chahidkhan, posted September 15, 2014 (edited):
Hello, yesterday someone hacked my index.php file and uploaded a page that shows his email with text that said "hacked by ...". Now I have fixed the problem and all works fine. Can you help me protect my site for next time? Thanks in advance.

vekia, posted September 15, 2014:
Hello, do you use some other CMS like WordPress / Joomla on the same hosting?

chahidkhan (Author), posted September 15, 2014:
No, only PrestaShop installed!

vekia, posted September 15, 2014:
Have you got access to the Apache access log file? I'm really interested in this case because of the security of the whole PrestaShop engine. Are you on shared hosting or on VPS / dedicated?

vekia, posted September 15, 2014:
btw. have you hired someone recently and granted access to FTP / back office? Also, are the passwords for your back office and FTP service easy to break with rainbow tables? A rainbow table is a list of easy passwords like "qwerty1234", "1234567890" etc. This is why it is worth using passwords with special characters, captions etc.

chahidkhan (Author), posted September 15, 2014 (edited):
I'm on shared hosting, and I always use difficult passwords like SH125...jdh/*/, and I didn't give anyone access to my FTP or administration. The hacker didn't get access to anything because he changed only index.php, and my passwords are still the same and not changed! Everything works fine after restoring the index.php file!!

chahidkhan (Author), posted September 17, 2014:
Hi, after contacting my hosting company I got some information about the bug:

After investigating this report, we found that an improperly secured file upload script on the account was exploited and used to upload malware. This script does not properly verify uploaded file types and/or content prior to saving the file. We have removed all of the malicious content from the account. We recommend updating this script to the latest version which may include security updates designed to prevent this type of abuse.

Please keep in mind that it is your responsibility to ensure the security of your account(s). If we detect another account compromise or you request for us to scan the account for malware within 6 months of this notification, we reserve the right to assess an Account Cleanup fee before performing any scans or removing malware from the account. In cases where a 3rd party reports malicious content or actions to us, we also reserve the right to disable the site to protect the integrity of our network.

============TIMESTAMPS=============
File: `/home2/unlockon/public_html/upload/x.php'
Size: 150 Blocks: 8 IO Block: 4096 regular file
Device: 811h/2065d Inode: 62653810 Links: 1
Access: (0644/-rw-r--r--) Uid: (32934/sitename) Gid: (32936/sitename)
Access: 2014-09-16 06:22:40.954135836 -0500
Modify: 2014-09-14 16:10:36.345366860 -0500
Change: 2014-09-14 16:10:36.345366860 -0500
============ACCESS LOG=============
114.79.0.1 - - [14/Sep/2014:16:10:35 -0500] "POST /modules/blocktestimonial/addtestimonial.php HTTP/1.1" 200 11840 "http://agussugiharto.net/wp-content/tes.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
===========CLEANED FILES===========
removed `/home2/sitename/public_html/upload/an.php'
removed `/home2/sitename/public_html/upload/x.php'
removed `/home2/sitename/public_html/upload/535135801b94et.txt'
=========OUTDATED SOFTWARE=========
Vulnerable Applications:
========================================
Prestashop :: 1.5.4.0 :: /home2/sitename/public_html

As I see it, he exploited the testimonials module to upload his file?? Now I have removed this module from my site.

Best regards!

bellini13, posted September 17, 2014:
Is this a module packaged with PrestaShop? I can't seem to locate this module in PS v1.5 or PS v1.6.

chahidkhan (Author), posted September 17, 2014:
Not packaged with PrestaShop. I found this module here in the forum in free modules and I installed it on my site.

El Patron, posted September 17, 2014:
For future awareness, I have a little module that will tell you when a file has been modified, including permission level, and allows you to roll back the change: http://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

Tip: after you have this experience, make sure to change 'all' FTP passwords and check that your folder/file permissions are not too low.

bellini13, posted September 17, 2014 (edited):
Always good advice from Fred. In this case however, the module being used has a security flaw unrelated to FTP passwords and permissions. The flaw may have even been designed intentionally by the module author... Lesson learned hopefully... Free modules? Not so free perhaps. Might be a good idea to identify the forum topic that has this free module and remove it... what do you think?

El Patron, posted September 17, 2014:
If 'free module' and not in vekia's pinned list of 'trusted' free modules, then don't use it. If you do, ensure that others have had a good experience. Any solution forum topic that doesn't have anything but thanks responses should be avoided. Again, only use modules that rock.

btw: it's not really your fault, PS module distribution on the forum is horrible. 'All' other CMSes have a central place where they can be rated and remarked on, independent of the official forum. So this leads to 'da shit' being accessed by the unsuspecting. Please provide a link to where you obtained any suspect module for internal 'investigation'.

chahidkhan (Author), posted September 17, 2014:
You can find the module here: (removed by moderator). I don't remember exactly where I found the link before; now I searched in Google and found it again. I have deleted it from my site, it is very dangerous!! Thank you all for your interest.

El Patron, posted September 17, 2014:
> You can find the module here: (removed by moderator). I don't remember exactly where I found the link before; now I searched in Google and found it again. I have deleted it from my site, it is very dangerous!! Thank you all for your interest.

I emailed the developer with the forum link. I removed the link, as we can only take your word that this is the issue. Thanks, el

bellini13, posted September 17, 2014:
So you left a possibly flawed free module available in the forums while this is researched?

El Patron, posted September 17, 2014:
> So you left a possibly flawed free module available in the forums while this is researched?

It's not on the forum, it's on a 3rd party site with good reputation. Nor do I or can I discuss how things might get moderated. Michael, did you replicate the original poster's result with this module? I have not had the time to review myself.

bellini13, posted September 17, 2014:
Ah, I was under the impression the module was provided in the free modules forum. I don't have the module to try to replicate the issue, but the details provided by the hosting company are pretty clear.

El Patron, posted September 17, 2014:
> Ah, I was under the impression the module was provided in the free modules forum. I don't have the module to try to replicate the issue, but the details provided by the hosting company are pretty clear.

http://www.prestashop.com/forums/topic/70089-free-module-testimonials-manager/

WebMadeFun, posted September 27, 2014:
Hi all! Great forum and help! I just created my account in order to be able to post in this topic. Unfortunately, I have to confirm the issue. PrestaShop 1.5.6.2 with the same module used, hacked a few hours ago (check the screenshot http://prntscr.com/4qu73p) by Indonesian haxor. I resolved the issue almost immediately by replacing the index.php and, after reading this topic, I located and removed the an.php that was located at public_html/uploads root.

El Patron, posted September 27, 2014:
> Hi all! Great forum and help! I just created my account in order to be able to post in this topic. Unfortunately, I have to confirm the issue. PrestaShop 1.5.6.2 with the same module used, hacked a few hours ago (check the screenshot http://prntscr.com/4qu73p) by Indonesian haxor. I resolved the issue almost immediately by replacing the index.php and, after reading this topic, I located and removed the an.php that was located at public_html/uploads root.

The module was removed by a moderator on September 17, 2014... we contacted the poster, no response. In the future, do not load free modules that are not supported or that are 'not' in vekia's list of proven solutions or from official addons.

sicompqro, posted September 28, 2014:
> The module was removed by a moderator on September 17, 2014... we contacted the poster, no response. In the future, do not load free modules that are not supported or that are 'not' in vekia's list of proven solutions or from official addons.

Hi, I sent you a P.M. about this, but now it is clear to me: the module is high risk. Thank you.

siomosp, posted December 23, 2014 (edited):
Hello, the same happened to me... The free testimonial module allows uploading of PHP scripts. Someone uploaded an.php in my case..., fixed fast by re-uploading index.php. I hope he didn't get critical information. If someone knows what the hacker can get, or what I have to change in my passwords, please advise. I kept the PHP file. It is a cPanel + FTP cracker....

bellini13, posted December 23, 2014:
Hard to say what they can get without knowing what the index.php was updated with. But assume that if they went that far to upload a script using a security hole in the module, it is likely that they grabbed your database username/password and potentially exported the data in your database. That means they may have your customer data, and a severe privacy issue... I would change your passwords for your cPanel, database, FTP and back office etc...

siomosp, posted December 23, 2014:
Thanks a lot for the suggestions!

vekia, posted December 23, 2014:
Do you remember what kind of PHP script they uploaded? I bet that it was some webshell like wso.

siomosp, posted December 23, 2014:
Hi, in case you want to take a look, I have it.

vekia, posted December 23, 2014:
If it is possible, send it to me, you know my mail :-) Do you also have some logs where you have the IP address of this script-kiddie?

El Patron, posted December 23, 2014:
If you have up-to-date anti-virus on your local computer, then download your files using FTP; this will help identify the hack. Note: this is typically a .js file, so if you fix index.php then it will just be updated again.

Another tip: using FTP, look at your files and see what has been recently modified, especially the /js folder.

siomosp, posted December 23, 2014 (edited):
> If it is possible, send it to me, you know my mail :-) Do you also have some logs where you have the IP address of this script-kiddie?

Yes, I have the IP also (it is 114.124.34.89). I sent the file to your mail.

siomosp, posted December 23, 2014:
> If you have up-to-date anti-virus on your local computer, then download your files using FTP; this will help identify the hack. Note: this is typically a .js file, so if you fix index.php then it will just be updated again. Another tip: using FTP, look at your files and see what has been recently modified, especially the /js folder.

I think that I have searched everything, nothing strange on my server now. And the js files have not changed in the last months. But I will search more. Thanks!

frank_jarle, posted December 24, 2014:
This thread has become quite interesting, may I suggest something to the moderators here? Can you guys make a new thread, pin it and call it something like "High risk modules and add-ons - Use at own risk"? I am probably not the only PS admin here who is not into PHP development and not always able to determine if something is wrong until it actually happens or is pointed out by the hosting company, as in this case. Maybe it would be a good idea to actually "identify" high risk modules and let people know about them? Just like vekia's "Approved" list, I would like to know about modules that might fall under "high risk" and avoid them at all cost.

siomosp, posted December 24, 2014:
If you have SSH access to the server, this is the command to find files with the extension .php modified in the last 48 hours. I found the an.php using it:

    find /pathtoserver/ -maxdepth 6 -name "*.php" -mtime -2 -ls

Short explanation of the options:
path to server is something like this in my case: find /var/www/vhosts/xxxxxx.com/httpdocs/
-maxdepth 6 is the folder depth to search (with 6, it is not looking at image folders like img/p/1/2/3/4/5/)
-mtime is the time in units of 24h (with option 2 it is searching 48 hours)

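The hosting report earlier in the thread shows the upload POST logged one second before the modify time of x.php, and the find command in the post above locates PHP files by age. The script below is an added example, not code from the thread or from PrestaShop, and it goes beyond both: it lists files in the writable data directories that are PHP by extension or by content whatever their age, then prints the POST requests logged within a few seconds of each file's modify time. The function names, the img/ and download/ directory names and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs GNU date, stat, touch and find.
# Assumptions: Apache combined log format; upload/, img/ and download/ are the
# writable data directories under the shop's document root.

# "14/Sep/2014:16:10:35 -0500" -> epoch seconds
apache_ts_to_epoch() {
    date -d "$(printf '%s\n' "$1" | sed 's#/# #g; s#:# #')" +%s
}

# Files in the data directories that are PHP by extension or by content.
# Stock index.php placeholders are listed too; compare them with a clean release.
find_dropped_scripts() {
    for dir in upload img download; do
        [ -d "$1/$dir" ] || continue
        find "$1/$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
        find "$1/$dir" -type f ! -iname '*.php' -exec grep -l -a -F '<?php' {} + || true
    done | sort -u
}

# POST requests logged within $3 seconds (default 5) of the mtime of file $1.
posts_near_mtime() {
    mtime=$(stat -c %Y "$1") || return 1
    grep -F '"POST ' "$2" | while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p')
        [ -n "$ts" ] || continue
        epoch=$(apache_ts_to_epoch "$ts" 2>/dev/null) || continue
        delta=$((mtime - epoch))
        if [ "$delta" -lt 0 ]; then delta=$((0 - delta)); fi
        if [ "$delta" -le "${3:-5}" ]; then printf '%s\n' "$line"; fi
    done
}

# For each suspicious file: its mtime, then the POSTs that coincide with it.
triage() {
    find_dropped_scripts "$1" | while IFS= read -r f; do
        printf '== %s modified %s\n' "$f" "$(date -d "@$(stat -c %Y "$f")" '+%F %T %z')"
        posts_near_mtime "$f" "$2" "${3:-5}"
    done
}

# Constructed sample data (documentation IP ranges), built in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/upload"
    printf '<?php /* constructed placeholder */\n' > "$d/www/upload/x.php"
    touch -d '2014-09-14 16:10:36 -0500' "$d/www/upload/x.php"
    cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [14/Sep/2014:16:10:35 -0500] "POST /modules/blocktestimonial/addtestimonial.php HTTP/1.1" 200 11840 "-" "-"
203.0.113.7 - - [14/Sep/2014:16:10:35 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [14/Sep/2014:12:00:00 -0500] "POST /order HTTP/1.1" 200 900 "-" "-"
EOF
    triage "$d/www" "$d/access.log"
    rm -rf "$d"
}

# Usage: script.sh DOCROOT ACCESS_LOG [SECONDS]; with no arguments, run the demo.
if [ $# -ge 2 ]; then triage "$@"; else demo; fi
```

A file's modify time can be reset by whoever wrote it, so an empty match against the log does not clear a file that the first function reports.
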
bellini13, posted December 24, 2014:
> This thread has become quite interesting, may I suggest something to the moderators here? Can you guys make a new thread, pin it and call it something like "High risk modules and add-ons - Use at own risk"?

They take the opposite approach. As Fred already stated previously in this thread, below is a list of 'proven free solutions'. http://www.prestashop.com/forums/topic/233442-free-modules-list-only-valuable-and-proven-solutions-31032014/

PrestaShop is not going to vet every single free module out there, so it is 'user beware'. Every module should be considered 'use at own risk'.

frank_jarle, posted December 24, 2014:
I get your point, but in this case this has become a "well known security risk". My point was that as people report back, just as in this case, I see nothing wrong with people reporting back a "known problem module" and what it actually does or potentially might do to your site. Let's say there are about 1000 Presta modules out there from both the prestashop.com repository and others. Vekia's list contains a small list in the big ocean, and to fool-proof all of them is beyond what one man can do (hats off to what he has done already). I think the Presta community has a bit to learn from the WordPress community in this way, but this is just my opinion. ;-)

To make my point clear, I would probably have installed the same module on my site if it was not for this thread. It does not matter if there exists a list of "approved" modules if the list does not contain the modules that I am looking for, so I don't see the "hassle" of actually just creating a post where people can just report back, "can you add xxxxxxxxx to the list, my site just got hacked because of security issues with it". Wouldn't it be good to have a list where people can double check if a given module is in a "high risk" list or approved list?

Merry Christmas to all of you :-D

El Patron, posted December 24, 2014:
If there is a 'bad' module, click report on the original topic post for moderator and community manager review.

bellini13, posted December 24, 2014:
In addition, the module was already removed from the forums, you are not able to download it anyway.

sandipchandela, posted December 25, 2014:
Great information and views on the fake modules mentioned here. Are there any criteria for module registration? Merry Christmas to all of you guys.

ilovekutchi.com, posted April 1, 2015 (edited):
I believe a Spanish version of the module is available here: https://www.prestashop.com/forums/topic/236211-aporte-testimonios-para-prestashop-15/

BTW, can this module be changed to make it safe?! It is not a complex module...

EDIT: another version is here: https://www.prestashop.com/forums/topic/385149-support-needed-with-customer-testimonials-v142/

parduodudu, posted November 20, 2017:
Hello, my PrestaShop eshop is hacked. For some time it was uploading malware, which I was checking daily and deleting. Now it has started sending emails to PayPal users to get their logins. Maybe someone could help me resolve this problem? Or at least maybe it is possible to copy all directories and products to a fresh eshop?