nvd1210 Posted August 22, 2024 (edited August 23, 2024 by nvd1210)
My site has a problem when a new customer checks out a product. It doesn't happen with a registered account, so I can't know until a customer reports this. Luckily, in my country filling in credit card information is not common. The hacker uses href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" to collect customer payment information. I tried to search for that code in public_html but did not find any clue.

imjulien.dev Posted August 22, 2024
Hello, This file is just a CSS file, which is used for styling the page. It cannot add elements to your page. I encountered a similar issue with a customer, and I used a script to clean the website. You can refer to this post for more details: Have a nice day, Julien

Eolia Posted August 22, 2024
A CSS file can add elements ^^ ex: background-image: url('xxxx-infected');

nvd1210 (Author) Posted August 22, 2024
Like magic, everything was back to normal after I ran /cleaner.php. Thank you very much.

imjulien.dev Posted August 22, 2024
2 hours ago, Eolia said: A CSS file can add elements ^^ ex: background-image: url('xxxx-infected');
Yes, you're right, I forgot that, but in this case, it was the classic Bootstrap CDN.

alex.br Posted August 22, 2024
Like magic, it can return. You should identify the hacking entrance and fix it to protect your customers' data.

nvd1210 (Author) Posted August 22, 2024
4 hours ago, alex.br said: Like magic, it can return. You should identify the hacking entrance and fix it to protect your customers' data.
You are right. I changed the admin password and removed some 3rd-party modules that I suspect. These include the seachreplace module, the protectcontent module, HTMLbox and a module that I don't know and don't remember installing. But I am still not sure if I did enough.

alex.br Posted August 23, 2024
Look into your HTTP logs from before the first hack report. You should find dozens of suspicious HTTP requests that failed with 4xx until some request succeeded in exploitation (this is the entrance that you need to fix, most probably a module). Then you should see many successful requests to a suspicious endpoint (/b2b.php for example); from here you were hacked and everything is possible.

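Added example, not part of any post in this thread: one way to search an access log for the pattern described above, a run of 4xx responses to one client that ends in a 2xx on a PHP script, followed by repeated successful hits. It assumes the Apache/Nginx combined log format; the sample lines, the IP addresses and the module paths are constructed, and `/b2b.php` is only the endpoint named in the post.

```python
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_entry_candidates(lines, min_failures=5):
    """Flag clients whose run of 4xx answers ends in a 2xx on a PHP script."""
    failures = defaultdict(int)   # ip -> consecutive 4xx responses so far
    findings = {}                 # ip -> details of the first success after the run
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines in another format
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?")[0]
        ok_php = 200 <= status < 300 and path.endswith(".php")
        if ip in findings:        # already flagged: count what it reaches afterwards
            if ok_php:
                findings[ip]["later_hits"][path] += 1
        elif 400 <= status < 500:
            failures[ip] += 1
        elif 200 <= status < 300:
            if ok_php and failures[ip] >= min_failures:
                findings[ip] = {"ip": ip, "time": m["ts"], "first_success": path,
                                "failed_before": failures[ip],
                                "later_hits": defaultdict(int)}
            failures[ip] = 0      # a success ends the current run of failures
    return list(findings.values())

# Constructed sample lines (documentation IP ranges, made-up module paths).
def make_line(ip, sec, method, path, status):
    return (f'{ip} - - [10/Aug/2024:03:11:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = [make_line("198.51.100.20", 0, "GET", "/index.php", 200),
          make_line("198.51.100.20", 1, "GET", "/favicon.ico", 404)]
SAMPLE += [make_line("203.0.113.7", 2 + i, "POST", f"/modules/probe{i}/ajax.php", 404)
           for i in range(6)]
SAMPLE += [make_line("203.0.113.7", 10, "POST", "/modules/examplemodule/upload.php", 200)]
SAMPLE += [make_line("203.0.113.7", 20 + i, "GET", "/b2b.php?x=1", 200) for i in range(3)]

if __name__ == "__main__":
    for f in find_entry_candidates(SAMPLE):
        print(f["ip"], f["time"], f["first_success"], f["failed_before"],
              dict(f["later_hits"]))
```

The `first_success` path is the candidate entry point to review, and the `later_hits` paths are files to check on disk.
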
alex.br Posted August 23, 2024
And look here in the forum, you are not alone; there are people being hacked every week at least. PrestaShop users are being pushed, keep alert and updated.

imjulien.dev Posted August 23, 2024
Usually this kind of hack uses a base64-encoded script to inject elements. You should look for the base64_decode function in your PHP files.

Mediacom87 Posted August 23, 2024
Hi, Cleaning up a hacked store quickly is a good thing, but identifying and correcting the flaw that allowed the hacking is better, because if your store was hacked once, it will be hacked again and again, either by the same flaw or by another one. So it is necessary to analyze and correct all this. Some articles to help: https://www.mediacom87.fr/en/post/security/

nvd1210 (Author) Posted August 23, 2024
45 minutes ago, imjulien.dev said: Usually this kind of hack uses a base64-encoded script to inject elements. You should look for the base64_decode function in your PHP files.
Do you mean I can search for the "base64_decode" keyword in all code files in the root directory /public_html?

nvd1210 (Author) Posted August 23, 2024
6 hours ago, alex.br said: Look into your HTTP logs from before the first hack report. You should find dozens of suspicious HTTP requests that failed with 4xx until some request succeeded in exploitation (this is the entrance that you need to fix, most probably a module). Then you should see many successful requests to a suspicious endpoint (/b2b.php for example); from here you were hacked and everything is possible.
Unfortunately the first time it was reported was in May, and my account could not see the form. Now a customer took a screenshot, so I used incognito mode and saw it. The access log and error log can only be viewed back to July.

Eolia Posted August 23, 2024
1 hour ago, imjulien.dev said: Usually this kind of hack uses a base64-encoded script to inject elements. You should look for the base64_decode function in your PHP files.
Cleaner already does this job and is more complete.

nvd1210 (Author) Posted August 23, 2024
14 minutes ago, Eolia said: Cleaner already does this job and is more complete.
If I'm not mistaken, you are the creator of the cleaner script. Thanks for helping many PrestaShop users like me.

alex.br Posted August 23, 2024
Check your files every day after waking up, or automate it, because you will be hacked again soon. The web is full of rats, and your website is smelling like cheese now.

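Added example, not part of any post in this thread and not the cleaner script mentioned above: a sketch of the "automate it" advice combined with the earlier suggestion to look for base64_decode. It records SHA-256 digests of every file under the shop root once, then on each later run reports added, changed and removed files and marks which of the new or changed PHP files call `base64_decode`. The function names and the baseline file location are assumptions.

```python
import hashlib, json, os, re, sys

B64_CALL = re.compile(rb"base64_decode\s*\(", re.I)  # the call the thread says to look for

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """List files added, changed or removed since the baseline was taken."""
    return {"added": sorted(set(current) - set(baseline)),
            "changed": sorted(p for p in current
                              if p in baseline and current[p] != baseline[p]),
            "removed": sorted(set(baseline) - set(current))}

def flag_base64(root, paths):
    """Of the given relative paths, return the PHP files that call base64_decode."""
    hits = []
    for rel in paths:
        if rel.lower().endswith(".php"):
            with open(os.path.join(root, rel), "rb") as fh:
                if B64_CALL.search(fh.read()):
                    hits.append(rel)
    return hits

def daily_check(root, baseline_file):
    """First run: record the baseline, return None. Later runs: return a report.

    baseline_file must live outside root and is never overwritten here, so an
    unreviewed change cannot silently become the new reference.
    """
    current = snapshot(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
        return None
    with open(baseline_file) as fh:
        report = compare(json.load(fh), current)
    report["base64_decode"] = flag_base64(root, report["added"] + report["changed"])
    return report

if __name__ == "__main__":  # usage: check.py /path/to/public_html /path/to/baseline.json
    print(json.dumps(daily_check(sys.argv[1], sys.argv[2]), indent=2))
```

Legitimate shop and module code also calls `base64_decode`, so a flagged file is a prompt for review rather than proof of infection; take the baseline only from a state you trust and delete it to re-baseline after reviewing changes.
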