Hi Everyone,

 

My hosting provider has taken my site offline and asked me to resolve the malicious content on my site.

Please can anyone help or let me know what these error messages below are and how to fix this? Any advice really appreciated.

 

Thank you.

 

report.txt

 

./adminer-3.7.1-en.php
./cache/smarty/cache/blockmegamenu_address_1_3_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_addresses_1_3_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_authentication_1_1_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_bestsales_1_1_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_cart_1_1_1_0_0_0_0_17/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_category_1_1_1_101_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/uni2cid_ak12.php
./modules/attributewizardpro/file_uploads/0.php
./modules/attributewizardpro/file_uploads/204ef16736b318db184375df534d3d24.php
./modules/attributewizardpro/file_uploads/3e61ccac2167068ec793fb804bdb2e50.php
 
./tools/tcpdf/fonts/dejavusans.php
./tools/tcpdf/fonts/freeserif.php
./tools/tcpdf/fonts/uni2cid_ag15.php
./tools/tcpdf/fonts/uni2cid_aj16.php
./tools/tcpdf/fonts/uni2cid_ak12.php
 
 
 
 
 
 
 
Link to comment
Share on other sites

 

./cache/smarty/cache/blockmegamenu_address_1_3_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_addresses_1_3_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_authentication_1_1_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_bestsales_1_1_1_0_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_cart_1_1_1_0_0_0_0_17/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./cache/smarty/cache/blockmegamenu_category_1_1_1_101_0_0_0_0/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
 
You can delete the above files since they are cache.
 
./tools/tcpdf/fonts/dejavusans.php
./tools/tcpdf/fonts/freeserif.php
./tools/tcpdf/fonts/uni2cid_ag15.php
./tools/tcpdf/fonts/uni2cid_aj16.php
./tools/tcpdf/fonts/uni2cid_ak12.php
 
These look weird. Have you looked at what is inside?
 
./adminer-3.7.1-en.php
 
This also looks weird since it is in the root folder.
Link to comment
Share on other sites

Thanks for your reply!

 

I am not a developer so not sure which files to look in?

 

There are these errors also? It looks like some kind of upgrade issue or spam attack, but not sure where to look to find the bugs, any ideas?

 

./iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/uni2cid_ak12.php
./modules/attributewizardpro/file_uploads/0.php
./modules/attributewizardpro/file_uploads/204ef16736b318db184375df534d3d24.php
./modules/attributewizardpro/file_uploads/3e61ccac2167068ec793fb804bdb2e50.php
./modules/attributewizardpro/file_uploads/c8b6b7013efa7af3d2e0d603c345257b.php
./modules/attributewizardpro/file_uploads/d5e3c50977488ed4dff7f5416004aae1.php
./modules/attributewizardpro/file_uploads/dc85cfb5a14f59d33a2a8be005b19598.php
./modules/newsletteradmin/functions.php
./modules/newsletteradmin/scripts/files/track.php
./modules/newsletteradmin_old/functions.php
./modules/newsletteradmin_old/import.php
./modules/statsregistrations/translations/es.php
./test/adminer-3.7.1-en.php
./test/iadmin/autoupgrade/latest/prestashop/install/langs/br/install.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/cid0cs.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/cid0jp.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/cid0kr.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/dejavusans.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/freeserif.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/uni2cid_ag15.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/uni2cid_aj16.php
./test/iadmin/autoupgrade/latest/prestashop/tools/tcpdf/fonts/uni2cid_ak12.php
./test/modules/newsletteradmin/functions.php
./test/modules/newsletteradmin/scripts/files/track.php
./test/modules/newsletteradmin_old/functions.php
./test/modules/newsletteradmin_old/import.php
./test/modules/statsregistrations/translations/es.php
./test/tools/tcpdf/fonts/cid0cs.php
./test/tools/tcpdf/fonts/cid0jp.php
./test/tools/tcpdf/fonts/cid0kr.php
./test/tools/tcpdf/fonts/dejavusans.php
./test/tools/tcpdf/fonts/freeserif.php
./test/tools/tcpdf/fonts/uni2cid_ag15.php
./test/tools/tcpdf/fonts/uni2cid_aj16.php
./test/tools/tcpdf/fonts/uni2cid_ak12.php
./tools/tcpdf/fonts/cid0cs.php
./tools/tcpdf/fonts/cid0jp.php
./tools/tcpdf/fonts/cid0kr.php
Link to comment
Share on other sites

I do not know whether these are infected files or not.

 

However

 

  • What is your PrestaShop version?
  • Are you using the default theme?
    • If yes, are there any custom improvements in the theme?
  • Since you said you are not a developer, are you still using the ./test/ environment for test purposes?
Link to comment
Share on other sites
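
The triage the replies above do by eye, as an added example that is not part of the thread: it groups scanner paths by the kind of location they sit in and lists live paths that are also flagged under the ./test/ copy. The category names, the upload-folder rule and the sample subset are assumptions of this example.

```python
import re

# (category, pattern); first match wins. The cache, tcpdf and adminer rules follow
# the replies above; "upload-dir-php" is an assumption added for this example.
RULES = [
    ("smarty-cache", re.compile(r"/cache/smarty/cache/")),             # regenerable cache
    ("upload-dir-php", re.compile(r"/file_uploads/[^/]+\.php$")),      # PHP in an upload folder
    ("db-admin-tool", re.compile(r"/adminer-[\d.]+(-\w+)?\.php$")),    # database admin script
    ("tcpdf-font", re.compile(r"/tools/tcpdf/fonts/[^/]+\.php$")),     # bundled library file
]

def classify(path):
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return "unclassified"

def parse_report(text):
    """Keep only lines that look like scanner paths ('./...')."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith("./")]

def triage(text):
    groups = {}
    for path in parse_report(text):
        groups.setdefault(classify(path), []).append(path)
    return groups

def mirrored_in_test(text):
    """Live paths that are also flagged under the ./test/ copy of the shop."""
    paths = set(parse_report(text))
    return sorted(p for p in paths
                  if not p.startswith("./test/") and "./test/" + p[2:] in paths)

# Constructed sample: a subset of the paths posted in this thread.
SAMPLE_REPORT = """\
./adminer-3.7.1-en.php
./cache/smarty/cache/blockmegamenu_cart_1_1_1_0_0_0_0_17/1a/0f/7e/1a0f7ee32298b20c5b555ce6de864d0c46f82e99.blockmegamenu.tpl.php
./modules/attributewizardpro/file_uploads/0.php
./modules/attributewizardpro/file_uploads/204ef16736b318db184375df534d3d24.php
./modules/newsletteradmin/functions.php
./test/adminer-3.7.1-en.php
./tools/tcpdf/fonts/dejavusans.php
./test/tools/tcpdf/fonts/dejavusans.php
"""

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_REPORT).items():
        print(category, len(paths))
    print("also flagged under ./test/:", mirrored_in_test(SAMPLE_REPORT))
```

Files in the "tcpdf-font" and "unclassified" groups are the ones to open or compare against the same file from a clean copy of the shop's own release before deciding anything.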

Hi,

 

It is heavily customised from the asylum theme; my developer has asked me to check on the PS forum to see if anyone has any ideas.

My site has been running with PS for 3 years, then this happened. I am using version 1.5.4, so it could be that it needs an update to 1.6 or so, but that is so much work for my dev to do as it's all custom.

Link to comment
Share on other sites

Do you know what this file is? My host says this:

 

I just ran another scan on your site files and the scan result shows only one malicious file x0.php

 

 

Your developer should check it to see what that file does and probably delete it.

Link to comment
Share on other sites
