Be aware that if you installed in the past an impacted version of those modules, PHPUnit files may still be present on your server.

Check your shop files even after you deleted the “phpunit” directory

Most attackers either place new files in the filesystem or modify existing files, therefore it is recommended check if Core PrestaShop files have been modified by looking at the “List of changed files” section at the bottom of the “Advanced Parameters > Information” page in your Back Office.
Carefully check that the attacker didn’t leave any file on your server, e.g hidden in the middle of your shop file.

photo source

Also, consider asking all users of your shop to change their password, which includes back-office users but also customer accounts.

Hello there!

I hope you find this post useful!

I'm Mihai, a programmer and online marketing specialist, very passionate about everything that means online marketing, focused on eCommerce.

If you have a collaboration proposal or need helps with your projects feel free to contact me. I will always be glad to help you!

subscribe youtube

Leave a Comment