Zenhs Posted January 29, 2014

An email I received from my webhost last night:

We have received the following PHISHING complaint in reference to an IP hosted on your server. A copy of the complaint is listed below or attached to this ticket for your review. The account associated has been terminated by our security team immediately as this violates state and federal law and is in direct violation of your TOS and AUP. Please update this ticket when you have reviewed the content in question and provide a detailed statement as to the purpose of the website. A second repeat of publishing phishing content may result in permanent termination and legal action. Upon receiving update we will reactivate the web hosting account in a brand new state. We thank you in advance for your quick action and cooperation.

iogjzzc/xuxmrrdsmcf.fbtvavxnqbptavgvamlaebmgc

---------

Prestashop version 1.5.6.0

My webhost kindly restored the website so I could investigate what happened. I found and deleted 4 folders, e.g. iogjzzc, and the .htaccess files which redirected to a diet pills website. These folders were created on 2013-12-27 11:47 and 2013-12-23 22:12. Log files before the 29th have been deleted, not sure how. I would be very grateful for any help finding out how this happened.
El Patron Posted January 30, 2014

1. Change all FTP passwords; it is very common that this is how your shop was modified.
2. Review folder/file permissions; this is another popular way in, where files have permissions allowing a non-owner of the file to change it.

I have a new module for your review; when these sorts of hacks, malware or viruses are put in your shop the module will alert you. http://www.prestashop.com/forums/topic/303132-module-prestavault-malware-monitor-alerts-file-manager/
Zenhs Posted January 30, 2014 (Author)

Thanks for the reply. I changed FTP passwords etc. just in case. File and folder permissions all seemed fine. I just wish I could figure out how it happened :( At the time of the intrusion it was a default install of PrestaShop on a sub-domain no one should have known about, and no added modules. I tried a few free online security audits and they weren't able to spot any problems either, so it's not looking like I'll ever find out how this happened. Maybe I just have to keep a close eye on the logs so I spot it next time. Anyway, I had a look at your module; not keen on the price ;) but it's probably vital. I'm going to give it some serious thought. Thanks again.
El Patron Posted January 30, 2014

I got hacked June 2011. I, like you, wanted to know what happened, but more importantly to be notified of file changes to my shop. Day to day your shop files do not change, so they are easy to monitor. Now you have no clue when your files are changed, and you really won't know until a search engine tells you. That is not good enough. We think the price is extremely reasonable, five months of development and testing, considering 1) what it does, 2) how much money a business loses being marked as malicious.
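The two points above (shop files do not change day to day, so a change is the signal; and the opening post's symptom of freshly created directories holding .htaccess files that redirect visitors elsewhere) can be checked with a small baseline-and-diff script. The example below is added here and is not from the thread, from PrestaShop, or from the module El Patron mentions. It hashes every file under a webroot, compares a later scan against the stored baseline, and for each new or changed .htaccess reports redirect targets on hosts other than your own. The webroot, file names and hosts in `demo()` are constructed for illustration.

```python
"""Added example: file-integrity baseline for a shop webroot plus a check
for .htaccess redirects to foreign hosts. Not code from the thread or
from PrestaShop; the sample tree built in demo() is constructed."""
import hashlib
import json
import os
import re
import tempfile

# Apache directives that send visitors elsewhere. An absolute http(s)
# target on a host you do not own, inside a directory you did not
# create, is the pattern the opening post describes.
REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+.*?(https?://([^/\s]+))",
    re.IGNORECASE | re.MULTILINE,
)


def sha256_file(path):
    """Hash a file in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, removed, changed


def external_redirects(htaccess_text, own_hosts):
    """Hosts named by redirect directives that are not in own_hosts."""
    return [m.group(2).lower() for m in REDIRECT_RE.finditer(htaccess_text)
            if m.group(2).lower() not in own_hosts]


def scan(root, baseline, own_hosts):
    """Diff the tree against the baseline and inspect new/changed .htaccess files."""
    current = build_manifest(root)
    added, removed, changed = diff_manifests(baseline, current)
    findings = []
    for rel in added + changed:
        if os.path.basename(rel) == ".htaccess":
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
                hosts = external_redirects(f.read(), own_hosts)
            if hosts:
                findings.append((rel, hosts))
    return {"added": added, "removed": removed, "changed": changed, "redirects": findings}


def demo():
    """Constructed webroot: take a clean baseline, then plant the kind of
    directory and .htaccess the opening post found, and rescan."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php // shop front\n")
    # The shop's own legitimate rewrite to its own host is not a finding.
    with open(os.path.join(root, ".htaccess"), "w") as f:
        f.write("RewriteEngine on\nRewriteRule ^shop/(.*)$ https://shop.example.test/$1 [R=301,L]\n")
    baseline = build_manifest(root)  # in practice: store this off-server

    os.makedirs(os.path.join(root, "iogjzzc"))
    with open(os.path.join(root, "iogjzzc", ".htaccess"), "w") as f:
        f.write("RedirectMatch 301 ^.*$ http://pills.example.invalid/\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// tampered\n")
    return scan(root, baseline, {"shop.example.test"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest (and the script itself) somewhere the web server's account cannot write, and run the scan from cron, since a compromise of the shop's FTP or file permissions would otherwise let the same attacker update the baseline. Legitimate changes (PrestaShop upgrades, module installs, uploaded product images) show up as added or changed files and are the moment to re-baseline.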
indus Posted January 30, 2014

Are you on a VPS you manage yourself? Or is it shared hosting?
peter4661 Posted March 1, 2014

Hacker (email address in screencast attachment) did get access to our CMS, disabled online payment options, changed bank info. Customers placing an order with 'pay by bank transfer' did get the hacker's bank number. Hacker removed the admin employee; table ps_employee was deleted, and all server backups. Now unable to access back office. We followed all the advice in this column and found the hacker's bridge and backdoor plugin. Not sure if we are out of the danger zone yet. Now trying to recover back office access. We are on a dedicated server. We have backup PS 1.5.6.0 ps_employee.sql. Now on PS 1.5.6.2. Having little knowledge in this field, I have a question. When we import this, will this recreate the ps_employee table? Happy with any help, Peter http://screencast.com/t/xLRBcaKvBBGt
vekia Posted March 1, 2014

If you've got SQL code to create the ps_employee table, yes, you can do it. You will restore the ps_employee table; then you will be able to create an admin account.
peter4661 Posted March 3, 2014

Quoting vekia: if you've got sql code to create ps_employee table - yes, you can do it. you will restore ps_employee table. then you will be able to create admin account

Following vekia's advice, I could re-create the ps_employee table. However, I cannot log in to the back office. Given login name and password, the screen seems to refresh. Request for a new password gives an error warning (parse error); a new password is sent. Login at the back office with the new password is not possible. Also, the problem that the hacker's bank information is sent with the screen and e-mail confirmation persists. I searched the database for traces of the hacker's bank information, but they were not found. I searched and came across this error message:

*ERROR* 2014/03/03 - 06:32:57: Invalid id_module or hook_name at line 402 in file classes/Hook.php

What would be the best approach to resolve these issues? Thank you, Peter www.derks-wielersport.nl