My sites keep getting hacked with the following trojan mentioned in this thread: Prestashop 1.6 trojan. New method. I have searched the logs and found the part responsible for the attack:
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:12 +0200] "POST /admin123/ajax-tab.php?rand=1668337335767 HTTP/1.1" 200 1110 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:14 +0200] "GET /admin123 HTTP/1.1" 301 496 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:14 +0200] "GET /admin123/ HTTP/1.1" 302 1027 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:15 +0200] "GET /admin123/index.php?controller=AdminDashboard&token=7480da1f86d8f689ef56741572277611 HTTP/1.1" 200 28914 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:17 +0200] "POST /admin123/index.php?controller=AdminModules&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 302 1156 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:43 +0200] "GET /admin123?controller=AdminModules&install=doofinder&tab_module=others&module_name=doofinder&anchor=Doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 301 792 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:43 +0200] "GET /admin123/?controller=AdminModules&install=doofinder&tab_module=others&module_name=doofinder&anchor=Doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 200 1155 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:45 +0200] "GET /admin123?controller=AdminModules&delete=doofinder&tab_module=others&module_name=doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 301 752 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:45 +0200] "GET /admin123/?controller=AdminModules&delete=doofinder&tab_module=others&module_name=doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 302 1190 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:46 +0200] "GET /admin123/index.php?controller=AdminModules&conf=22&token=02c1b073920cf96f1b62560fc2f0bad5&tab_module=others&module_name=doofinder HTTP/1.1" 200 137033 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:51 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:52 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:54 +0200] "GET /api_1.php HTTP/1.1" 200 4479 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:55 +0200] "POST /api_1.php HTTP/1.1" 200 4557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:57 +0200] "POST /api_1.php HTTP/1.1" 301 4536 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:58 +0200] "GET /api_1.php HTTP/1.1" 200 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:00 +0200] "POST /api_1.php HTTP/1.1" 200 4631 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:00 +0200] "POST /api_1.php HTTP/1.1" 200 349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:01 +0200] "POST /api_1.php HTTP/1.1" 200 386 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:01 +0200] "POST /api_1.php HTTP/1.1" 200 390 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 338 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 336 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:02 +0200] "POST /api_1.php HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:03 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:03 +0200] "POST /api_1.php HTTP/1.1" 200 382 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 364 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 366 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:04 +0200] "POST /api_1.php HTTP/1.1" 200 356 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:05 +0200] "POST /api_1.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:05 +0200] "POST /api_1.php HTTP/1.1" 200 367 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:06 +0200] "POST /api_1.php HTTP/1.1" 200 369 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:06 +0200] "POST /api_1.php HTTP/1.1" 200 359 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 379 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:07 +0200] "POST /api_1.php HTTP/1.1" 200 377 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 377 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 336 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:08 +0200] "POST /api_1.php HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:09 +0200] "POST /api_1.php HTTP/1.1" 200 394 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:10 +0200] "POST /api_1.php HTTP/1.1" 200 379 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:10 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:11 +0200] "POST /api_1.php HTTP/1.1" 200 334 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:11 +0200] "POST /api_1.php HTTP/1.1" 200 353 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 352 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 352 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:12 +0200] "POST /api_1.php HTTP/1.1" 200 355 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:13 +0200] "POST /api_1.php HTTP/1.1" 200 367 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:13 +0200] "POST /api_1.php HTTP/1.1" 200 354 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 353 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 341 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:14 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 334 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:15 +0200] "POST /api_1.php HTTP/1.1" 200 339 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 343 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:16 +0200] "POST /api_1.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:17 +0200] "POST /api_1.php HTTP/1.1" 200 389 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:17 +0200] "POST /api_1.php HTTP/1.1" 200 376 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:20 +0200] "POST / HTTP/1.1" 301 4527 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:21 +0200] "GET / HTTP/1.1" 301 834 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:23 +0200] "GET /pl/ HTTP/1.1" 200 42977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:24 +0200] "POST /api_1.php HTTP/1.1" 200 349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:25 +0200] "POST /api_1.php HTTP/1.1" 200 351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:27 +0200] "POST /api_1.php HTTP/1.1" 200 4714 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:29 +0200] "POST /api_1.php HTTP/1.1" 200 8672 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:31 +0200] "POST /api_1.php HTTP/1.1" 200 4622 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:32 +0200] "POST /api_1.php HTTP/1.1" 200 4606 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:34 +0200] "POST /api_1.php HTTP/1.1" 200 4635 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:36 +0200] "POST /api_1.php HTTP/1.1" 200 4585 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:39 +0200] "POST /api_1.php HTTP/1.1" 200 4749 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:03 +0200] "POST /api_1.php HTTP/1.1" 200 4626 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:10 +0200] "POST /api_1.php HTTP/1.1" 200 4550 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:17 +0200] "POST /api_1.php HTTP/1.1" 200 4550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:22 +0200] "POST /api_1.php HTTP/1.1" 200 4579 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:24 +0200] "POST /api_1.php HTTP/1.1" 200 4554 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:25 +0200] "GET /api_1.php HTTP/1.1" 301 4536 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:27 +0200] "GET /api_1.php HTTP/1.1" 404 158928 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
It seems that the hackers somehow accessed the back-office, installed the module named `doofinder` and posted a compromised file, api_1.php, which was executed and infected the PrestaShop files. But I can't find out how they entered - I guess the most probable cause is a broken password, right?
We are still using the old PS 1.6.1.20 (we are updating all the shops to PS 8.1.7 soon, but need approx. a month to finish the migration). So we need to secure the shops for this period of time to prevent attacks from happening.
We have already changed the admin folder name and all the user passwords.
Any thoughts/hints about the issue?
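As an added example (not code from the post, and not part of PrestaShop), the following Python script turns the pattern visible in the log above into a detection that can be run over an Apache access log: one client name installs or deletes a module through the back-office AdminModules controller, and within minutes the same client gets HTTP 200 from a top-level PHP file that is not a normal front-controller entry point. The admin directory name (`admin123`), the assumption that only `/index.php` is an expected top-level script on a PS 1.6 webroot, and the 10-minute window are assumptions; the sample lines are a few entries from the post (user-agent strings shortened) plus two constructed benign lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format as it appears in the post (HostnameLookups on, so
# the first field is a reverse-DNS name rather than an IP). Only the fields
# the detector needs are captured; the referer/user-agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: on a stock PS 1.6 webroot only index.php is expected to be
# requested directly as a top-level *.php script.
EXPECTED_ROOT_SCRIPTS = {"/index.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def module_action(entry, admin_dir):
    """Return the module name if the request installs or deletes a module via
    the PS 1.6 AdminModules controller under admin_dir, else None."""
    url = urlsplit(entry["target"])
    if not url.path.startswith("/" + admin_dir):
        return None
    q = parse_qs(url.query)
    if q.get("controller") != ["AdminModules"]:
        return None
    for key in ("install", "delete"):
        if key in q:
            return q[key][0]
    return None


def unexpected_root_script(entry):
    """Return the path if the request hits a top-level *.php file that is not
    an expected entry point, else None."""
    path = urlsplit(entry["target"]).path
    if re.fullmatch(r"/[^/]+\.php", path) and path not in EXPECTED_ROOT_SCRIPTS:
        return path
    return None


def find_suspicious_sequences(lines, admin_dir, window=timedelta(minutes=10)):
    """Flag clients that perform a module install/delete in the back office and
    then get HTTP 200 from an unexpected top-level PHP script within `window`.
    One finding per (client, script) with a request count."""
    by_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_client[e["client"]].append(e)

    findings = []
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        actions = []
        for e in entries:
            name = module_action(e, admin_dir)
            if name:
                actions.append((e["ts"], name))
        hits = {}
        for e in entries:
            script = unexpected_root_script(e)
            if not script or e["status"] != 200:
                continue
            prior = [(ts, name) for ts, name in actions if ts <= e["ts"] <= ts + window]
            if not prior:
                continue
            f = hits.setdefault(script, {"client": client, "script": script,
                                         "module": prior[0][1],
                                         "first_seen": e["ts"].isoformat(),
                                         "requests": 0})
            f["requests"] += 1
        findings.extend(hits.values())
    return findings


SAMPLE_LOG = [
    # Entries from the post's log, user-agent strings shortened.
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:12 +0200] "POST /admin123/ajax-tab.php?rand=1668337335767 HTTP/1.1" 200 1110 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:43 +0200] "GET /admin123/?controller=AdminModules&install=doofinder&tab_module=others&module_name=doofinder&anchor=Doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 200 1155 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:45 +0200] "GET /admin123/?controller=AdminModules&delete=doofinder&tab_module=others&module_name=doofinder&token=02c1b073920cf96f1b62560fc2f0bad5 HTTP/1.1" 302 1190 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:51 +0200] "POST /api_1.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:54 +0200] "GET /api_1.php HTTP/1.1" 200 4479 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:25:57 +0200] "POST /api_1.php HTTP/1.1" 301 4536 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:26:23 +0200] "GET /pl/ HTTP/1.1" 200 42977 "-" "Mozilla/5.0"',
    'spain-sl.ip-ptr.tech - - [02/Aug/2024:12:27:27 +0200] "GET /api_1.php HTTP/1.1" 404 158928 "-" "Mozilla/5.0"',
    # Constructed benign traffic: a shopper, and an admin installing a module
    # without any new top-level script being executed afterwards.
    '203.0.113.5 - - [02/Aug/2024:12:30:00 +0200] "GET /index.php?id_product=1&controller=product HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Aug/2024:13:00:00 +0200] "GET /admin123/?controller=AdminModules&install=blockcart&tab_module=front_office_features&module_name=blockcart&token=0000 HTTP/1.1" 200 1155 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious_sequences(SAMPLE_LOG, "admin123"):
        print(finding)
```

Run against a real log with `find_suspicious_sequences(open("access.log"), "<your admin dir>")`. The module-action check alone is too noisy to alert on (legitimate admins install modules), and an unknown top-level `.php` alone will fire on every scanner probing for webshells; it is the combination, from one client within a short window, that corresponds to the sequence in the post. The 404 and 301 responses to api_1.php are deliberately not counted, so the finding reflects requests the script actually served.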