Mister Denial Posted June 24, 2016

Hi folks, my website got hacked last night. My hosting company suspects they somehow hacked an FTP account, which rings true with me as they deleted all HTML files but left the DB untouched (it seems). They also didn't deface other domains on the same server, so it looks like they only had domain-level access, not access to the full server. I am of course doing the usual steps, and have changed all FTP accounts and passwords, BO passwords, SQL passwords, username and SQL database name.

1) What I would also like to do is to change all table prefixes, but I don't know which query to run to do that?

2) IMPORTANT: because I have a legacy PS installation, somehow my DB password is in clear in the settings file. Is there a way to encrypt it? I know from a test installation that the new PS versions have the password replaced by dots instead of showing it in clear. How could I do that?

3) What else would you guys recommend (besides having my hosting company do some server hardening - again!)?

Thanks for your help with this, I'm a bit shaken and not sure how to handle this best.

Cheers,
Dan
musicmaster Posted June 24, 2016

Here is the code to rename prefixes. The file was written to be run with Prestools, but you won't find it difficult to adapt it to run without.

Attachment: rename_prefix.php
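The query the original question asks for is MySQL's RENAME TABLE. What follows is an added example, not musicmaster's rename_prefix.php and not Prestools code: it builds a single atomic RENAME TABLE statement from a list of table names, refuses prefixes that are not plain identifiers (so nothing can be smuggled into the SQL), refuses name collisions, leaves unrelated tables in the same database alone, and rewrites the `_DB_PREFIX_` define in config/settings.inc.php, where PrestaShop 1.5/1.6 keeps the prefix. The table list is a constructed sample standing in for the output of SHOW TABLES, and the new prefix `shp7k_` is an arbitrary choice.

```python
import re

# Constructed sample: what SHOW TABLES might return on a small PrestaShop 1.6
# database that also hosts an unrelated application's table (not a real dump).
SAMPLE_TABLES = [
    "ps_configuration",
    "ps_customer",
    "ps_employee",
    "ps_orders",
    "ps_product",
    "phpmyadmin_history",  # not a shop table: must be left untouched
]

# Prefixes end up inside backticks; restricting them to identifier characters
# keeps the generated SQL free of anything an attacker-influenced value could add.
_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def build_rename_statement(tables, old_prefix, new_prefix):
    """Return one MySQL RENAME TABLE statement moving every table that starts
    with old_prefix to new_prefix.

    A multi-table RENAME TABLE is atomic in MySQL: either every table is
    renamed or none is, so a failure cannot leave a half-renamed schema."""
    for prefix in (old_prefix, new_prefix):
        if not _IDENT.match(prefix):
            raise ValueError("prefix must match [A-Za-z0-9_]+: %r" % prefix)
    if old_prefix == new_prefix:
        raise ValueError("old and new prefix are identical")

    existing = set(tables)
    pairs = []
    for name in tables:
        if not name.startswith(old_prefix):
            continue  # belongs to something else sharing the database
        target = new_prefix + name[len(old_prefix):]
        if target in existing:
            raise ValueError("target table already exists: %s" % target)
        pairs.append((name, target))
    if not pairs:
        raise ValueError("no table starts with prefix %r" % old_prefix)

    clauses = ", ".join("`%s` TO `%s`" % (src, dst) for src, dst in pairs)
    return "RENAME TABLE %s;" % clauses


# The line PrestaShop 1.5/1.6 writes into config/settings.inc.php.
_DEFINE = re.compile(r"define\(\s*'_DB_PREFIX_'\s*,\s*'([^']*)'\s*\)")


def rewrite_settings_prefix(settings_text, new_prefix):
    """Return the settings.inc.php contents with _DB_PREFIX_ set to new_prefix.
    Until this matches the renamed tables the shop fails with
    'table doesn't exist' errors, so change both in the same maintenance window."""
    if not _IDENT.match(new_prefix):
        raise ValueError("prefix must match [A-Za-z0-9_]+: %r" % new_prefix)
    new_text, count = _DEFINE.subn("define('_DB_PREFIX_', '%s')" % new_prefix, settings_text)
    if count != 1:
        raise ValueError("expected exactly one _DB_PREFIX_ define, found %d" % count)
    return new_text


if __name__ == "__main__":
    print(build_rename_statement(SAMPLE_TABLES, "ps_", "shp7k_"))
    print(rewrite_settings_prefix("define('_DB_PREFIX_', 'ps_');", "shp7k_"))
```

Put the shop in maintenance mode and take a full dump before running the generated statement; then replace settings.inc.php and bring the shop back. Changing the prefix only hinders an attacker who is still blind-guessing table names, so it is defence in depth on top of the credential rotation already done, not a substitute for it.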
Mister Denial Posted June 27, 2016

Thanks for the quick reply, I am going to see if I can figure out how to change the code. And also have a look at Prestools.
Swedishandsweet Posted June 27, 2016

We had someone from China hack into our website. What happened was that all of a sudden our email account was hacked and started bouncing thousands of emails. The person accomplished this by using the "send a friend" link from our product page and inserting a script. Our hosting provider has now suspended our account a couple of times so that we can fix the issue, which we have no idea how to do. We have changed all possible passwords and removed the module where you can add a friend's email. Our hosting provider copied and sent the script to us but we do not know what to do with it. Also they suggested to set authentication for email sending, but where do you do that, or can it be done in PrestaShop? Please help, anyone who knows what can be done. We have 12 hrs to fix the issue before they suspend our account again.
musicmaster Posted June 28, 2016

If you did a Google search you would have found that Send-a-Friend hacks are very common. My advice:

- replace your passwords - both on the shop and on the database
- if you want to keep using Send-to-a-friend, use a captcha like http://catalogo-onlinersi.net/en/add-ons-prestashop-modules/264-slide-captcha-prestashop-module.html
El Patron Posted June 28, 2016

Check that folder permissions = 755, files = 644 (.htaccess 664). These are typical permissions, though yours may differ. Also, it's important that the file owner be your domain name. You should however also run a scan on your source code: look for 777, see if bad programming changed permissions for 'some' reason.
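One way to run the check El Patron describes over an entire web root, as an added example that is not code from his post: it walks the tree, reports everything that deviates from 755 for directories and 644 for files (with .htaccess allowed at 664 as he suggests), lists world-writable entries separately because those are the ones any other account on the host can overwrite, and can apply the expected modes once the report has been reviewed. build_fixture() creates a small constructed directory tree with made-up file names so the script can be tried without touching a real shop.

```python
import os
import stat
import sys
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
# Per-basename exceptions to FILE_MODE; 664 for .htaccess follows the post above.
FILE_EXCEPTIONS = {".htaccess": 0o664}


def audit_permissions(root):
    """Walk root (root itself included) and return
    {'deviations': [(path, actual_mode, expected_mode), ...],
     'world_writable': [path, ...]}.
    World-writable entries are listed on their own because they are the
    dangerous ones: another account on the host, or PHP running as another
    user, can replace them. Symlinks are skipped; Linux ignores their mode bits."""
    deviations, world_writable = [], []

    def check(path, expected):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        actual = stat.S_IMODE(st.st_mode)
        if actual != expected:
            deviations.append((path, actual, expected))
        if actual & stat.S_IWOTH:
            world_writable.append(path)

    check(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name), DIR_MODE)
        for name in filenames:
            check(os.path.join(dirpath, name), FILE_EXCEPTIONS.get(name, FILE_MODE))
    return {"deviations": deviations, "world_writable": world_writable}


def fix_permissions(root, dry_run=True):
    """Apply the expected mode to every deviation; with dry_run only report.
    Returns the list of (path, from_mode, to_mode) that was, or would be, changed."""
    changes = audit_permissions(root)["deviations"]
    if not dry_run:
        for path, _actual, expected in changes:
            os.chmod(path, expected)
    return changes


def build_fixture():
    """Constructed sample tree (made-up names) for trying the audit out:
    one correct file, a 777 module directory holding a 666 PHP file dropped
    by 'someone', and an .htaccess at the permitted 664."""
    root = tempfile.mkdtemp(prefix="shop-perms-")
    os.chmod(root, DIR_MODE)
    modules = os.path.join(root, "modules")
    os.mkdir(modules)
    os.chmod(modules, 0o777)
    for rel, mode in (("index.php", 0o644), (".htaccess", 0o664),
                      (os.path.join("modules", "dropped.php"), 0o666)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # python audit_perms.py /var/www/shop   (no argument: audit the fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    result = audit_permissions(target)
    for path, actual, expected in result["deviations"]:
        print("%s is %o, expected %o" % (path, actual, expected))
    for path in result["world_writable"]:
        print("WORLD-WRITABLE: %s" % path)
```

Run it read-only first and look at the deviations: a shop may legitimately need a writable cache or upload directory, and the right fix there is ownership (the directory owned by the account PHP runs as, as El Patron notes) rather than 777. Only call fix_permissions with dry_run=False once the list contains nothing you want to keep.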
Mister Denial Posted July 11, 2016

Is there a possibility to scan the SQL database, check the integrity? I am worried the hacker might have placed malicious code there. Does anyone know if PrestaShop support is able to scan an installation and verify if there is harmful code hidden in the files or DB? After an incident like this, I want to make sure that everything is iron clad and safe. Restoring a clean installation and SQL backup, I am not sure if that's enough.
indus Posted July 11, 2016

From this reply by El Patron in this thread: https://www.prestashop.com/forums/topic/541673-malicious-code/?p=2363762

1. Download the entire directory of your web root to your local desktop machine and run a malware scan on it. These are pretty good at detecting malicious code in your files. There are no good free tools to do the same on your server.
2. Update all software to the latest version.
3. Cut off external access to your website if possible. You need to contact your host, or do it yourself if on a VPS.
4. Remove unused modules and stray files lying around on your server. This is really important along with step 2. I had this issue where even after patching a recent theme vulnerability, malicious code kept getting placed on my server root and other places. Turns out I had an unused module (image slider - why am I not surprised) which had a similar issue as my vulnerable theme: both allowed image upload or content upload without validation.
5. Monitor traffic via analytics. This will point you to some file on your web server which the attacker might be trying to access and which is not part of a standard PrestaShop installation. You should monitor traffic for the next few days for any such behaviour.
6. If you have VPS access, check your Apache access logs for hits to strange file types or names.
7. Manually scan each folder for suspicious files placed by the attacker. These will let other users view your files, passwords in config files etc. Some files might be a mail config program designed to spam emails to users.
8. Change all passwords (database, admin back office, etc.) after you are reasonably sure all the suspect code has been cleaned.

If you still have doubts, use professional help like El Patron's solution, which should be a safe bet if you choose that option.
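Steps 6 and 7 above (strange hits in the access log, files that are not part of the standard installation) can be combined into one quick triage pass. This is an added example, not indus's or El Patron's code: it parses Apache combined-format lines, flags any PHP script requested under PrestaShop's writable directories (img/, upload/, download/, cache/; nothing there should ever be executable, so a 404 is a probe and a 200 is a live backdoor), and flags PHP files the server actually served that are missing from an allow-list of scripts present in a clean install. The log lines are constructed (TEST-NET addresses, a made-up module name blockslider), and KNOWN_PHP is an assumption to be filled from a clean copy of your own PrestaShop release.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Apache "combined" format; addresses are from the
# TEST-NET ranges and "blockslider" is an invented module name.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2016:03:12:01 +0200] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2016:03:12:02 +0200] "GET /themes/default-bootstrap/css/global.css HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jul/2016:03:14:40 +0200] "POST /img/p/1/2/sym.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jul/2016:03:14:41 +0200] "GET /img/p/1/2/sym.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jul/2016:03:16:09 +0200] "POST /modules/blockslider/mailer.php HTTP/1.1" 200 0 "-" "python-requests/2.9"
203.0.113.9 - - [11/Jul/2016:03:20:00 +0200] "GET /upload/shell.php HTTP/1.1" 404 210 "-" "curl/7.47"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories PrestaShop writes uploads and cache into. A PHP file requested
# there is never legitimate.
WRITABLE_DIRS = ("/img/", "/upload/", "/download/", "/cache/")
PHP_EXT = (".php", ".php5", ".phtml", ".phar")

# Assumption: populate from a clean copy of the same release, e.g.
#   find . -name '*.php' -printf '/%P\n'
# Kept to a single entry here so the sample stays readable.
KNOWN_PHP = {"/index.php"}


def parse(line):
    """Return the log record as a dict, or None for lines that do not parse."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def triage(lines, known_php=KNOWN_PHP):
    """Return one finding per suspicious request:
    {'ip', 'path', 'status', 'reason'} with reason either
    'php_in_upload_dir' (any status) or 'unknown_php_served' (2xx only)."""
    findings = []
    for line in lines.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].lower().endswith(PHP_EXT):
            continue
        path = rec["path"]
        reason = None
        if path.startswith(WRITABLE_DIRS):
            reason = "php_in_upload_dir"
        elif path not in known_php and 200 <= rec["status"] < 300:
            reason = "unknown_php_served"
        if reason:
            findings.append({"ip": rec["ip"], "path": path,
                             "status": rec["status"], "reason": reason})
    return findings


def by_client(findings):
    """Findings per client address: the top entries are what to block and
    what to grep the rest of the logs for (first-seen time, user agents)."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print("%-15s %3d %-22s %s" % (f["ip"], f["status"], f["reason"], f["path"]))
    print(by_client(hits).most_common())
```

Every path flagged with a 2xx status is a file to pull off the server and inspect, and its first appearance in the log is the earliest bound on when the compromise happened; searching back from that timestamp for the same client address usually shows the upload request that planted it.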
Mister Denial Posted July 11, 2016

Thanks for the tip of downloading the entire directory, that is a brilliant idea! I changed all passwords, FTP accounts, logins, access to DB, even the DB name, but I still think someone managed to get access again. I am working with my host to fix that and harden the server (again!). But yeah, your idea with the local malware scan is pure genius, I'll do that right away!
Andreea S. Posted September 15, 2017

Hi Dan,

How did you sort this out in the end? We had the same issue; it turned out that we had vulnerabilities in 2 of the theme modules, which the theme developer fixed. We've scanned everything for malware multiple times and changed all passwords. No malware is detected in the code itself, no suspicious files are being uploaded, however we keep receiving mail delivery failures for spammy e-mails that we obviously haven't sent out.

Appreciate your support!
Andreea
Scully Posted September 18, 2017

After a hack ALL passwords and ALL database contents must be considered as leaked or compromised. What about your mail settings - SMTP?
Mister Denial Posted September 23, 2017

Hello Andreea, sorry about the late reply, I was on holidays. In the end, we had to resort to several measures, including using Sucuri, as well as changing hosting company, as the hackers had most likely infected our VPS installation and the hosting company did not manage to solve this. Luckily no vital files were compromised, but they abused our server to send spam. In the end, using Sucuri was what fixed our issues for good. It's 300 Euros per year, and saves lots of headache!

Kind regards,
Daniel
Andreea S. Posted September 23, 2017

Many thanks, Daniel, really appreciate this!
El Patron Posted September 24, 2017

What did I do after getting hacked? Wrote the PrestaVault module. World, you are welcome lol.
MathiasReker Posted June 29, 2019

Once everything is normal again, I would recommend installing this security module: https://addons.prestashop.com/en/website-security-access/44413-security-pro.html

The module checks for known vulnerabilities and recommends / applies a fix for them.