My Website has been hacked any specialists out there

[The Pellet Guy]

As the title  we had some weird stuff going on yesterday  a 63gig error log filling up the SSD  alerted me to it and i seemed to spend all day fixing and chasing problems only to be greated with this (SEE SCREENSHOT) at 3.15pm GMT

I have a sneaky feeling  the host has problems as over the last 12 hrs things seem to be shutting down there end  client protal access  has gone and a few other things,  all my company websites  are on that dedicated server and all hacked with the same front page.

I just don't know where to start, im reasonably good with moving files around but wouldnt know what files should or should not be on the server  

Is there anyone on here that can offer me a little advice I have packed up and downloaded my entire Home directory as a start  from WHM  in case someone decides to delete all the graft i have put in and im downloading the databases now

 

is there anything else I can do until I gain access to the client log in and get access  to the 10's of tickets I have sent the host

 

Paul

 

 

[MichaelEZ]

Xsamxadoo - bajatax - had it last week 😄 simular issue:

https://www.prestashop.com/forums/topic/1030039-xsamxadoo-malware-through-explorerpro-module/

: $path_exploit_payloads=array("/modules/explorerpro/action.php","/modules/sampledatainstall/sampledatainstall-ajax.php","/modules/colorpictures/ajax/upload.php"

someone stated: 

The impacted files were:

• controllers/front/AuthController.php
• controllers/admin/AdminLoginController.php
• classes/Customer.php
  • In getByEmail function
• classes/Employee.php
  • In getByEmail function

In my case it was fortunatly only AuthController.php (and many uploaded php files that i just deleted) 

Edited September 3, 2020 by MichaelEZ

[zen]

Here are the three modules that people talk about now, source of hacked website, it might help others to look for the culprit faster :

explorerpro

sampledatainstall

colorpictures

Good luck for the clean 🙂

[wakabayashi]

You can try to talk to you server provider. Did they get hacked? My guess would be, that you use other software on this server and the attacker got in there. Or you are using a bad module.

I am no expert on hacking issues. I would strongly consider to "hire" somebody who can understand what happened and probably fix it. The obvious choices would be datakick or traumflug from the forum.

 

[The Pellet Guy]

25 minutes ago, wakabayashi said:

You can try to talk to you server provider. Did they get hacked? My guess would be, that you use other software on this server and the attacker got in there. Or you are using a bad module.

I am no expert on hacking issues. I would strongly consider to "hire" somebody who can understand what happened and probably fix it. The obvious choices would be datakick or traumflug from the forum.

 

Morning wakabayashi

The service providers are being very cagey and not giving much away, however I have noticed access to some of their services have been suspended pending security upgrades which says to me they have problems,  and given the fines for data breaches I can understand that, however that doesnt help me,  not even sure why this group has picked on me when in the past they have targetted companies like Air France and bigger coperates im just a little guy.

I wouldnt know about modules  good or bad  I read up on them before installing and keep them updated I try to follow whats going on but you just can't be everywhere and be on top of everything.

Im not one for hassling people hence why I put this post up  if someone has the time and skill set im happy to pay for their time or just take advice and try to salvage what I can.

One thing im finding quite strange is yesterday the HD on the server was full  I recall having 60gig free  I found a 63gig error log i deleted this so i could continue to work and this morning find a 62 gig file  something is generating this huge file  as it keeps coming back  thats what caused the initial denial of service  

 

 

 

Edited September 2, 2020 by The Pellet Guy

[Gotabor]

First, do you have any clean backup from Cpanel, your host ? The fastest way to get back online would be I think to download your current FTP and database and keep them in an "infected" file on an external disk, so you can access them later. Then delete everything from files to database and reupload the latest non corrupted files. That's what I did a few years back when a wordpress blog was hacked. Usually hackers setup multiple backdoors when/where they can, so a clean install is the safest way. And of course change your admin password + user and password that link the database to your prestashop if you do that. Otherwise your hacker might come back sooner rather than later...

Hackers don't care if you are small or big. Actually, smallest company are more badly hitten when a hack occurs since they don't have the people to simulate attacks and at the ready when something wrong is happening... That's why ransomware are very dangerous.

