Madman_CZ Posted August 4, 2014 (edited)
Hi everyone, yes, that's right, it is one of those pleeeaaase help me posts. I usually don't do this kind of thing as I try to sort out things myself buuuuuut, the time has come where I could use some advice from you regarding my recent hacking.
Now, this kind of thing has happened before, where my store was compromised and code was inserted into my pages. I have been able to clear things up pretty quickly, getting rid of the code that was inserted in the past. However, the recent hacking has left me at a loss. I just don't know where the malicious code is inserted and I don't know a way to find it. The reason I know it is there is that if I browse my store, my store connects to other pages, for example www.decktech.com, which can be seen in the bottom left corner of my Mozilla browser as it loads a page. Also, it is very slow browsing the admin and front end of my store.
I would really like your help in identifying the infected files. I have not uploaded or changed anything in my store for months, so it cannot be something which I have personally loaded into PrestaShop. I just can't find the inserted code anywhere, but I know it is there. Can someone recommend a way to identify the problematic files? I've tried downloading the whole store and scanning it with my antivirus but no luck, it says it is clean.
My store is www.kendesign.cz
Thank you in advance for any tips
Pete
Dh42 Posted August 4, 2014
It looks like the issue is coming from your http://www.svicky-zapalky.cz/js/jquery/jquery-1.7.2.min.js and http://www.svicky-zapalky.cz/js/jquery/plugins/jquery.easing.js
I would back those files up by renaming them to something else, then I would upload the ones that came with your version of PrestaShop to the server to replace them. At the same time I would also regenerate the htaccess file.
There have not been any known exploits of back doors in PrestaShop for as long as I can remember, so I would also advise changing your hosting account login information. That is more than likely how they got in.
Madman_CZ (Author) Posted August 6, 2014 (edited)
Hi, thank you for your reply. I have replaced your suggested files, in fact, I have replaced the whole folder "js", but still my store is throwing a link to www.decktech.com. I don't get where this piece of code could be.
One thing I have noticed: on my home page, the left category menu is all unfolded (uncollapsed), before it was collapsed. Maybe this has something to do with the inserted code? I would be glad if you could again check to see if the piece of malicious code is inserted anywhere else. Thank you!
Regards
Pete
El Patron Posted August 6, 2014
If you feel that the shop still has malicious code, typically that code can be identified by downloading (using FTP). This requires an up-to-date anti-virus program on your local machine. This would in most cases identify any hacked code.
Tip: change FTP password(s) and review all folder and file permissions. Typically a good setting for most hosts is 775 for folders, 644 for files and 664 for .htaccess.
After you have found/removed malicious code, reviewed/fixed any file permission issues and changed FTP passwords, review my module that will monitor your shop files and allow for restore of individual files, PrestaVault.
acc_azteca Posted August 6, 2014
I think the easiest way to find the modified file is, using the Linux terminal, to install ack, then go to your PrestaShop directory and type "ack 'www.decktech.com'". This will return any file in which the program found the string www.decktech.com. Then, after having a list of the corrupted files, you can restore them to their original state.
Madman_CZ (Author) Posted August 7, 2014
Hi, thanks for your suggestions. Is it possible to use ack without admin rights to the main server? My hosting provider only gives me certain permissions within my hosting space. Is it possible to install it in Windows, then download the site and scan the folder with the downloaded shop files?
Regarding the antivirus scan, I have downloaded the whole site but my Eset Internet Security has not picked it up. It did before with my previous intrusion last year but not this time. This is why I am kinda lost as to where to look. Thanks for more info on ack.
Pete
acc_azteca Posted August 7, 2014
Yes, as far as I know ack doesn't require admin rights, but I don't know if it is installed on your server. If it isn't, you should be able to install it on Windows.
acc_azteca Posted August 7, 2014
If it isn't installed you can use grep too. The command would be something like grep -r "www.decktech.com" /path/of/your/site
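Added example (not part of any post in this thread): a shell script for the two searches discussed here, a literal search for the domain and a comparison of the downloaded shop against an unmodified copy of the same PrestaShop version, which also flags files that never spell the domain out. The directory layout, file names and file contents are constructed sample data, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; all paths and file contents below are constructed samples.

# Literal search: list files containing STRING (-F treats the dots literally).
find_string_hits() {    # usage: find_string_hits DIR STRING
    grep -rlF -- "$2" "$1" | sort
}

# Baseline comparison: list files in SHOP_DIR that differ from, or do not
# exist in, CLEAN_DIR (an unmodified copy of the same shop version).
find_changed_files() {  # usage: find_changed_files CLEAN_DIR SHOP_DIR
    (cd "$2" && find . -type f | sort) | while IFS= read -r rel; do
        if [ ! -f "$1/$rel" ]; then
            echo "ADDED    ${rel#./}"
        elif ! cmp -s "$1/$rel" "$2/$rel"; then
            echo "MODIFIED ${rel#./}"
        fi
    done
}

# Constructed sample: a clean tree and a tampered copy of it.
make_sample() {         # usage: make_sample WORKDIR
    mkdir -p "$1/clean/js" "$1/shop/js" "$1/shop/img"
    echo 'function easing(){}' > "$1/clean/js/jquery.easing.js"
    echo '<?php /* index */'   > "$1/clean/index.php"
    cp "$1/clean/index.php" "$1/shop/index.php"
    # Modified file with the domain in plain text: both methods find it.
    echo 'function easing(){} var s="http://www.decktech.com/";' \
        > "$1/shop/js/jquery.easing.js"
    # Extra file that assembles the domain from pieces: grep misses it.
    echo 'var h=["www","decktech","com"].join(".");' > "$1/shop/img/cache.js"
}

work=$(mktemp -d)
make_sample "$work"
echo "== files containing the string =="
find_string_hits "$work/shop" "www.decktech.com"
echo "== files differing from the clean copy =="
find_changed_files "$work/clean" "$work/shop"
rm -rf "$work"
```

When the two functions are pointed at a real download, the clean copy has to be the same PrestaShop version as the shop; modules, themes and uploads you added yourself will be listed as ADDED and need a manual look.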
El Patron Posted August 7, 2014
> Hi, thanks for your suggestions. Is it possible to use ack without admin rights to the main server? My hosting provider only gives me certain permissions within my hosting space. Is it possible to install it in Windows, then download the site and scan the folder with the downloaded shop files?
> Regarding the antivirus scan, I have downloaded the whole site but my Eset Internet Security has not picked it up. It did before with my previous intrusion last year but not this time. This is why I am kinda lost as to where to look. Thanks for more info on ack.
> Pete
I checked your shop and did not see the link. Can you post the page with the link please?
Bill Dalton Posted August 7, 2014
Also, if you have downloaded the site you can scan it locally using http://www.wingrep.com/, a free program.
Madman_CZ (Author) Posted August 8, 2014 (edited)
Hi, thanks for your reply. See attachment, there are elements missing in my shop that were there before the link started to appear. Also, in the back office there are things that no longer function correctly, e.g. the filter under products. Something is affecting the code somewhere, as there are things in my store that no longer work properly. Thanks for the grep tip, I will try that today. I hope to find it.
The link displays in your browser when you browse my store; it keeps saying "waiting for decktech.org" before it loads any page.
Regards
Pete