Hacked & restored but with issues


Bill8g

We got hacked some weeks ago. Google marked us as harmful. Not only that, but other sites I host for some friends also got hacked. The hack was actually a white line on the top of the sites. In that line there were hidden boxes (frames) that lead to other sites. Something like DNS sites etc.

I don't know what it was supposed to do. My friends' sites went down for reconstruction.

The PrestaShop site I need some help with was up and running after my host cleaned it but some files were somehow crashed. The menu letter size was huge and some features I had added by hand (some lines and extra images and banners) were gone.

I fixed the banners and the menu by just dropping in with FTP an old backup.

The site indeed got fixed and it was running fine. But just 10 minutes later the white line appeared again. Again I uploaded the backup but still about 10-20 minutes later the line came back.

As far as I have found the problem is the file: site-domain.com/js/jquery/jquery-1.4.4.min.js

When I remove or rename the file, the white line disappears but also some important features of the site fail.

Is there something I can do to fix that?


I ran Sucuri SiteCheck and it says it is clean. I don't understand.

Is there a fast way to clean it? Some add-on or app or something? The site is huge and I am a starter on web development. Don't know much php/html etc.


it's so easy it's not always obvious...

1. change your ftp password

2. make sure your pc has a decent virus detector

3. using ftp download your root files

4. your antivirus should pick up infected files as they are downloaded via ftp

5. replace infected file with backup or from same version native ps file...

but first change your ftp password...


We changed the FTP pass a few days ago. I do recover an old backup (three months old) and the page fixes itself but a few minutes later the problems reappear for no reason. I scanned the files as you said and they come up clean. I used fully updated AVAST.

ave maria pues (omg)....typically this is from a java file that is infecting the other files..and generally but not always in a module folder...if you can't isolate the file that is re-infecting the other files...well you know what happens....

you could try comparing, using bcompare or another program, your root files with native ps of same version...

you could also just export your shop...rebuild with clean native ps

all in all sorry for your problems...this happened to me in June....sucked


Yeah I thought so. Exporting the catalog and users and making a clean install. But listen to that.

My shop is set up as domain.com/pro/ and it is running 1.4.9

I set up a shop as domain.com/professionals/ with 1.5 and guess what... it got infected!

How the hell can this be true? Just tell me! :blink:


If your problem is coming back like that, more than likely your computer is infected as well. Scan your computer and see if it has a virus. That could be how the virus is getting in. I would clean again, notify my host to get logs and see how the person is getting in. Don't access your cpanel or ftp for a couple days and see if it gets hacked again. Then look at the logs, if someone accessed your cpanel and/or your ftp, then you know they are getting in with your password. If no one does and it is still getting infected, someone has found a hack in prestashop, which is pretty unlikely.

Also, have your host change your user name. More than likely if you are hosted on cpanel your user name is the first 8 letters of your domain name, it makes it easy to guess.

holy crap!...I'd follow dh's advice on the hosting...but if it was me and mine...I'd move hosting....


My host is actually one of the best in Greece. He uses custom cpanel with command lines. With putty or something like that.

I did change my FTP password a few days ago. My PC was formatted 2-3 days ago and it is totally clean. Not only that but other sites that I host in the same host account got infected the same day and everything is down. At the moment the site is running ok.

Update: btw YES sometimes when I extract an old backup AVAST alarms me. But I don't use the files that it alerts me about.


ave maria pues...Medellin, Colombia for OMG...jajajaja....

custom cpanel with putty...

sort of like any system I've ever worked on...works great until someone modifies it...

btw: I am currently writing a ps antivirus module...as I can only sell my current modules to nerds...I want to sell into fear...:)

rock on

elpatron don't misunderstand it. It really works fine. There is nothing more or less that you could ask from it. It is light and safe.

Right now I am checking my backup files and I am finding infected files that I haven't found before. I think I found a way to fix it finally.

Thanks for the support!!! :)


Sorry for double posting. The site works fine now but I am looking for a way to search inside the site's files for these keywords that may hit in the future. I will download them with FTP but is there a way to search for a string inside thousands of files?


What I would do is download the whole site into a folder. Then use a text editor like Sublime Text that allows you to search for text in a folder of files. You can find the string that is bad, and do a find and replace automatically. Just replace the string with nothing. I have used that method several times.

Elpatron.

I actually had a user from this forum ask me to price designing their site. After about a week of back and forth they said it was too high. Then they sent me a msg to ask what a design like this would cost, and sent a url. I went to the url, and was stupid and allowed a java applet. It used a java exploit and stole all of my passwords. The guy basically tried to lock me out of my clients' shops and extort me for designing them a site. It was a grueling 1 hour before I got everything changed, luckily nothing was deleted.

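The folder-wide search suggested above can also be scripted. An added example (not part of the original posts): a Python script that walks the downloaded copy of the site and reports every line containing a keyword you supply, or an invisible iframe like the hidden frames described at the top of the thread. The file-extension list, the iframe pattern and the `scan_tree` name are assumptions.

```python
import os
import re

# Assumed defaults, not from the thread: file types worth scanning and a
# pattern for frames made invisible (0/1-pixel size or hidden through CSS).
TEXT_EXTS = {".js", ".php", ".tpl", ".html", ".htm", ".css"}
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*\\?[\"']?[01](?:px)?\\?[\"'\s>]"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE,
)


def scan_tree(root, keywords=()):
    """Return sorted (relative_path, line_number, reason) hits under root."""
    needles = [k.lower() for k in keywords]
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue  # skip images and other binary files
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # latin-1 never fails to decode, so odd encodings still get scanned
            with open(path, encoding="latin-1") as handle:
                for number, line in enumerate(handle, start=1):
                    lowered = line.lower()
                    for needle in needles:
                        if needle in lowered:
                            hits.append((rel, number, "keyword:" + needle))
                    if HIDDEN_IFRAME.search(line):
                        hits.append((rel, number, "hidden-iframe"))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # usage: python scan_site.py <downloaded_site_folder> [keyword ...]
    for rel, number, reason in scan_tree(sys.argv[1], sys.argv[2:]):
        print(f"{rel}:{number}: {reason}")
```

Run it against the downloaded copy, not the live server, and check each hit by hand before editing, since a legitimate module may use a hidden frame of its own.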

Sorry for double post. This may sound stupid but I haven't been able to use sublime. Can you please give me a quick info on how I find lines? I tried "go to" and "find" but still it doesn't show what I need. I tried some simple find rules like a word I added myself in a tpl file but nothing. :wacko:


Ok by saying "I hate" I mean that I once found it difficult to learn so I turned to easier WYSIWYG solutions.

@Dh42

There really is no way to say enough thanks for your help! I was thinking that no one will help me and this forum is a waste of time but you proved me wrong. Take a look! The problem is that "freewww" line. I was like omg there are so many!

So now I just click them, remove the lines and save. I suppose. Thank you both. I wouldn't make it without you! :)

http://s10.postimage.org/fekvw2w6x/lines.jpg


No problem. With the js files, if you have the original for your theme, I would use those to replace them with. Also it more than likely infected your js folder in the root of your site, I would replace them with the js files from a clean version of the same version of Prestashop.

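The replace-from-a-clean-copy advice above, as an added example (not part of the original posts): a Python script that hashes the downloaded site and an unpacked clean PrestaShop of the same version, then lists files whose contents differ, files the clean copy does not ship, and files that are missing. The function names and folder arguments are assumptions.

```python
import hashlib
import os


def _digests(root):
    """Map each file's relative path under root to its SHA-256 digest."""
    table = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            sha = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    sha.update(chunk)
            table[rel] = sha.hexdigest()
    return table


def compare_with_clean(site_root, clean_root):
    """Classify the downloaded site's files against a clean reference tree."""
    site, clean = _digests(site_root), _digests(clean_root)
    return {
        # same path, different bytes: injected code or your own edits
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # not shipped in the clean copy: themes, uploads or dropped scripts
        "extra": sorted(p for p in site if p not in clean),
        # shipped in the clean copy but absent from the site
        "missing": sorted(p for p in clean if p not in site),
    }


if __name__ == "__main__":
    import sys
    # usage: python compare_clean.py <downloaded_site> <clean_same_version>
    report = compare_with_clean(sys.argv[1], sys.argv[2])
    for kind in ("modified", "extra", "missing"):
        for rel in report[kind]:
            print(f"{kind:9}{rel}")
```

Download over FTP in binary mode, otherwise line-ending conversion makes untouched files show up as modified. Entries under `extra` include legitimate themes, modules and uploads, so review them rather than deleting them wholesale.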

It seems like I have finished with the fixes but there is only one small problem. The images at the bottom fly off the line. (see printscreen here)

That was happening in the beginning (a few weeks ago) and I fixed it somehow but now I can't remember what file I replaced to fix this. And on the other hand I am afraid to move anything there. I feel like the shop is very much unstable. I removed 5 modules that were infected. All the paysafecard and paypal folders were infected and others too. I replaced them with original clean files from prestashop and the theme.

Is there a way to fix the images or even better hide them? That line isn't really important.

Huge thanks!