From what you are saying hack could either be coming from you or it could be related to a flaw on your provider part. If it's from the provider, changing would be very wise.

 

And if you are based in Europe, you also have to comply with the GPDR and announce to both customer and the organism responsible to apply the GPDR that you have been hacked (I believe it's 48/72H to the organism after you have discover the hack)...

 

I'm no expert in hacking issues but I hope you'll find a few useful tips in there. Good luck with solving your issue.

[The Pellet Guy]

Thanks Gotabor  some good tips there

No database dump has taken place as far as we can see  just a defacing of all sites I have on that server, its the first issue i have had with this host to date, i have asked the host for a rollback which they are being awkward about, I will lose some sales data,  but can compare the rollback directory structure to the downlaoded one i have  on my removable drive.

This is a real pain in the backside  

[pauld]

Backup everything. Analyze all backuped files and database for backdoors. 60G log file may or may not give you some hints..

Also consider possibility that your computer may be hacked..

I would also restore your backup in isolated environment without internet access..

From what you said about your provider, I wouldn't rely on their help. Are you using Cloudflare or similar service?

When you found something strange in your backed/log files, Notepad++ can help you with bulk search, even with regex search, to speed up recovery..

Also chceck all non thirtybees modules for security flaws..

What PHP version is running your stores? Is there something on your dedicated host what needs to be updated for security flaws?

 

[zen]

Yes, the best option for you is to scan files with some tools, and inspect all directories that seems suspect.

Otherwise you can just use you database (cleaned from any new admins or employees created) and install a brand new instance of TB.

It will take time anyway to be confident again on your system, but there might be a module that was the Hole for this to happen or your provider is just not secure at all.. change it fast !

 

Best regards 🙂 and Good Luck !

 

[Traumflug]

5 hours ago, The Pellet Guy said:

not even sure why this group has picked on me

Usually they don't pick anybody. They simply try their intrusion scripts everywhere. At least first steps are automated.

Everybody running a bare bones server is well aware that a server receives hundreds of hacking attempts every day just because this server happens to be connected to the internet.

[Traumflug]

3 hours ago, Gotabor said:

Actually, smallest company are more badly hitten when a hack occurs since they don't have the people to simulate attacks and at the ready when something wrong is happening... That's why ransomware are very dangerous.

Not really. Hacking as well as ransomware is dangerous to those not updating their operating system only.

Everybody can keep the system up to date. It's "just" a matter of actually doing it. However, most people see their system working and are unwilling think beyond that. There's more necessary than "works for me".

If there's something making small companies more vulnerable, it's that small companies are typically using managed hosting and there's not much influence on how carefully hosters keep updating the OS.

[The Pellet Guy]

3 hours ago, Traumflug said:

However, most people see their system working and are unwilling think beyond that. There's more necessary than "works for me".

 

I must admit to falling into that catagory, I far too often sit on my laurels, However once i get back up  things will change 

Thanks for all the tips guys  

apreciate it

[The Pellet Guy]

I think i found one of the issues somehow the hacker has uploaded a folder called bajatax via one of my Presta sites the day the problem started it looks like it was uploaded via a prestashop module,  they just defaced everything a couple of hours after this was installed,  now to find out what module they used  I found a lot of php files installed the same time  

[Madbits]

P.M. if you still need help.

Edited September 3, 2020 by Madbits

[pauld]

19 hours ago, The Pellet Guy said:

I think i found one of the issues somehow the hacker has uploaded a folder called bajatax via one of my Presta sites the day the problem started it looks like it was uploaded via a prestashop module,  they just defaced everything a couple of hours after this was installed,  now to find out what module they used  I found a lot of php files installed the same time  

Could you archive somewhere affected files? Im interested in finding a way and more in how/what their code can do to TB...

[The Pellet Guy]

4 hours ago, pauld said:

Could you archive somewhere affected files? Im interested in finding a way and more in how/what their code can do to TB...

