Recently, a client reached out to us with a serious problem on their site: every folder was filled with suspicious files such as wp-load.php and similar. This is an unusual pattern for a compromise, as attackers usually modify core files and plant phishing payment forms on the checkout page. This time, however, the core files were not altered, and only the main page of the site was loading. The .htaccess and index.php files had been modified, and even after deletion they were quickly recreated. Attempts to trace the script's actions via shell commands were ineffective, as the commands were hidden, and no cron tasks had been set up.
After a thorough analysis, we discovered the ybc_blog folder in the cache directory. After deleting it, the folder would automatically reappear. This folder likely served as a marker for the attacker, and it was through this that the hack was executed. Further investigation led us to the CVE-2023-43979 record, which describes a vulnerability in the ybc_blog module up to version 4.4.0.
For more detailed information about this vulnerability, you can visit the link: ybc_blog SQL Injection Vulnerability.
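The indicators described above (stray wp-load.php files, a recreated cache/ybc_blog directory, and .htaccess or index.php files modified shortly after being removed) can be swept for with a short script. This is an added example, not code from the original post; the document-root layout and the 60-minute threshold are assumptions, and the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example: sweep a PrestaShop document root for the indicators from the post.
# Output: one "TYPE<TAB>path" line per finding, so it can be diffed or fed to a SIEM.

# scan_root ROOT [MINUTES]  (MINUTES defaults to 60, an assumed threshold)
scan_root() {
    root=$1
    minutes=${2:-60}
    # 1. wp-load.php is a WordPress core file; a PrestaShop tree should contain none.
    find "$root" -type f -name 'wp-load.php' | while IFS= read -r f; do
        printf 'STRAY_FILE\t%s\n' "$f"
    done
    # 2. The cache/ybc_blog directory the post identifies as the attacker's marker.
    if [ -d "$root/cache/ybc_blog" ]; then
        printf 'MARKER_DIR\t%s\n' "$root/cache/ybc_blog"
    fi
    # 3. .htaccess / index.php written within the last N minutes: a file that keeps
    #    reappearing after deletion shows up here on every run.
    find "$root" -type f \( -name '.htaccess' -o -name 'index.php' \) -mmin "-$minutes" |
        while IFS= read -r f; do
            printf 'RECENT_MOD\t%s\n' "$f"
        done
}

# build_fixture DIR: constructed sample tree reproducing the symptoms (test data only).
build_fixture() {
    d=$1
    mkdir -p "$d/cache/ybc_blog" "$d/modules/ybc_blog" "$d/img" "$d/themes"
    printf '<?php // constructed stray file\n' > "$d/img/wp-load.php"
    printf '<?php // constructed stray file\n' > "$d/themes/wp-load.php"
    printf 'RewriteEngine On\n' > "$d/.htaccess"        # freshly (re)written
    printf '<?php // constructed\n' > "$d/index.php"     # freshly (re)written
    # A legitimate, long-untouched index.php stub must NOT be reported.
    printf '<?php\n' > "$d/img/index.php"
    touch -t 202001010000 "$d/img/index.php"
}

# Stand-alone run against the constructed tree.
tmp=$(mktemp -d)
build_fixture "$tmp"
scan_root "$tmp" 60
rm -rf "$tmp"
```

On a real server, run scan_root against the live document root from cron or a monitoring agent and alert on any output; a nonempty RECENT_MOD list for files you just deleted confirms the recreation behaviour described above.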
CVE-2023-43979: Important Details of the Vulnerability
The SQL injection vulnerability in the ybc_blog module allows attackers to access the database and execute arbitrary SQL queries. This can lead to serious consequences, including data theft, site content modification, and the installation of malicious code. Through this vulnerability, hackers can gain full control over your site and, in some cases, even the server on which it is hosted.
Solution to the Problem
An older backup archive was found on the client's server. It was decided to reinstall the operating system, restore the data from the backup, and fix or remove the ybc_blog module.
Recommendations for Protecting Your Site
To avoid similar situations, it is important to follow several key recommendations:
- Timely Updates: Always update all components of your site, including modules and the PrestaShop platform itself. New versions contain patches and fixes that address known vulnerabilities.
- Installing Only Necessary Modules: Do not install unnecessary modules. Each additional module is a potential attack vector.
- Downloading Modules from Trusted Sources: Use only official platforms or trusted sources to download modules. Avoid suspicious sites and offers.
- Regular Backups: Regularly back up your site and database. This allows for quick recovery of the site in case of an attack.
- Security Audits: Conduct periodic security audits of your site. Use vulnerability scanners and monitoring tools to detect problems in a timely manner.
If you have the ybc_blog module installed, let us know in the comments if you have experienced hacks or suspicious activity. If this topic interests you, we can write additional articles about how malware is uploaded and what needs to be done to protect your site.
If your site has been hacked, feel free to contact us. We will try to help you restore your site and eliminate vulnerabilities. Support and consultation from specialists will help you protect your business in the digital space.