Prestashop 1.4.5.1 hacked

[NeilD]

My prestashop site has been hacked and a bunch of random links have appeared on the home page for viagra..... nice.

 

I had to reset my password so I assume they managed to get in via the prestashop install not the Server.

I've changed my passwords the admin url i re-generated the htaccess file and I'm currently checking the server for malware/virus'.

I've searched the mysql database for the term http:// on its own, as well as the full url of the links i want removed (which i won't post here for obvious reasons).

I've also downloaded and searched the whole public_html folder and searched through that.

 

I can't seem to find where the links are coming from. They only appear on the home page of the site any ideas and help very welcome

 

Many Thanks

Neil

[cocothecat]

Is that folder set to 777 ? Something has let them get in. You can contact your host they maybe able to offer support and its good practise to alert them as your site might not be the only one hacked.

[tomerg3]

There are some malwares that sit on your local computer and add ads to any website, those are often confused with a real server side hacks.

 

Can you post a link to the site? did you see if any files on the server have been touched?

[NeilD]

@cocothecat

I have contacted my host, they are checking into it as well but as i say I can't see any obvious malware myself. My public_html is set to 750.

 

@Tomerg3

I've checked the site on two different computers and the links appear on both so i believe its on the website.

The site url is https://www.mypinkelephant.co.uk The links appear just before the closing body tag.

 

I've also disabled and re-enabled all the plugins the site uses but the links remain and switched to the standard theme but to no avail.

 

I was originally called to look at the site after a customer complained that they couldn't connect to paypal. Paypal plugin seems fine but i guess it might somehow be connected.

[cocothecat]

Are they there? as I cant see them before the closing body tag? what was the last module to be added / changed or updated?

Edited March 22, 2013 by cocothecat (see edit history)

[NeilD]

They are there yes, after the <div id="page"> closes and before the </body> have tested this on 2 different Macs in chrome FF safari and opera.

the links float to the right of the slider if your monitor is wide enough.

[cocothecat]

27" widescreen... cant see them in the source or on the page. Give a link example?

[NeilD]

Copied from firebug

<div id="page">.....</div>

<a href="http://genericviagraonlinenvi.com">generic viagra</a>

<a href="http://mypinkelephant.co.uk/ylobflorenenceombudsman/the-journal-of-bone-and-joint-surgery-inc-sash.html">The journal of bone and joint surgery, inc</a>

 

appears on my android phone as well

[tomerg3]

Looks fine to me too http://screencast.com/t/FI8V2Ob4deRA

[NeilD]

Also just checkd it in a virtual machine running vista same thing

[cocothecat]

100% not there for me.... This module

<!-- wozia custom module : SocialMod -->

 

Inserts html /html again into the page, if you solve that I think it might remove whatever your seeing, but I honestly can't see any outside links or nothing

[NeilD]

that screen shot only shows the top of the screen, the links appear at the bottom of the code can you see it there?

[NeilD]

actually when i bring up the source with cmd u in firefox the link appears after the closing html tag Tabbed quite far to the right.

 

Thank you for helping me with this by the way

[cocothecat]

thats what i see

 

The code

 

<!-- MODULE JQuerySlider Galery -->
<!-- www.tiendasvirtuales.com.ve -->
<script type="text/javascript" src="/modules/jqueryslider/js/easySlider1.5.js"></script>
<link rel="stylesheet" type="text/css" href="/modules/jqueryslider/css/jqueryslider.css" />
<div id="container">
 <div id="slider">



	    <a href='/category.php?id_category=1'><img src='/modules/jqueryslider/en0.jpg'alt="" class="active" /></a>


	    <a href='/category.php?id_category=1'><img src='/modules/jqueryslider/en1.jpg'alt="" class="active" /></a>


	    <a href='/category.php?id_category=1'><img src='/modules/jqueryslider/en2.jpg'alt="" class="active" /></a>


	    <a href='/category.php?id_category=1'><img src='/modules/jqueryslider/en3.jpg'alt="" class="active" /></a>



   </div>
</div>
<script type='text/javascript' id='slider'>
$(function() {
$("#slider").easySlider()
  });
</script>
<!-- /MODULE JQuerySlider Galery -->

<!-- Module Editorial -->
<div id="editorial_block_center" class="editorial_block">

