Bill8g Posted December 7, 2012
We got hacked some weeks ago. Google marked us as harmful. Not only that, but other sites I host for some friends also got hacked. The hack was actually a white line at the top of the sites. In that line there were hidden boxes (frames) that lead to other sites. Something like DNS sites etc. I don't know what it was supposed to do. My friends' sites went down for reconstruction.
The PrestaShop site I need some help with was up and running after my host cleaned it, but some files were somehow crashed. The menu letter size was huge and some features I had added by hand (some lines and extra images and banners) were gone. I fixed the banners and the menu by just dropping in an old backup with FTP. The site indeed got fixed and it was running fine. But just 10 minutes later the white line appeared again. Again I uploaded the backup but still about 10-20 minutes later the line came back.
As far as I have found, the problem is the file: site-domain.com/js/jquery/jquery-1.4.4.min.js
When I remove or rename the file, the white line disappears but some important features of the site also fail. Is there something I can do to fix that?
Dh42 Posted December 7, 2012
More than likely your files are infected on your site. The last site I cleaned had 1045 infected files.
Bill8g (Author) Posted December 7, 2012
I ran Sucuri SiteCheck and it says it is clean. I don't understand. Is there a fast way to clean it? Some add-on or app or something? The site is huge and I am a starter on web development. Don't know much PHP/HTML etc.
Bill8g (Author) Posted December 11, 2012 (edited)
Can you please help me locate the file that these lines have been injected into? (look picture here) Thanks. My site, as I have said, has been hacked for a few weeks now and it keeps bugging me. Could you please help?
Edited December 11, 2012 by Bill8g
Dh42 Posted December 11, 2012
It looks like it is in your header.tpl file. But without looking through the whole site, it is hard to know what all files are infected.
Bill8g (Author) Posted December 11, 2012
It struck like 4 sites that I host and they are completely down. Do you mind posting the address here? Can anyone please help? I can't stand that thing any more, really!
El Patron Posted December 11, 2012
it's so easy it's not always obvious...
1. change your ftp password
2. make sure your pc has a decent virus detector
3. using ftp download your root files
4. your antivirus should pick up infected files as they are downloaded via ftp
5. replace infected file with backup or from same version native ps file...
but first change your ftp password...
Bill8g (Author) Posted December 11, 2012
We changed the FTP pass a few days ago. I do recover an old backup (three months old) and the page fixes itself, but a few minutes later the problems reappear for no reason. I scanned the files as you said and they come up clean. I used fully updated AVAST.
El Patron Posted December 11, 2012
> We changed the FTP pass a few days ago. I do recover an old backup (three months old) and the page fixes itself, but a few minutes later the problems reappear for no reason. I scanned the files as you said and they come up clean. I used fully updated AVAST.

ave maria pues (omg)... typically this is from a java file that is infecting the other files... and generally but not always in a module folder... if you can't isolate the file that is re-infecting the other files... well you know what happens....
you could try comparing, using bcompare or another program, your root files with native ps of same version...
you could also just export your shop... rebuild with clean native ps
all in all sorry for your problems... this happened to me in June.... sucked
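Added example (not part of the original posts and not PrestaShop code): the comparison El Patron describes, a downloaded copy of the live site checked against a clean copy of the same PrestaShop version, done by hashing both trees. The directory layout and file contents inside `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as handle:
                digests[rel] = hashlib.sha256(handle.read()).hexdigest()
    return digests

def compare_to_clean(live_root, clean_root):
    """Return (modified, added) relative paths, each sorted.

    modified: present in both trees but with different content.
    added: present only in the live tree; themes, extra modules and
    uploads land here too, so each entry needs a manual look.
    """
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    added = sorted(p for p in live if p not in clean)
    return modified, added

def write_file(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)

def demo():
    """Build two tiny constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write_file(root, "js/jquery/jquery-1.4.4.min.js", b"/* jquery */")
            write_file(root, "themes/header.tpl", b"<div id='header'></div>")
        # Constructed tampering: an appended line and an unknown extra file.
        write_file(live, "js/jquery/jquery-1.4.4.min.js", b"/* jquery */\n/* injected */")
        write_file(live, "modules/extra/x.php", b"<?php /* unknown */")
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    print(demo())
```

A hash comparison catches changes that a signature-based scanner reports as clean, because it needs no knowledge of what the injected content looks like.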
Bill8g (Author) Posted December 11, 2012
Yeah I thought so. Exporting the catalog and users and making a clean install. But listen to that. My shop is set up as domain.com/pro/ and it is running 1.4.9. I set up a shop as domain.com/professionals/ with 1.5 and guess what... it got infected! How the hell can this be true? Just tell me!
Dh42 Posted December 11, 2012
If your problem is coming back like that, more than likely your computer is infected as well. Scan your computer and see if it has a virus. That could be how the virus is getting in. I would clean again, notify my host to get logs and see how the person is getting in. Don't access your cpanel or ftp for a couple of days and see if it gets hacked again. Then look at the logs; if someone accessed your cpanel and/or your ftp, then you know they are getting in with your password. If no one does and it is still getting infected, someone has found a hack in prestashop, which is pretty unlikely.
Also, have your host change your user name. More than likely, if you are hosted on cpanel, your user name is the first 8 letters of your domain name; it makes it easy to guess.
El Patron Posted December 11, 2012
> Yeah I thought so. Exporting the catalog and users and making a clean install. But listen to that. My shop is set up as domain.com/pro/ and it is running 1.4.9. I set up a shop as domain.com/professionals/ with 1.5 and guess what... it got infected! How the hell can this be true? Just tell me!

holy crap!... I'd follow dh's advice on the hosting... but if it was me and mine... I'd move hosting....
Bill8g (Author) Posted December 11, 2012 (edited)
My host is actually one of the best in Greece. He uses custom cpanel with command lines. With putty or something like that. I did change my FTP password a few days ago. My PC was formatted 2-3 days ago and it is totally clean. Not only that, but other sites that I host in the same host account got infected the same day and everything is down. At the moment the site is running ok.
Update: btw YES, sometimes when I extract an old backup AVAST alarms me. But I don't use the files that it alerts me about.
Edited December 11, 2012 by Bill8g
El Patron Posted December 11, 2012
ave maria pues... Medellin, Colombia for OMG... jajajaja....
custom cpanel with putty... sort of like any system I've ever worked on... works great until someone modifies it...
btw: I am currently writing a ps antivirus module... as I can only sell my current modules to nerds... I want to sell into fear...
rock on
Bill8g (Author) Posted December 11, 2012 (edited)
> ave maria pues... Medellin, Colombia for OMG... jajajaja....
> custom cpanel with putty... sort of like any system I've ever worked on... works great until someone modifies it...
> btw: I am currently writing a ps antivirus module... as I can only sell my current modules to nerds... I want to sell into fear...
> rock on

elpatron, don't misunderstand it. It really works fine. There is nothing more or less that you could ask from it. It is lite and safe.
Right now I am checking my backup files and I am finding infected files that I haven't found before. I think I found a way to fix it finally. Thanks for the support!!!
Edited December 11, 2012 by Bill8g
Bill8g (Author) Posted December 12, 2012
Sorry for double posting. The site works fine now but I am looking for a way to search inside the site's files for these keywords that may hit in the future. I will download them with FTP but is there a way to search for a string inside thousands of files?
Dh42 Posted December 12, 2012
What I would do is download the whole site into a folder. Then use a text editor like Sublime Text that allows you to search for text in a folder of files. You can find the string that is bad, and do a find and replace automatically. Just replace the string with nothing. I have used that method several times.
Elpatron. I actually had a user from this forum ask me to price designing their site. After about a week of back and forth they said it was too high. Then they sent me a msg to ask what a design like this would cost, and sent a url. I went to the url, and was stupid and allowed a java applet. It used a java exploit and stole all of my passwords. The guy basically tried to lock me out of my clients' shops and extort me for designing them a site. It was a grueling 1 hour before I got everything changed; luckily nothing was deleted.
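Added example, not written by any poster in this thread: searching a downloaded copy of the site for an injected string across every file, and reporting file and line number rather than replacing anything. The hidden-iframe pattern is a heuristic assumed here, and the marker `example-marker` and all sample files are constructed placeholders.

```python
import os
import re
import tempfile

# Assumed heuristic: an <iframe> made invisible (zero size or hidden by CSS).
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?0\b"
    rb"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
TEXT_EXTENSIONS = (".php", ".tpl", ".js", ".html", ".htm", ".css")

def scan_tree(root, markers=()):
    """Return sorted (relative_path, line_number, reason) hits.
    markers are byte strings, matched case-insensitively on raw bytes."""
    lowered = [m.lower() for m in markers]
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXTENSIONS):
                continue  # skip images and other binary files
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as handle:
                for number, line in enumerate(handle, start=1):
                    if HIDDEN_IFRAME.search(line):
                        hits.append((rel, number, "hidden iframe"))
                    low = line.lower()
                    for marker in lowered:
                        if marker in low:
                            hits.append((rel, number, "marker " + marker.decode()))
    return sorted(hits)

def demo():
    """Scan a small constructed tree; every file content is made up."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "header.tpl": b"<div>\n<iframe src='http://placeholder.invalid/' width=0 height=0></iframe>\n",
            "clean.js": b"var a = 1;\nvar f = document.createElement('iframe');\n",
            "tools.js": b"function f(){}\n/* EXAMPLE-MARKER */ var x;\n",
            "logo.png": b"EXAMPLE-MARKER",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return scan_tree(root, markers=[b"example-marker"])

if __name__ == "__main__":
    print(demo())
```

Restoring a flagged file from a clean release of the same version is safer than deleting only the matched line, since a find-and-replace leaves any other change in that file in place.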
Bill8g (Author) Posted December 12, 2012
Really? I didn't know there are editors that can search in folders. I am using Notepad++ btw. I will try it right away and post the results. Thanks Dh42.
Bill8g (Author) Posted December 12, 2012
Sorry for double post. This may sound stupid but I haven't been able to use Sublime. Can you please give me a quick info on how I find lines? I tried "go to" and "find" but still it doesn't show what I need. I tried some simple find rules like a word I added myself in a tpl file but nothing.
El Patron Posted December 12, 2012
get dreamweaver... 30 day free... it's bomb
Bill8g (Author) Posted December 12, 2012
> get dreamweaver... 30 day free... it's bomb

You mean for building a website? I hate it! Really.
El Patron Posted December 12, 2012
> You mean for building a website? I hate it! Really.

it's not healthy to hate inanimate objects.
Dh42 Posted December 12, 2012
With Sublime go to find and at the bottom it says "In files"; it brings up a bar at the bottom that looks like this: http://screencast.com/t/wiS3fft9GBOP
Bill8g (Author) Posted December 12, 2012
Ok, by saying "I hate" I mean that I once found it difficult to learn so I turned to easier WYSIWYG solutions.
@Dh42 There really is no way to say enough thanks for your help! I was thinking that no one would help me and this forum is a waste of time but you proved me wrong. Take a look! The problem is that "freewww" line. I was like omg they are so many! So now I just click them, remove the lines and save. I suppose. Thank you both. I wouldn't have made it without you!
http://s10.postimage.org/fekvw2w6x/lines.jpg
Dh42 Posted December 12, 2012
No problem. With the js files, if you have the originals for your theme, I would use those to replace them with. Also, it more than likely infected your js folder in the root of your site; I would replace them with the js files from a clean version of the same version of Prestashop.
Bill8g (Author) Posted December 12, 2012
Is it possible that while I update the files, some infected ones will go infect clean ones? Like a chain reaction I mean. I am saying that because more than one site was infected. (4 sites are down right now)
Dh42 Posted December 12, 2012
What version of PS are you using by the way? They should not; it doesn't look like they are trying to write to each other.
Bill8g (Author) Posted December 12, 2012 (edited)
I am using 1.4.9
Edited December 13, 2012 by Bill8g
Bill8g (Author) Posted December 13, 2012
It seems like I have finished with the fixes but there is only one small problem. The images of the buttom fly off the line. (see printscreen here) That was happening in the beginning (a few weeks ago) and I fixed it somehow but now I can't remember what file I replaced to fix this. And on the other hand I am afraid to move anything there. I feel like the shop is very much unstable. I removed 5 modules that were infected. All the paysafecard and paypal folders were infected and others too. I replaced them with original clean files from prestashop and the theme.
Is there a way to fix the images or even better hide them? That line isn't really important. Huge thanks!
Dh42 Posted December 13, 2012
More than likely you are having a js/ajax problem too. What happens when you add an item to the cart, does it animate like normal or does it reload the page?
Bill8g (Author) Posted December 13, 2012 (edited)
It animates.
Edited December 13, 2012 by Bill8g
Bill8g (Author) Posted December 14, 2012
Update: I have tried a loOOot of files but nothing can fix it. Is there a way to put some "//" that - as far as I know - they are used for not using lines? But at what file?
Dh42 Posted December 14, 2012
I don't understand what you mean.
Bill8g (Author) Posted December 14, 2012
I thought that a file is damaged and I replaced a lot of files trying to fix it but still nothing.
Dh42 Posted December 14, 2012
More than likely it is your product.tpl file. Does the page generate a javascript error?
Bill8g (Author) Posted December 14, 2012
I don't see it generating any error. Do you mind posting the URL? I'm really sorry I don't know much.