drasl Posted May 6, 2016

Hi all. Someone hacked my site: they created PHP files in random places in my vhost directory, then they execute those scripts to send spam with the PHP mail function. I'm setting up more security on the whole server; now I have stopped the spam and we are out of the blacklists, but they created a lot of PHP files that I think I have already deleted. The files are, for example, in /var/www/vhosts/dominio.com/modules/helloworld/asd.php, and they can magically execute it with direct access to http://dominio.com/modules/helloworld/asd.php. So my question is: how can I prevent direct access to PHP files?

- I have my site fully updated.
- I have PrestaShop 1.6 under Ubuntu with all packages updated.
- I have Plesk with security modules enabled.
- I recently regenerated the .htaccess file with PrestaShop.
- I changed the permissions to 644/755 on all the files and folders.
- I will clean up the Smarty cache this weekend.

Do you have some tips for me guys? Thanks a lot.
musicmaster Posted May 7, 2016

Don't you have a working copy of your shop on your local PC, or a backup, so that you can return your file system to the time when you weren't hacked? As your database likely isn't hacked, you could replace the files and keep running. Deleting all infected files seems an impossible job to me.
El Patron Posted May 7, 2016

1. Change FTP passwords.
2. Using an up-to-date anti-virus, run it against a local copy of your files.
3. We can tell much about how they hack based on file date/time; typically they will have a .js file that creates the other links you see in files. See file dates with FTP.

I was hacked a few years back; it made me so mad I wrote this: https://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

Best of luck, el
drasl Posted May 9, 2016 (Author)

I can't recover the file system because we don't know exactly when they hacked us; anyway, if I recover it, I will lose thousands of product images. I changed all the passwords: FTP, database, web access, etc. The hack doesn't edit files, the hack CREATES files in httpdocs, with a recent date; those files have the same owner as the rest, so the virus is being created via PHP, I guess. Do you know a good tool to examine malware/rootkits? Thanks.
MacRoy Posted May 9, 2016

Hi Isard! I recommend you this module: https://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

Best regards, MacRoy
vekia Posted May 9, 2016

Do you use some other CMS engine at the same time, on the same hosting account?
razaro Posted May 9, 2016

Can you give some more info, like what hosting you have? Also, you mention it is in the modules folder, so did you install some modules or themes recently? And for examining, well, El Patron said it already. It is best to copy all your files to your computer and use anti-virus and anti-malware programs to scan those files.
drasl Posted May 9, 2016 (Author)

> Do you use some other CMS engine at the same time, on the same hosting account?

Yes, I am.

> Can you give some more info, like what hosting you have? Also, you mention it is in the modules folder, so did you install some modules or themes recently? And for examining, well, El Patron said it already. It is best to copy all your files to your computer and use anti-virus and anti-malware programs to scan those files.

I have a dedicated server at Professional Hosting. I didn't install modules/themes recently. I'm running anti-virus/anti-malware directly via SSH on Linux; I will try to download to Windows and then scan. I'll report the results... Thanks, and sorry for my English. :)
musicmaster Posted May 9, 2016

> I can't recover the file system because we don't know exactly when they hacked us; anyway, if I recover it, I will lose thousands of product images.

Not necessarily. You can easily search the image directory and its subdirectories for .php files. Normally it should only contain very small index.php files. So you can keep your "new" image directory.
vekia Posted May 9, 2016

> Yes, I am.

And this is probably the cause, especially if it is Joomla or WordPress. These CMS engines are riddled with more holes than a Swiss cheese.
El Patron Posted May 9, 2016

@vekia lol @cheese... but Joomla? I'm surprised, though it's been a while since I worked in it.
vekia Posted May 9, 2016

> @vekia lol @cheese... but Joomla? I'm surprised, though it's been a while since I worked in it.

http://www.joomlaexploit.com/ enjoy
El Patron Posted May 9, 2016

> http://www.joomlaexploit.com/ enjoy

Sorry for 'sort of' off topic... @milos, lol. It's been a while since I toyed there; webmaster for the largest English-language news site in Colombia, pay 0.00 per hour... labor of love. I see they have since gone to WP... doubt any improvements... happy day... Fred
drasl Posted May 10, 2016 (Author)

Hi guys, returning to the post, I have a question: is there a way to control direct access to PHP files? For example, tell Apache that if the www-data user who is calling domain.com didn't pass first through the root PrestaShop index.php, the execution of any other PHP file will be denied, or something like this. In this case the bot can't directly access the PHP file with the malware code from outside. For a while I'm recoding all the applications that use PHP mail to PHPMailer via SMTP; then I will disable the PHP mail function to prevent present and future mail spam.
vekia Posted May 10, 2016

It is possible, but don't do that, because in some parts of the shop PrestaShop uses AJAX queries to PHP files. This means that the browser (you) will try to open a .php file, and with the configuration you mentioned it will not be possible, so in effect the shop will be dead.
El Patron Posted May 10, 2016

> It is possible, but don't do that, because in some parts of the shop PrestaShop uses AJAX queries to PHP files. This means that the browser (you) will try to open a .php file, and with the configuration you mentioned it will not be possible, so in effect the shop will be dead.

Along with vekia's sage advice, make sure to validate file ownership; typically the group is your domain name.
drasl Posted May 11, 2016 (Author)

> Along with vekia's sage advice, make sure to validate file ownership; typically the group is your domain name.

Already did. In Plesk, the owner is the name of the domain without TLD, and the group is psacln.
El Patron Posted May 11, 2016

> Already did. In Plesk, the owner is the name of the domain without TLD, and the group is psacln.

Perfect... good luck!
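The checks discussed above (musicmaster's search of the image directory for stray .php files, El Patron's file-date and ownership checks, and vekia's warning that blocking PHP shop-wide kills the AJAX calls) can be scripted. The following is an added example, not code from the thread, from PrestaShop or from Plesk. It assumes a stock PrestaShop 1.6 layout in which img/, upload/ and download/ hold only static files plus placeholder index.php files, Apache 2.4 with .htaccess overrides enabled for PHP requests, and the Plesk owner/group naming drasl reports; the miniature document root it builds is a constructed fixture, and the asd.php it creates is a stand-in for a spam dropper, not the file from the thread. It goes beyond the posts by applying the PHP denial only to the static directories, which leaves modules/ and the other AJAX targets untouched.

```shell
#!/bin/sh
# Added triage/hardening helper for a PrestaShop 1.6 document root.
# Not code from the thread, PrestaShop or Plesk; the directory list and the
# dropper fixture below are assumptions for illustration.

# Directories assumed to hold only static files and placeholder index.php
# files in a stock PrestaShop 1.6 tree, so no PHP should ever run there.
STATIC_DIRS="img upload download"

# 1. PHP files inside the static directories that are not the placeholder
#    index.php (musicmaster's check, extended to upload/ and download/).
find_unexpected_php() {
    for d in $STATIC_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f -name '*.php' ! -name 'index.php'
    done
}

# 2. PHP files modified in the last N days (default 7): dropped files carry
#    a recent mtime while an untouched install does not.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

# 3. PHP files calling the primitives a spam dropper or webshell relies on.
#    Review the hits by hand; legitimate code can match too.
find_suspicious_content() {
    grep -rlE --include='*.php' \
        -e 'base64_decode\(' -e 'eval\(' -e '(^|[^A-Za-z_])mail\(' "$1"
}

# 4. Files not owned by the expected user/group (Plesk: <domain> / psacln).
find_wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \)
}

# 5. Deny PHP execution inside the static directories only; AJAX-called PHP
#    under modules/ keeps working. Apache 2.4 syntax ("Deny from all" on
#    2.2). Replaces any .htaccess already present in those directories.
write_php_deny() {
    for d in $STATIC_DIRS; do
        [ -d "$1/$d" ] || continue
        printf '<FilesMatch "\\.(php[0-9]?|phtml|phar)$">\n    Require all denied\n</FilesMatch>\n' \
            > "$1/$d/.htaccess"
    done
}

# Constructed fixture: two placeholder index.php files, one legitimate class
# file, and a stand-in dropper copied to modules/ and to the image tree.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/img/p" "$root/modules/helloworld" "$root/classes"
    for f in img/index.php img/p/index.php; do
        printf '<?php\nheader("Location: ../");\nexit;\n' > "$root/$f"
    done
    printf '<?php\nclass Foo { public function bar() { return 1; } }\n' > "$root/classes/Foo.php"
    printf '<?php\n$c = base64_decode($_POST["c"]); eval($c);\nmail($_POST["t"], $_POST["s"], $_POST["b"]);\n' \
        > "$root/modules/helloworld/asd.php"
    cp "$root/modules/helloworld/asd.php" "$root/img/p/asd.php"
    echo "$root"
}

# Print every finding for the document root given as $1.
report() {
    echo "== PHP files in static dirs (should be empty) =="; find_unexpected_php "$1"
    echo "== PHP files modified in the last 7 days ==";       find_recent_php "$1" 7
    echo "== PHP files using mail/eval/base64_decode ==";     find_suspicious_content "$1"
}

# Usage: sh triage.sh /var/www/vhosts/dominio.com/httpdocs
[ $# -eq 0 ] || report "$1"
```

Run the report first and only then write_php_deny, and check the ownership list with the user and group Plesk actually assigned (find_wrong_owner "$DOCROOT" dominio psacln for the naming drasl describes). The denial is an Apache-side control; if a front proxy serves static directories itself, the .php request must still reach Apache for the rule to apply.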
parduodudu Posted November 20, 2017

Hello, my PrestaShop e-shop is hacked. For some time it was uploading malware, which I was checking daily and deleting. Now it started sending emails to PayPal users to get their logins. Maybe someone could help me resolve this problem? Or at least, maybe it is possible to copy all directories and products to a fresh e-shop?
MathiasReker Posted June 29, 2019

I hope it is solved. But I still think that security is relevant. I made a module to cover a lot of cases: https://addons.prestashop.com/en/website-security-access/44413-security-pro.html