<h1>Welcome to My Pink Elephant</h1>
 <h2>My Pink Elephant offers quality goods hand sourced from the far east.</h2>
 <div class="rte"><p>
Here you will find Shawls, Trinket boxes, jewellery and beautiful hand crafted ornaments.
<br>
All of the products found at My Pink Elephant are fair trade .
</p>
<p> If you have any questions or queries please contact us <a href="/contact-us">here</a> or email us at:
</p><h3>
<a href="mailto:[email protected]">[email protected]</a>
</h3>
<p>or call</p>
<h3>07943868211 </h3>
</div>
</div>
<!-- /Module Editorial -->

</div> <!--heightspacer-->
<!-- Right -->
   <div id="BottomHook" class="column">

<div class="advertising_block">
<p><a href="https://www.mypinkelephant.co.uk/modules/paypal/about.php" rel="nofollow"><img src="/modules/paypal/img/vertical_US_large.png" alt="PayPal" title="Pay with PayPal" /></a></p>
</div><!-- wozia custom module : SocialMod -->
<div id="socialmod" class="block">
<html>
<h4> Follow us </h4>
  <ul id="social">

  <li class="button facebook">
  <a href="http://www.facebook.com/pages/My-Pink-Elephant/153659358068842" target="_blank" title="Our Facebook Profile"> </a>
  </li>

  <li class="button linkedin">
  <a href=" http://uk.linkedin.com/pub/paula-martin/2a/a65/750 " target="_blank" title="Our LinkedIn Profile"> </a>
  </li>

  <li class="button twitter">
  <a href="https://twitter.com/#!/MyPinkElephant_" target="_blank" title="Our Tweets"> </a>
  </li>
  </ul>

</html>
</div>
<!-- /wozia custom module --><!-- Lastest post -->
<!-- /Lastest post -->
<!-- Blog categories -->
<!-- /Blog categories -->
<!-- Blog tags -->
<!-- /Blog tags -->
   </div>

<div class="clear"></div>
<!-- Footer -->
  <div id="footer">
  <!-- Block footer links module -->
<div class="blockfooterlinks" id="blockfooterlinks">
<ul>
  <li class="first_item"><a href="http://www.mypinkelephant.co.uk/content/1-delivery">Delivery</a></li>
    <li class="item"><a href="http://www.mypinkelephant.co.uk/content/2-accessibility">Accessibility</a></li>
    <li class="last_item"><a href="http://www.mypinkelephant.co.uk/content/3-terms-and-conditions">Terms and Conditions</a></li>
   </ul>
</div>
<!-- /Block footer links module -->
  <div style="text-align:right; margin: 0 auto; width: 755px; "> <a target="_blank" href="http://www.clockworkmoggy.com"> <img style="padding:0 10px 0 0; margin:0; float: right;" src="http://www.clockworkmoggy.com/images/WebSignatureW.png" alt="Clockwork Moggy"> </a> <p style="padding:0 5px 2px; margin:0;font-size:12px; float: right;">Designed By </p> </div>
  </div>
 </div>
 </div>

</body>
</html>

[tomerg3]

Make sure we are looking at the correct URL, as all the links look good.

 

http://screencast.com/t/oj3stWnhXIm5

[cocothecat]

try and remove or disable the Wozia Social Mod. Does your phone pick up the urls if you visit it via the mobile network and not through your local wifi?

[NeilD]

I edited the socialmod so that it doesn't have extra HTML in it and disabled it for now.

 

I see links on

http://www.mypinkelephant.co.uk/

&

https://www.mypinkelephant.co.uk/

on 3 computers and mobile phone (not connected to the network)

 

Thank you both for the screencasts. I'm confused

[NeilD]

ok checked it on a second mobile and no links appear. Does that mean it must be the router/network?

[Bill Dalton]

No links here in Canada.

[NeilD]

Thanks Bill, I'm guessing that it must be my network.

I'm the technical support for my family and friends so people do bring "infected" computers to me and although I'm very careful i guess it is possible that i've caught a virus.

Whats odd is that I have only noticed these links appear on one website. You would think if it were a network infection these sort of things would appear everywhere.

[NeilD]

As unlikely as it seems the Malware was hiding on my router a reset and re-install sorted it. Still seems fishy but all is good so this topic can be closed

[core-]

As unlikely as it seems the Malware was hiding on my router a reset and re-install sorted it. Still seems fishy but all is good so this topic can be closed

I've never heard of infected router.

Did you leave generic user/password for the router access? If so then someone could change DNS, but i can't see how could a malicious code inside router, embed links onto webpages (nor can i see how could malicious code be injected in router's ram in the first place).