YanK1973 Posted May 1

Hi, I have run a 1.6.1.12 shop without any security issues for years, and suddenly in the last 4-5 months the site has been hacked with malicious code at least 3 times:

- a few days ago with the JS/CoinMiner.FC trojan, which added a browser crypto-mining script in almost all footer.tpl files
- a few weeks ago index.php files were redirecting to another website
- a few weeks ago also a redirection to another website from the home page

I only access the website through my PC, and every time after every incident I changed the passwords for FTP and admin, and also changed my PC's AV to ESET, which helped, but I still got issues.

I know how to clean and bring up a backup to temporarily solve the issue, but I feel there is a loophole somewhere that needs to be fixed. Upgrading the shop is not an option right now, so if you have experience in security issues and you are available, PM me. Thanks.

Daresh Posted May 1

1. Do you have any WordPress blogs installed on the same server?
2. Install this module and check if you have any modules installed with known vulnerabilities: https://github.com/prestaalba/fop_publishedvulnerabilityscan/releases

In case you need some more help, let me know.

Coach G Posted May 1

I've encountered multiple hacked PrestaShop installations. From my experience, cleaning vulnerable modules only solves the issue temporarily; in order to solve the issue permanently, all PrestaShop core vulnerabilities must be patched up.

YanK1973 (Author) Posted May 1

5 hours ago, Daresh said:
> 1. Do you have any WordPress blogs installed on the same server?
> 2. Install this module and check if you have any modules installed with known vulnerabilities: https://github.com/prestaalba/fop_publishedvulnerabilityscan/releases
>
> In case you need some more help, let me know.

Hello Daresh, and thank you for the reply. I will ask hosting about WP installations. I installed the module and here is the report:

    {
      "module": "ultimateimagetool",
      "summary": "In the module \u201cImage: WebP, Compress, Zoom, Lazy load, Alt & More\u201d (ultimateimagetool) in versions up to 2.2.01 from Advanced Plugins for PrestaShop, a guest can update all configurations of the PrestaShop.",
      "url": "https://security.friendsofpresta.org/modules/2024/03/12/ultimateimagetool",
      "version": "1.5.60",
      "installed": false,
      "active": false
    },
    {
      "module": "hsmultiaccessoriespro",
      "summary": "In the module \u201cMulti Accessories Pro\u201d (hsmultiaccessoriespro) up to version 5.2.0 from Presta Monster for PrestaShop, a guest can perform SQL injection in affected versions.",
      "url": "https://security.friendsofpresta.org/modules/2024/02/08/hsmultiaccessoriespro",
      "version": "4.2.0",
      "installed": true,
      "active": true
    },
    {
      "module": "ybc_blog",
      "summary": "In the module \u201cBLOG - Drive High Traffic & Boost SEO\u201d (ybc_blog) in version up to 3.3.8 from PrestaHero (ETS Soft) for PrestaShop, a guest can perform SQL injection in affected versions.",
      "url": "https://security.friendsofpresta.org/modules/2023/11/14/ybc_blog",
      "version": "1.0.3.1",
      "installed": true,
      "active": true
    },
    {
      "module": "hicarouselspack",
      "summary": "In the module \u201cCarousels Pack - Instagram, Products, Brands, Supplier\u201d (hicarouselspack) up to version 1.5.0 from HiPresta for PrestaShop, a guest can perform SQL injection in affected versions.",
      "url": "https://security.friendsofpresta.org/modules/2023/10/19/hicarouselspack",
      "version": "1.4.8",
      "installed": true,
      "active": true
    },
    {
      "module": "ultimateimagetool",
      "summary": "In the module \u201cImage: WebP, Compress, Zoom, Lazy load, Alt & More\u201d (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.",
      "url": "https://security.friendsofpresta.org/modules/2023/07/20/ultimateimagetool",
      "version": "1.5.60",
      "installed": false,
      "active": false
    },
    {
      "module": "faqs",
      "summary": "In the module \u201cFrequently Asked Questions (FAQ) page\u201d (faqs) for PrestaShop, an attacker can perform SQL injection up to 3.1.5. Release 3.1.6 fixed this security issue.",
      "url": "https://security.friendsofpresta.org/modules/2023/03/28/faqs",
      "version": "3.0.3",
      "installed": true,
      "active": true
    }

Do you recommend updating if possible or deleting these modules?

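Added example (not part of any post in this thread, and not code from the scanner module): one way to turn a report like the one above into a per-module action list. The sample entries are taken from the report with shortened summaries; the `up to ...` regex is a heuristic, and treating `"installed": false` as "files still on disk" is an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed sample: entries from the report in this thread, summaries
# shortened, wrapped in [ ] so they parse as one JSON document.
REPORT = """[
 {"module": "ultimateimagetool", "summary": "in versions up to 2.2.01, a guest can update all configurations", "version": "1.5.60", "installed": false, "active": false},
 {"module": "hsmultiaccessoriespro", "summary": "up to version 5.2.0, a guest can perform SQL injection", "version": "4.2.0", "installed": true, "active": true},
 {"module": "ultimateimagetool", "summary": "in versions up to 2.1.02, path traversal attack", "version": "1.5.60", "installed": false, "active": false},
 {"module": "faqs", "summary": "SQL injection up to 3.1.5. Release 3.1.6 fixed this security issue.", "version": "3.0.3", "installed": true, "active": true}
]"""

UP_TO = re.compile(r"up to (?:version )?(\d+(?:\.\d+)*)")

def vtuple(version):
    """'2.2.01' -> (2, 2, 1), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def triage(report_json):
    """Merge all advisories for a module into one finding per module."""
    merged = defaultdict(lambda: {"advisories": 0, "last_vulnerable": None})
    for entry in json.loads(report_json):
        item = merged[entry["module"]]
        item["advisories"] += 1
        match = UP_TO.search(entry["summary"])
        if match:  # heuristic: the wording differs between advisories
            last, prev = match.group(1), item["last_vulnerable"]
            if prev is None or vtuple(last) > vtuple(prev):
                item["last_vulnerable"] = last
            item["affected"] = vtuple(entry["version"]) <= vtuple(item["last_vulnerable"])
        if entry["installed"]:
            item["action"] = "update past last_vulnerable, or delete the module directory"
        else:
            # Assumption: the scanner lists it because its files are on disk.
            item["action"] = "not installed: delete the leftover module directory"
    return dict(merged)

if __name__ == "__main__":
    for name, finding in sorted(triage(REPORT).items()):
        print(name, finding)
```
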
Nickz Posted May 1

7 hours ago, YanK1973 said:
> a few weeks ago also a redirection to another website from the home page

There could be an injection from the hoster; where do you host? Some staff earn so little that they need to make extra money; it happened to me. You need to monitor your shop: access logs, and see who is doing that.

Mediacom87 Posted May 1 (edited)

Hi,

A site that has been hacked will remain hacked permanently if the flaw that authorized the hacking is not corrected.

Of course, it's essential to correct the flaws in modules that have been identified as problematic.

Delete all unused modules, and uninstall all deactivated and useless modules.

And, of course, clean up anything that doesn't belong there.

Change passwords for all employee accounts after removing unnecessary employees.

Change FTP passwords.

Change the database table prefix if it's named ps_.

And if you need any help, please don't hesitate to contact me. I'll be happy to make you a customized offer.

I've just added an article on the subject if a PrestaShop store is hacked.

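Added example (not part of any post in this thread): a way to find "anything that doesn't belong there" by hashing a known-clean backup against the live shop and listing files that were modified or added. The suffix list and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types worth diffing first; the thread names footer.tpl
# and index.php as the files that were altered.
CODE_SUFFIXES = {".php", ".tpl", ".js", ".htaccess"}

def file_digests(root, suffixes=CODE_SUFFIXES):
    """Map relative path -> SHA-256 for every matching file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        # Dotfiles such as .htaccess have an empty suffix, so match the name too.
        wanted = path.suffix.lower() in suffixes or path.name in suffixes
        if path.is_file() and wanted:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """Report files that differ from, or are absent in, the clean copy."""
    clean, live = file_digests(clean_root), file_digests(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def demo():
    """Build constructed clean/live trees in a temp dir and compare them."""
    files = {
        "clean/index.php": "<?php require 'config.php';",
        "clean/themes/default/footer.tpl": "</body>",
        "live/index.php": "<?php require 'config.php';",
        "live/themes/default/footer.tpl": "</body><!-- constructed: injected line -->",
        "live/img/extra.php": "<?php // constructed: file absent from the backup",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return compare_trees(Path(tmp, "clean"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the backup: one taken after the first incident may already contain a planted file, so compare against a copy that predates the first compromise or against the vendor's original release files.
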
Daresh Posted May 1

I would start by applying this patch: https://security.snyk.io/vuln/SNYK-PHP-PRESTASHOPPRESTASHOP-2959890 and making sure there are no vulnerable modules: update, patch (some programming knowledge may be required) or delete them (don't just uninstall, remove totally).

Mediacom87 Posted May 1

35 minutes ago, Daresh said:
> I would start by applying this patch: https://security.snyk.io/vuln/SNYK-PHP-PRESTASHOPPRESTASHOP-2959890 and making sure there are no vulnerable modules: update, patch (some programming knowledge may be required) or delete them (don't just uninstall, remove totally).

Who in their career has ever come across a site configured to manage its cache on MySQL?

Daresh Posted May 1

It does not need to be configured this way to be hacked.

Nickz Posted May 2 (edited)

When a shop is hacked, the very best method is to make it rise like a phoenix from the ashes. Make 2 or more shops from one big one, get more servers, build up. If smaller, use the hindrance and rebuild, make new, update. If you apply patches, there is a 50/50 chance the opening is still there.