
Sites hacked repeatedly


pb4sc


Hi.
I have three separate Prestashop installs. I am getting repeatedly hacked. The scary thing is that the hackers are getting more bold, and attaching viruses to the site, so when my customers visit, it tries to download a virus onto their computer. I have upgraded all the sites to v1.3.1. and they were still able to get in. I am sure they do not have my password to my host, because my host reset it, and did not give it to me. I also scanned both my computers and they came out clean. They were able to deface the sites, even though I did not have the password. I went through the folders and made sure they were CHMOD to 755. These are my questions.

1) Should I change my host? And if I do, can I transfer my current backup? I do not want to rebuild from scratch. Is there a risk that something that is letting the hackers in is embedded into my backup?

2) One site is getting a strange IP address from Saudi Arabia. When I tried to block it, I got an error saying .htaccess could not be found.

3) The last time they defaced my site, the text was there, but the background image was missing. On the bottom of the page was a message that said "link to database cannot be established". Does this mean they have their background images in my database somewhere?

4) If you were in my shoes, what would be the next steps that you would take to solve this problem?


Thanks,

pb4sc

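Question 2 asks about a single suspicious IP and blocking it in .htaccess. Before blocking anything it is worth seeing what that address actually did, because the interesting evidence is usually a burst of POSTs to the admin login or a successful request for a PHP file sitting in a directory that should only hold images. The script below is an added example, not code from the original thread or from PrestaShop: it parses a handful of constructed Apache combined-format log lines, aggregates requests per IP, flags the two patterns just described, and prints the `Deny from` block you would put in an `.htaccess` file in the web root (creating the file if the host does not ship one). The admin path `/admin/` and the writable directories it checks are assumptions for this sample.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from the original thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:02:14:03 +0000] "GET /product.php?id_product=12 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2010:02:15:10 +0000] "POST /admin/login.php HTTP/1.1" 200 890 "-" "curl/7.19"
198.51.100.23 - - [10/Mar/2010:02:15:11 +0000] "POST /admin/login.php HTTP/1.1" 200 890 "-" "curl/7.19"
198.51.100.23 - - [10/Mar/2010:02:15:12 +0000] "POST /admin/login.php HTTP/1.1" 200 890 "-" "curl/7.19"
198.51.100.23 - - [10/Mar/2010:02:16:40 +0000] "GET /img/c/x.php HTTP/1.1" 200 33 "-" "curl/7.19"
192.0.2.9 - - [10/Mar/2010:02:17:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One combined-log line: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that the web server writes to (uploads, images); PHP should never
# execute from here. Assumed layout for this example.
WRITABLE_DIRS = ("/img/", "/upload/", "/download/")
ADMIN_PREFIX = "/admin"  # assumed admin directory name


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def triage(entries, admin_post_threshold=3):
    """Count requests per IP and flag the two patterns worth a closer look:
    repeated POSTs at the admin login, and a 200 for a .php file under a writable dir."""
    per_ip = Counter(e["ip"] for e in entries)
    admin_posts = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].startswith(ADMIN_PREFIX)
    )
    findings = []
    for ip, n in admin_posts.items():
        if n >= admin_post_threshold:
            findings.append((ip, f"{n} POSTs to the admin login"))
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if e["status"] == 200 and path.endswith(".php") and path.startswith(WRITABLE_DIRS):
            findings.append((e["ip"], f"PHP executed from a writable directory: {path}"))
    return {
        "requests_per_ip": per_ip,
        "findings": findings,
        "ips_to_block": sorted({ip for ip, _ in findings}),
    }


def htaccess_deny(ips):
    """Render an Apache 2.2 deny block; Apache 2.4 uses 'Require not ip' instead."""
    lines = [
        "# Apache 2.2 syntax. On 2.4 use: <RequireAll> Require all granted / Require not ip ADDR </RequireAll>",
        "Order Deny,Allow",
    ]
    lines += [f"Deny from {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for ip, n in report["requests_per_ip"].most_common():
        print(f"{ip:16} {n} requests")
    for ip, why in report["findings"]:
        print(f"flag {ip}: {why}")
    print(htaccess_deny(report["ips_to_block"]))
```

Run it against the real access log with `parse_log(open(path).read())`. A deny rule only buys time, since the next attempt will come from another address; the finding that matters is the `.php` file under `/img/`, which points at how the attacker keeps getting back in.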

  • 2 weeks later...

I've seen similar cases before, and the root of the hack was the client's PC, many hackers try to attack your PC and retrieve passwords from it (they target FTP programs with saved passwords).

I would make sure your PC is properly secure, and possibly avoid saving passwords in FTP / SSH programs.

Needless to say you need to change all your passwords, and make sure all the files on your server are clean.


  • 2 weeks later...

As the other guys already stated, most such problems come from a password stolen from your FTP client's saved passwords.
1. See if the files from the FTP are the same as the ones from the PrestaShop distribution.
2. Change your FTP password and do not preserve it in the FTP client (type it manually).

Also, analyze your logs to see the entry point, IP addresses, country, etc.

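Step 1 above, comparing the files on the server with the PrestaShop distribution, is the check that actually finds what the attacker left behind. The script below is an added example, not code from the thread or from PrestaShop: it hashes every file under a reference tree (a freshly downloaded copy of the same version, unpacked locally) and under a copy of the live site, then reports files that were added, removed or changed. `config/settings.inc.php` is treated as site-specific because it legitimately differs from the distribution; that path, and the directory layout used in the constructed demo trees, are assumptions. Added `.php` files and modified core files are listed first, since those are what to open.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256 hex} for every file below root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def compare(reference, deployed, site_specific=frozenset({"config/settings.inc.php"})):
    """Diff two manifests. Files in site_specific are expected to differ and are
    reported separately rather than as tampering."""
    ref_paths, dep_paths = set(reference), set(deployed)
    added = sorted(dep_paths - ref_paths)
    missing = sorted(ref_paths - dep_paths)
    changed = [p for p in sorted(ref_paths & dep_paths) if reference[p] != deployed[p]]
    modified = [p for p in changed if p not in site_specific]
    local_config = [p for p in changed if p in site_specific]
    # Added PHP anywhere (image/upload dirs especially) and modified core files go first.
    review_first = [p for p in added if p.lower().endswith((".php", ".phtml", ".php5"))] + modified
    return {
        "added": added,
        "missing": missing,
        "modified": modified,
        "site_specific_changed": local_config,
        "review_first": review_first,
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed clean tree and a constructed 'live' tree, then diff them."""
    with tempfile.TemporaryDirectory() as ref_root, tempfile.TemporaryDirectory() as site_root:
        clean = {
            "index.php": b"<?php include('config/config.inc.php');",
            "classes/Cookie.php": b"<?php class Cookie {}",
            "classes/Module.php": b"<?php class Module {}",
            "config/settings.inc.php": b"<?php define('_DB_PREFIX_', 'ps_');",
        }
        for rel, data in clean.items():
            _write(ref_root, rel, data)
        live = dict(clean)
        live["config/settings.inc.php"] = b"<?php define('_DB_PREFIX_', 'shop_');"  # legitimate local edit
        live["classes/Module.php"] = clean["classes/Module.php"] + b"\n/* appended */"  # tampered core file
        live["img/p/1.jpg"] = b"\xff\xd8\xff"                                          # ordinary upload
        live["img/c/x.php"] = b"<?php /* dropped file */"                              # PHP where only images belong
        for rel, data in live.items():
            _write(site_root, rel, data)
        return compare(hash_tree(ref_root), hash_tree(site_root))


if __name__ == "__main__":
    report = demo()
    for key in ("review_first", "added", "missing", "modified", "site_specific_changed"):
        print(f"{key}: {report[key]}")
```

On a real shop, run `hash_tree()` over the unpacked distribution and over a download of the live document root. Third-party modules and your theme are not in the distribution and will show as added; compare those against their own original packages. Do not clean modified files by hand: replace them from the distribution, since a backup taken after the first break-in carries the same dropped files (which answers question 1 in the opening post).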

I think you have a virus on your PC! Do you use filezilla?
Our test PC was infected through FileZilla! Luckily there was only one test account saved in Mozilla, but every time we booted the PC a hack attempt was made against our server!

So, try to reset all your passwords AND run a virus scanner, or do a clean PC install...

better... get a mac :)


  • 4 weeks later...

Hi,
Do you think my site has been hacked? This has just happened a few minutes ago and I have not got a clue how to fix it.
Warning: Unknown: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/trudyaff/:/usr/lib/php:/usr/local/lib/php:/tmp) in Unknown on line 0

Warning: include() [function.include]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/trudyaff/:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/trudyaff/public_html/index.php on line 3

Warning: Cannot modify header information - headers already sent in /home/trudyaff/public_html/config/config.inc.php on line 9

Warning: include() [function.include]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/trudyaff/:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/trudyaff/public_html/config/config.inc.php on line 31

Warning: include() [function.include]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/trudyaff/:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/trudyaff/public_html/config/config.inc.php on line 154

Warning: include() [function.include]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/trudyaff/:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/trudyaff/public_html/index.php on line 8

Warning: Cannot modify header information - headers already sent in /home/trudyaff/public_html/header.php on line 4

Warning: Cannot modify header information - headers already sent in /home/trudyaff/public_html/classes/Cookie.php on line 263

Fatal error: Uncaught

XML_Feed_Parser_Exception: Invalid input: this is not valid XML in /home/trudyaff/public_html/modules/blockrss/blockrss.php on line 106
Exception trace
# Function Location
0 XML_Feed_Parser->__construct('<br /> <b>Warnin…') /home/trudyaff/public_html/modules/blockrss/blockrss.php:106
1 Blockrss->hookLeftColumn(Array) unknown:unknown
2 call_user_func(Array, Array) /home/trudyaff/public_html/classes/Module.php:421
3 Module::hookExec('leftColumn') /home/trudyaff/public in /home/trudyaff/public_html/tools/pear_xml_parser/Parser.php on line 101

  • 2 months later...

Are you using the default database prefix? If so, this is how they are hacking you so quickly using SQLi attacks. Change it, make a new user an admin and disable the first admin account created. On a default install these are two things a hacker already knows. Also change all passwords.

hope this helps

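The prefix change suggested above is a two-part job: every table carrying the old prefix is renamed in MySQL, and the `_DB_PREFIX_` constant the shop reads is updated to match. The script below is an added example, not PrestaShop's own tooling: it generates a single `RENAME TABLE` statement covering all prefixed tables (MySQL applies a multi-table rename atomically, so the shop is never half-renamed), draws a random new prefix, and rewrites the define line in a constructed copy of `config/settings.inc.php`. The table list and settings file contents are constructed sample data, and the location of the define in `config/settings.inc.php` is assumed from PrestaShop 1.x. Bear in mind that a non-default prefix only removes a shortcut; an injectable query stays injectable, so this goes alongside updating to a patched version, not instead of it.

```python
import re
import secrets

# Constructed sample data (not from a real shop). The last table belongs to another
# application sharing the database and must be left alone.
SAMPLE_TABLES = ["ps_customer", "ps_employee", "ps_orders", "ps_configuration", "other_app_table"]
SAMPLE_SETTINGS = (
    "<?php\n"
    "define('_DB_NAME_', 'shop');\n"
    "define('_DB_PREFIX_', 'ps_');\n"
    "define('_MYSQL_ENGINE_', 'MyISAM');\n"
)

# A prefix must be a safe identifier fragment: letter first, then alphanumerics, trailing underscore.
PREFIX_RE = re.compile(r"[a-z][a-z0-9]{1,15}_")
DEFINE_RE = re.compile(r"define\('_DB_PREFIX_',\s*'[^']*'\);")


def new_prefix(length=6):
    """Random prefix such as 'k7q2xz_' using the OS CSPRNG, not the default 'ps_'."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    body = secrets.choice(letters) + "".join(secrets.choice(letters + "0123456789") for _ in range(length - 1))
    return body + "_"


def rename_statement(tables, old_prefix, new_prefix_):
    """One atomic RENAME TABLE statement for every table that starts with old_prefix."""
    if not PREFIX_RE.fullmatch(new_prefix_):
        raise ValueError(f"refusing unsafe prefix {new_prefix_!r}")
    pairs = [
        f"`{t}` TO `{new_prefix_}{t[len(old_prefix):]}`"
        for t in tables
        if t.startswith(old_prefix)
    ]
    if not pairs:
        raise ValueError(f"no tables carry prefix {old_prefix!r}")
    return "RENAME TABLE " + ", ".join(pairs) + ";"


def update_settings(settings_php, new_prefix_):
    """Return settings.inc.php text with exactly one _DB_PREFIX_ define rewritten."""
    if not PREFIX_RE.fullmatch(new_prefix_):
        raise ValueError(f"refusing unsafe prefix {new_prefix_!r}")
    new_text, count = DEFINE_RE.subn(f"define('_DB_PREFIX_', '{new_prefix_}');", settings_php)
    if count != 1:
        raise ValueError(f"expected one _DB_PREFIX_ define, found {count}")
    return new_text


if __name__ == "__main__":
    prefix = new_prefix()
    print("-- run in MySQL while the shop is offline, after a full backup:")
    print(rename_statement(SAMPLE_TABLES, "ps_", prefix))
    print("-- then write the updated config/settings.inc.php:")
    print(update_settings(SAMPLE_SETTINGS, prefix))
```

Feed it the real table list from `SHOW TABLES` and the real settings file. Modules that hard-code `ps_` in their own SQL instead of using the constant will break after the rename and need fixing separately.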

Change it, make a new user an admin and disable the first admin account created. On a default install these are two things a hacker already knows. Also change all passwords.

hope this helps


What do you mean by default admin account?
AFAIK there is only 1 admin created during the installation with own custom details.

Prestashop doesn't create a default admin account; you create it yourself during the installation process using your own specified email and password.

Although I have done something similar. I have created another admin user but removed any important functions from that user, db functions etc., anything that could be used to hack the site badly. Then I only use that account to run the store. The other account is only used in emergencies and is connected to an obscure email and password.

Create a new admin account, then disable the first one. It is something that is done on Joomla for security reasons.

http://magazine.joomla.org/topics/item/148-62-reasons-to-fire-your-super-admin

Use this software to scan your web server. This software can scan for over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers. You can download this software here: http://www.cirt.net/nikto2. This software uses Perl; use the documentation for installation purposes here: http://cirt.net/nikto2-docs/installation.html#id2487167.

Maybe this can help you to analyze your website.

Thanks
