bnadauld Posted September 23, 2022 (edited)

Just restored a snapshot of my PS 1.7.8.2 from a good backup, and now I'm trying to see how they got in before I do a full rebuild.

I have these entries in /var/logs/prod.log, which was after I noticed the compromise:

[2022-09-22 08:39:09] request.INFO: Matched route "admin_module_manage_action". {"route":"admin_module_manage_action","route_parameters":{"_controller":"PrestaShopBundle\\Controller\\Admin\\Improve\\ModuleController::moduleAction","action":"enable","module_name":"ps_wirepayment","_route":"admin_module_manage_action"},"request_uri":"https://www.mysite.com/admin7dsflksdf77/index.php/improve/modules/manage/action/enable/ps_wirepayment?_token=bodd3NBZe_-7X7NUMWTiY","method":"POST"} []
[2022-09-22 08:39:09] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []
[2022-09-22 08:39:09] security.DEBUG: User was reloaded from a user provider. {"provider":"PrestaShopBundle\\Security\\Admin\\EmployeeProvider","username":"[email protected]"} []
[2022-09-22 08:39:14] app.ERROR: Data from PrestaShop Addons is invalid, and cannot fallback on cache. [] []
[2022-09-22 08:39:14] app.INFO: Protect vendor folder in module ps_wirepayment [] []
[2022-09-22 08:39:14] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []

In the hack my bankwire & PayPal payment modules were turned off and a 1-click PayPal button was installed.

If anyone can suggest what these entries may mean or suggest any logs to check, it will be very helpful.

Thanks
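Added example (not part of the original post, and not PrestaShop code): a small parser for the prod.log line format quoted above that builds a timeline of back-office module enable/disable requests and attaches the employee account whose session was reloaded immediately afterwards. The sample lines, host and usernames are constructed, and the pairing assumes log lines from different requests are not interleaved.

```python
import json
import re

# Monolog layout seen in prod.log: [timestamp] channel.LEVEL: message {context} [extra]
LINE_RE = re.compile(r'^\[([^\]]+)\] (\w+)\.(\w+): (.*)$')

def parse_line(line):
    """Return (timestamp, channel, context dict), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, chan, _level, rest = m.groups()
    ctx, start = {}, rest.find(' {')
    if start != -1:
        try:
            # raw_decode stops after the first JSON object and ignores the trailing "[]"
            ctx, _ = json.JSONDecoder().raw_decode(rest[start + 1:])
        except ValueError:
            ctx = {}
    return ts, chan, ctx

def module_actions(lines):
    """Pair each module-manager request with the employee session logged right after it."""
    events, pending = [], None
    for parsed in filter(None, map(parse_line, lines)):
        ts, chan, ctx = parsed
        if chan == 'request' and ctx.get('route') == 'admin_module_manage_action':
            params = ctx.get('route_parameters', {})
            pending = {'time': ts, 'action': params.get('action'),
                       'module': params.get('module_name'),
                       'method': ctx.get('method'), 'user': None}
            events.append(pending)
        elif chan == 'security' and pending is not None and 'username' in ctx:
            pending['user'] = ctx['username']  # assumes requests are not interleaved
            pending = None
    return events

# Constructed sample lines (hypothetical users and times), same shape as the post's log
SAMPLE = r'''
[2022-09-22 08:31:02] request.INFO: Matched route "admin_module_manage_action". {"route":"admin_module_manage_action","route_parameters":{"action":"disable","module_name":"ps_wirepayment"},"method":"POST"} []
[2022-09-22 08:31:02] security.DEBUG: User was reloaded from a user provider. {"username":"staff2@shop.example"} []
[2022-09-22 08:39:09] request.INFO: Matched route "admin_module_manage_action". {"route":"admin_module_manage_action","route_parameters":{"action":"enable","module_name":"ps_wirepayment"},"method":"POST"} []
[2022-09-22 08:39:09] security.DEBUG: User was reloaded from a user provider. {"username":"owner@shop.example"} []
[2022-09-22 08:39:14] app.INFO: Protect vendor folder in module ps_wirepayment [] []
'''.strip().splitlines()

if __name__ == '__main__':
    for e in module_actions(SAMPLE):
        print(e['time'], e['method'], e['action'], e['module'], 'by', e['user'])
```

An event whose `user` stays `None`, or names an employee account nobody recognises, is the entry to line up against the web server access log for the same timestamp.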

bnadauld Posted September 23, 2022 (Author)

From the comparison also.

TiaNex Shopping Posted September 26, 2022 (edited)

My sites were hacked once. Some bad guys deleted all my product images, because I bought a theme without checking upload permissions; they uploaded a backdoor file and then got all admin privileges.

Please also check the web server (maybe the Apache log of this website), especially the POST action lines; there may be some information showing the backdoor files.