Thirtybees hardening + new Presta hacks / scams

[Acer]

Hi

So the Magecart thing was one scary thing (for Magento) - now there are reports that there is a Presta 'hack' that bypasses / or fakes the 'flyover' for a third-party payment gateway... Scary.
I wonder how the site was infiltrated in the first place?
How do we prevent or mitigate this?
https://arstechnica.com/information-technology/2019/11/scammers-try-a-new-way-to-steal-online-shoppers-payment-card-data/
 

Also, are there any 'hardening' or security tools out there for TB / PS 1.6? Ideally free (similar to Akeeba AdminTools for Joomla, etc)

Mind sharing any TB hardening techniques?

With the festive season coming up + what happened to this PS site and the Magento sites - understandably I'm a bit nervous (I'm sure I'm not the only one).
So how do we protect our TB sites from these f**kers?

 

Edited November 22, 2019 by Theo

[Traumflug]

Core Updater checks validity of all thirty bees core files. Just click 'compare' without changing  the version. This calculates all the distinctions between files on your disk and the official distribution. Files not matching get reported as in need of modification.

Note, however, there are modules out there which do such infiltration as part of their operations, so one always sees changes.

[Acer]

Please see original post. How do we prevent this, are there hardening tools or techniques available? 

Also as there will likely be changes to files anyway as part of the course of normal development, as you say as well, the core updater will not be useful here. And checking manually is not practical...

Any suggestions, thoughts and ideas re this and 30Bz site security? 

Edited November 23, 2019 by Theo

[datakick]

38 minutes ago, Theo said:

Please see original post. How do we prevent this, are there hardening tools or techniques available? 

When somebody hacks your site, then can do anything then want. On prestashop, the most common attack vector are badly written modules that allows users to upload some files, but does not check its type. For example, instead of uploading video, user can actaully upload php file, and thus gain complete access to your site.

There are, of course, other vulnerabilities. Like sql injections, xss,... Again, they can be in core, or in modules. 

There is no silver bulet here. This is a catch-up game.

38 minutes ago, Theo said:

Also as there will likely be changes to files anyway as part of the course of normal development, as you say as well, the core updater will not be useful here. And checking manually is not practical...

That is not normal developement. You should never modify core files. Never ever. If you need modification, use tools designed to do that (overrides, modules, hooks). 

[Acer]

Thanks for the reply. Are there any hardening tools available? 

Like Akeeba admin tools  - Joomla, Sucuri monitor - WordPress etc for TB / PS 1.6?

[lesley]

These attacks have been around for years, but they all rely on someone getting file system access. If they have that access they can do anything they want. 

 

If you are looking for an easy way to be alerted if something happens git could be a good early warning system. You can trigger an email if changes are staged, alerting you to an issue with your site being compromised. 

[musicmaster]

On 11/23/2019 at 8:31 AM, Theo said:

Also as there will likely be changes to files anyway as part of the course of normal development, as you say as well, the core updater will not be useful here. And checking manually is not practical...

With a tool like Winmerge you can compare whole directory trees. And you can also rather easily the content of the differences. Only problem is that the compared trees have to be on the same (Windows) system.

[datakick]

14 hours ago, lesley said:

but they all rely on someone getting file system access.

Not necessarily. SQL injection, for example, can do the trick as well.

[Briljander]

20 hours ago, lesley said:

 

If you are looking for an easy way to be alerted if something happens git could be a good early warning system. You can trigger an email if changes are staged, alerting you to an issue with your site being compromised. 

How does this work?

Do you mean if someone do change a file in on my server with ftp access I could still get a notice from git that something has changed

[lesley]

@datakick The attacks that we were referring to generally require file system access. Like the one mentioned in the article that was posted, I have seen that one on a few prestashop sites. Basically they either upload a malformed paypal module or edit the existing, then point it to a local directory with a fake paypal login page that sends the creds to the hackers email. 

 

@Briljander its not the easiest thing in the world to set up, but you can use local git or github, with hooks and have an email sent to you when there has been a change. You might be able to accomplish it with a shell script as well, just running every 30 minutes or so, staging files and if there is anything to stage, trigger an email. 

[Pedalman]

I bought some years ago a module called: PrestaVaultMalware | Virus | Trojan Protection

by prestashopaddons.prestaheroes.com .

 

What I bought was the Prestaversion. Since ca. two years he or they support also THIRTYBEES !

Sad for me is he wanted me to buy the module again extra for Thirtybees. I denied and use since years the Presta version on my Thirtybees shop.

Thing is it seems to work. If I could I would enhance the module with the function to show also who used the back office and when. You can see this of course in logs but I 'd like to have it in once place.

File monitoring (size and date) that is what the module does and also a view for backoffice use times. Best would be a detailed view that could break down if files where changes when xzy was logged into bo. Best would be if you could also implement FTP connection via server log 🙂

 

Oh, and btw the module seems to do its job via doing a backup of all files, storing some hash in db with the original files (your table for the module will grow very big in db 😉 ) and the do a comparrison check.

In a nutshell you got also a back up you can restore from module gui. All in all a very fine module that is worth its price!

 

 

Edited November 25, 2019 by Pedalman

[Acer]

10 hours ago, Pedalman said:

I bought some years ago a module called: PrestaVaultMalware | Virus | Trojan Protection

by prestashopaddons.prestaheroes.com .

Pedalman, please update the link (I think it's linking to your shop).

This is exactly what I was interested in - will check it out, thanks!

Any other suggestions guys?