I could zip these up and put them into a dropbox folder  not sure how safe that is  

The good news is i have one shopping cart back up and running its back in business and making sales my 3 retail stores now have a working POS and we can move forward,  all the malicious files have now been removed from the server and Im working on the  thirty bees site now it looks like this site was hit a little harder I Have got the site visable but all the product prices have been changed to zero cost, and I cannot get the catergory images to load, all other images are fine itried regenerating images but that didnt work,  in debug mode its chucking up a lot of errors mostly based around  config/defines_uri.inc.php  can i copy a fresh version across of this file or is it site specific and changes depending on the installation 

 

[datakick]

core updater --> bleeding edge 1.1.x. 

[The Pellet Guy]

You guys have been life savers   each and every one of you, both sites are now working as they should be.

Thank you for all the offers of help but I had to do this myself otherwise I will never learn,  4 hrs sleep in 2 days has taken its toll im shatterred and im going to have a beer and bed

I would like to share this little peice of gold i came across during this journey,  Astra firewall and malware scan module  its helped me get back up and running and works fine on Thirty bees  I was scepticle at first as it isnt the cheapest module but then what price do we put on our business, and now its sitting there in the background monitoring for issues.

Thanks guys It meens a lot having you guys on the end of a keyboard

 

 

Edited September 3, 2020 by The Pellet Guy

[The Pellet Guy]

My Bees site has gone wrong again all the prices vanished at around 12.30 BST  today  looks like I still have a rogue script doing some damage in the background,  I tried the core updater and this time i wasnt so lucky  so back to maintanence mode while I dig through it all again, whats strange this time is all the prices of the products appear and are correct when i open the back office products tab,  it just isnt transferring to the front end and there is no option to add to cart,  its almost as if the site is in catalogue mode  although that feature is clearly off

Im also not getting any errors in debug mode

Anyone have any clues?

 

 

[haylau]

Are pelletguys.co.uk and pelletguys.com both you?

[The Pellet Guy]

1 hour ago, haylau said:

Are pelletguys.co.uk and pelletguys.com both you?

yes

[haylau]

2 minutes ago, The Pellet Guy said:

yes

Just checking a rival was not playing silly beggars

[The Pellet Guy]

2 minutes ago, haylau said:

Just checking a rival was not playing silly beggars

I think we still have a rogue script or two 

[zen]

I the worst scenario, you can start again from "scratch", just keep the img folder after being scanned and be sure it's clean, and use just fresh files from TB, same version your database works with for now, inside the DB also check employees, be sure to not have added or modified account,  then modify the config file to connect to DB, then you are good to go for the first step, if it's working in BO and front.. you can start to rebuild the theme you used once cleaned or with new fresh files and add modules you need also from fresh sources.

This takes time, but if you have no clean backup and keep on being stucked it's almost the only way to be sure there is nothing left anymore.

Best regards.

[The Pellet Guy]

Thanks Zen  

 

A little update on this,  A deep server scan found over 170 instances of malware, thats additional to the files Astra removed from the two main website directories files were installed mainly in log folders in examining some of those files the content was quite shocking and it also looked like I was running some kind of sports tv server.

I have been removing these and rescanning periodically and it looks as if I have removed everything thats bad from the server Im just doing a final scan to check  the integrity of the server hopefully thats the end of it,  what was happening is I missed a couple of bad scripts and everything was back again the next day, lesson learnt!

 

This still leaves me with 1 small issue and im pulling my hair out over this one

I mentioned before that all the prices are missing from the website, so I made a test product followed the same route as before and no prices are visable,  I have checked and re checked show prices, turn off catalogue mode etc etc  and still no prices. please note all the prices are still intact and correct from the individual products page  and the master products page

My question is  would this be a database  issue?  (my concern of course is im trying to avoid a total rebuild)  and if yes using a fresh set of files with the old database would result in the same issue  or is this more likely to be a core file thats been over written and if so which one,  I have used the core updater a couple of times to replace changed files  and it fixed the issue first time round but not this time.

I can't help thinking Im somehow locked in Catalogue mode

 

Paul

 

 

Edited September 7, 2020 by The Pellet Guy

[haylau]

Prices being shown is also part of groups. Check the settings in Groups