Just restored a snapshot of my PS 1.7.8.2 from a good backup and now I'm trying to see how they got in before I do a full rebuild.
I have these entries in /var/logs/prod.log, which were logged after I noticed the compromise:
[2022-09-22 08:39:09] request.INFO: Matched route "admin_module_manage_action". {"route":"admin_module_manage_action","route_parameters":{"_controller":"PrestaShopBundle\\Controller\\Admin\\Improve\\ModuleController::moduleAction","action":"enable","module_name":"ps_wirepayment","_route":"admin_module_manage_action"},"request_uri":"https://www.mysite.com/admin7dsflksdf77/index.php/improve/modules/manage/action/enable/ps_wirepayment?_token=bodd3NBZe_-7X7NUMWTiY","method":"POST"} []
[2022-09-22 08:39:09] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []
[2022-09-22 08:39:09] security.DEBUG: User was reloaded from a user provider. {"provider":"PrestaShopBundle\\Security\\Admin\\EmployeeProvider","username":"[email protected]"} []
[2022-09-22 08:39:14] app.ERROR: Data from PrestaShop Addons is invalid, and cannot fallback on cache. [] []
[2022-09-22 08:39:14] app.INFO: Protect vendor folder in module ps_wirepayment [] []
[2022-09-22 08:39:14] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
In the hack my bankwire & PayPal payment modules were turned off and a 1-click PayPal button was installed.
If anyone can suggest what these entries may mean or suggest any logs to check, that will be very helpful.
Thanks
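Added example, not part of the original post and not PrestaShop's own code: a small Python parser for the Monolog lines that PrestaShop 1.7 writes to prod.log. It pulls every back-office module enable/disable request (route `admin_module_manage_action`) out of the log and attaches the employee account that Symfony reloaded for that request, so the timeline of who toggled which payment module can be reconstructed. The sample input is the excerpt above plus one constructed non-Monolog line to show that junk is skipped; the line layout it assumes is the standard Monolog one (`[timestamp] channel.LEVEL: message {context} {extra}`).

```python
"""Reconstruct back-office module actions from a PrestaShop 1.7 prod.log.

Added example (not PrestaShop code). Assumes the standard Monolog line layout:
    [timestamp] channel.LEVEL: message {context-json or []} {extra-json or []}
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"            # [2022-09-22 08:39:09]
    r"(?P<channel>\w+)\.(?P<level>[A-Z]+):\s+"  # request.INFO:
    r"(?P<msg>.*?)\s+"                   # free-text message (lazy)
    r"(?P<ctx>\{.*\}|\[\])\s+"           # context: JSON object or []
    r"(?P<extra>\{.*\}|\[\])\s*$"        # extra: JSON object or []
)

# Symfony route PrestaShop uses for enable/disable/install/... of a module
MODULE_ROUTE = "admin_module_manage_action"


@dataclass
class LogEvent:
    ts: str
    channel: str
    level: str
    message: str
    context: Dict


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one Monolog line; return None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx_raw = m.group("ctx")
    try:
        context = json.loads(ctx_raw) if ctx_raw.startswith("{") else {}
    except json.JSONDecodeError:
        context = {}  # keep the event even if the context is damaged
    return LogEvent(m.group("ts"), m.group("channel"), m.group("level"),
                    m.group("msg"), context)


def module_actions(lines: Iterable[str]) -> List[Dict]:
    """Return every module manage request, with the employee who issued it.

    Within one request Monolog logs the route match first and the
    "User was reloaded from a user provider" entry afterwards (as in the
    excerpt above), so a username is attached to the actions logged just
    before it that are still unattributed.
    """
    actions: List[Dict] = []
    unattributed: List[Dict] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.channel == "request" and ev.context.get("route") == MODULE_ROUTE:
            params = ev.context.get("route_parameters", {})
            act = {
                "ts": ev.ts,
                "action": params.get("action"),       # enable / disable / ...
                "module": params.get("module_name"),  # e.g. ps_wirepayment
                "method": ev.context.get("method"),
                "uri": ev.context.get("request_uri"),  # path + _token for access-log correlation
                "user": None,
            }
            actions.append(act)
            unattributed.append(act)
        elif ev.channel == "security" and "username" in ev.context:
            for act in unattributed:
                act["user"] = ev.context["username"]
            unattributed.clear()
    return actions


# Sample input: the poster's excerpt, one entry per line, plus one
# constructed non-Monolog line (the last one) to show it is skipped.
SAMPLE_LOG = [
    r'[2022-09-22 08:39:09] request.INFO: Matched route "admin_module_manage_action". {"route":"admin_module_manage_action","route_parameters":{"_controller":"PrestaShopBundle\\Controller\\Admin\\Improve\\ModuleController::moduleAction","action":"enable","module_name":"ps_wirepayment","_route":"admin_module_manage_action"},"request_uri":"https://www.mysite.com/admin7dsflksdf77/index.php/improve/modules/manage/action/enable/ps_wirepayment?_token=bodd3NBZe_-7X7NUMWTiY","method":"POST"} []',
    r'[2022-09-22 08:39:09] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []',
    r'[2022-09-22 08:39:09] security.DEBUG: User was reloaded from a user provider. {"provider":"PrestaShopBundle\\Security\\Admin\\EmployeeProvider","username":"[email protected]"} []',
    r'[2022-09-22 08:39:14] app.ERROR: Data from PrestaShop Addons is invalid, and cannot fallback on cache. [] []',
    r'[2022-09-22 08:39:14] app.INFO: Protect vendor folder in module ps_wirepayment [] []',
    r'[2022-09-22 08:39:14] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []',
    r'junk line that is not Monolog output (constructed)',
]


if __name__ == "__main__":
    for act in module_actions(SAMPLE_LOG):
        print(f'{act["ts"]} {act["user"]} {act["method"]} {act["action"]} {act["module"]}')
```

Run against the real file with `module_actions(open("var/logs/prod.log"))` to list every enable/disable of a module in the period before the compromise was noticed. Note that prod.log records no client IP: the timestamp and the `request_uri` (path plus `_token`) are the join keys into the web server access log, which is where the source address of each back-office request lives. PrestaShop's own back-office activity log (Advanced Parameters > Logs, stored in the `ps_log` table) is the other place to check for employee logins and changes from the same window.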