thirty bees forum

HELP! I am hacked!!!


vsn

Question

Hi all, for several weeks the number of orders has been rapidly dropping. I checked the ordering process and was shocked to see the payment options. Instead of the classical PayPal and bank transfer methods there is a strange payment method asking you to enter your credit data, see below. I guess this is fake code :((( What should I do?

TB 1.1, the shop is now in maintenance mode.

 

[attached screenshot]


Recommended Posts

  • 0

If you are hacked and the bad actor installed this on your site, there should be some traces in the modules folder (most likely). If you have not updated recently you can FTP there, sort by date and check the most recent entries.


Disinfecting is really hard.

You can try the following:
1. Change your cpanel/hosting/ftp password (use only secure ftp)

2. Change your backoffice password. Install recaptcha module and activate it for BO.

3. Install antivirus on your device and check for keyloggers (least likely).

4. If during your investigation you or your hosting receive info on when the penetration occurred, you can revert to an earlier backup. Don't mind the lost orders or user registrations. The backup is important as you're never sure where the bad actor put their files that allow them to regain access. It can be in the img folder too, go ahead and find anything there; it might be renamed as a normal system file too...

5. If you manage to trace the malicious code please send it to @Datakick so he can investigate

6. If you have hosting antivirus you can run this also to try and trace the bad code, but removing this file is not always enough; it's good for tracking the issue.


After you trace the infection you should update to the latest edge, update all your modules to their latest version also the theme. Most likely it's some sort of code injection.

In order to try and check if there is code injected in the core files you can go to BO->Advanced-> Configuration information and look for changed files.

After that, depending on your location and regional law requirements, you should contact the authorities and announce this incident.


  • 0

Most likely this is a modified payment page template, just to collect data, and when clicking on "place order" the data gets sent out but no real order is placed and it is therefore not visible in the backoffice.

Are your first 4 order steps working normally?

If yes, then at least one of the following templates was modified:

order-payment.tpl
order-payment-advanced.tpl
order-payment-classic.tpl

 

 

Edited by toplakd

  • 0

Oh, that's scary. 

Stage 1) remove the infection.

  • use core updater and/or Configuration information to figure out if core files were modified. Use core updater to fix that
  • look for any modules that you didn't install
  • check your overrides. You can use overridecheck module to list all existing overrides. 
  • check the theme for any modification.
  • Take note of all modified or new files. Write down file creation/modification dates.

Stage 2) strengthen your store

  • update core to latest bleeding edge 1.5, if possible. There were a lot of security fixes
  • rename your admin directory
  • change all sensitive information in /config/settings.inc.php, including
    • _DB_PASSWD_ - you will need to change password for your database user first

    • _COOKIE_KEY_, _COOKIE_IV_

    • _PHP_ENCRYPTION_KEY_

    • _RIJNDAEL_KEY_, _RIJNDAEL_IV_ 

  • Delete all modules that you don't use. Even if they are not installed, they can pose security risk. Delete them.

Stage 3) figure out attack vector

  • updating your store to the latest version and deleting unused modules may or may not have fixed the vulnerability. If not, the attacker can use it once again to get access to your store. You need to figure out how they got access
  • look into your server Access logs
  • It will help if you know the approximate time of attack (from file modification time)
  • search for group of weird requests. Something like this
nginx_1  | [29/Apr/2023:03:43:02 +0000] "GET /.git/HEAD HTTP/1.1" 403 153 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /nmaplowercheck1682739782 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /localstart.jhtml HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /CSS/Miniweb.css HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /5Mrh HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /Portal0000.htm HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bbbb0100000001" 400 157 "-" "-" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "POST /sdk HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /robots.txt HTTP/1.1" 200 36 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /__Additional HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /HNAP1 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "POST /scripts/WPnBr.dll HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
  • within this group, search for requests that succeeded - response code 200. POST and PUT requests should be the first to investigate. check the php scripts for requests that succeeded
  • check requests with response code 500. it can be indication of some vulnerability

If you are unsure how to do all that, you can and should hire somebody to help you with all that. 

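The Stage 3 log triage above, as an added example that is not part of the original post: it parses lines in the layout shown, isolates probe bursts, and orders the follow-ups as described (successful POST/PUT, other 200s, then 500s). The burst thresholds are assumed heuristics and the module paths in the sample are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Layout as shown in the post: [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>.*?)" (?P<status>\d{3}) \d+ "[^"]*" "[^"]*"')

def parse(line):
    m = LINE.search(line)
    if not m:
        return None
    parts = m["req"].split(" ")
    # Binary junk such as "\x0E\x00..." has no METHOD PATH PROTOCOL shape
    method, path = parts[:2] if len(parts) == 3 and parts[0].isalpha() else ("-", m["req"])
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(m["status"])}

def probe_bursts(entries, gap=timedelta(seconds=2), min_paths=5, max_ok_share=0.5):
    """Keep rapid runs that touch many paths and mostly fail (assumed reading of 'weird')."""
    runs, run = [], []
    for e in entries:
        if run and e["ts"] - run[-1]["ts"] > gap:
            runs.append(run)
            run = []
        run.append(e)
    if run:
        runs.append(run)
    def weird(r):
        ok = sum(e["status"] == 200 for e in r)
        return len({e["path"] for e in r}) >= min_paths and ok / len(r) <= max_ok_share
    return [r for r in runs if weird(r)]

def triage(burst):
    """Order follow-ups: successful POST/PUT first, other 200s next, then 500s."""
    def rank(e):
        if e["status"] == 200:
            return 0 if e["method"] in ("POST", "PUT") else 1
        return 2 if e["status"] == 500 else None
    return sorted((e for e in burst if rank(e) is not None), key=rank)

# Constructed sample in the same layout; the module paths are hypothetical.
SAMPLE = r"""
nginx_1  | [29/Apr/2023:03:10:30 +0000] "POST /index.php?controller=cart HTTP/1.1" 200 310 "-" "Mozilla/5.0" "-"
nginx_1  | [29/Apr/2023:03:43:02 +0000] "GET /.git/HEAD HTTP/1.1" 403 153 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /HNAP1 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "\x0E\x00\x00bbbb0100000001" 400 157 "-" "-" "-"
nginx_1  | [29/Apr/2023:03:43:03 +0000] "GET /robots.txt HTTP/1.1" 200 36 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:04 +0000] "GET /modules/example_a/ajax.php HTTP/1.1" 500 0 "-" "curl/7.54.0" "-"
nginx_1  | [29/Apr/2023:03:43:04 +0000] "POST /modules/example_b/upload.php HTTP/1.1" 200 12 "-" "curl/7.54.0" "-"
"""
ENTRIES = [e for e in map(parse, SAMPLE.splitlines()) if e]
```

The ordinary cart POST at 03:10:30 is not reported because it sits outside the burst; only requests inside the probing window are ranked.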

  • 0

Hi all, thanks a lot for your replies, very much appreciated!

My logic is the following. I have code that is somehow modified/hacked. Backups from the hoster are affected as well (only 10 days are backed up, which is not enough). But I have my own backup, 1 year old. During this time, I have not changed anything (still the same TB version, the same Panda theme... I just added maybe 5 new products...), so from a code perspective this should be fine. And I am sure this backup was not modified. So I can use the backup to restore the shop. Correct?

Next, the database. My assumption: this is not affected. Generally, I think such hacks are done in code, not in the database. Hence I can use the current one, just connecting it to the restored code. It has huge advantages that all data (users, stock, orders, payments etc.) are there.

Is this correct? Can this replace / short-cut "Stage 1) remove the infection" @datakick


  • 0
1 hour ago, vsn said:

So I can use the back up to restore the shop. Correct?

Yes, as long as it's a full backup. You shouldn't merge it into the current root directory, but delete everything (or rename your root directory) and replace it with your backup.

 


  • 0

Hi,

If you restore your entire backup, it will solve the problem of the current hacking, but it will not prevent the hacking of your site again. You must secure your entire site by identifying and fixing the flaw that is certainly present in the code of a module and that allowed the hackers to set up this hacking.

These attacks have been important on PrestaShop for more than a year; I have devoted several articles to the subject.

https://www.mediacom87.fr/en/how-to-prevent-hacking-on-prestashop-and-thirty-bees/


  • 0

I am not sure if it's a coincidence, but I am under attack right now. I also got an email about a security hole. Not sure if it's real or not...

The attacker sends all kinds of forms. They have even opened a customer account (in my case this removes captcha). The customer account was even opened two times with the same (email). So this was probably also due to some kind of form submission...

Edited by wakabayashi

  • 0

@Mediacom87 you are absolutely right. Once it is done, it can be done again and again. That is why I am looking for the modified code.

In your link there is a script proposed by Eolia. Did you use it? What is your feedback?

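One way to look for the modified code when a trusted older backup exists, as described earlier in the thread (an added example, not part of any post and not the script from the linked article): compare the live tree against the backup by SHA-256 and list added, changed and removed files with their modification times. The `VOLATILE` directory list and the `.php` suffix check are assumptions to adjust per shop.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Directories whose contents change in normal operation (assumed list).
VOLATILE = ("cache", "log", "img")

def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare(backup_root, live_root):
    """Return (status, relative path, mtime) for files that differ from the backup."""
    old, new = index(backup_root), index(live_root)
    findings = []
    for rel, path in sorted(new.items()):
        if rel not in old:
            status = "added"
        elif digest(path) != digest(old[rel]):
            status = "changed"
        else:
            continue
        # New product images are expected in img/; new PHP files there are not.
        if status == "added" and rel.split("/")[0] in VOLATILE and not rel.endswith(".php"):
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        findings.append((status, rel, mtime.isoformat(timespec="seconds")))
    removed = [("removed", rel, "") for rel in sorted(old.keys() - new.keys())]
    return findings + removed
```

Run it on a copy of the compromised tree before wiping it, for instance `compare("backup/", "live_copy/")`; the reported modification times give the window to search in the access logs.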

  • 0
51 minutes ago, the.rampage.rado said:

I see that eolia is pushing his custom PS1.6.2.x version; why not offer him to join TB and implement the improvements/fixes here? Our core is still very compatible with PS1.6 but has plenty of fixes and new features.

Eolia knows TB; if he has not switched to it, he must have his reasons. PhenixSuite is an alternative that he has developed internally to let his customers evolve while remaining on the basis of PS 1.6, and he offers this version as it is, with the risks of problems inherent to a solitary development.


  • 0
9 minutes ago, Mediacom87 said:

Another article about security on PrestaShop: https://www.mediacom87.fr/en/proactive-or-corrective-prestashop-security/

Yes, I know captchas don't help with hacking 😛

Regarding this article - thanks, nice information. Have you tested this security module with TB? I see it's compatible with 1.6 and 1.5.


  • 0

@datakick helped me to investigate my issue. It's not related to @vsn, I believe. In my case the 'ph_simpleblog' module had a severe security hole. I must say that I haven't updated this module for years. I would expect that there were fixes, as the issue of this module was actually officially known. Btw the dev of this module is now working for the PrestaShop company. I am sure he wouldn't make this error again, but it reminded me of a few things:

  • It can hit everyone (I use only a handful of external modules) -> make sure you have up-to-date backups.
  • Update your store (with core updater bleeding edge) and modules regularly 
  • Delete all stuff (especially modules) you don't need.
  • Make sure, you have a contact person, who can help you in such a situation. Such a finding will lead to a lot of stress. It's very important, to have an expert, who knows, what is going on and whom you can trust. @datakick is the obvious choice for all tb users.

  • 0

I have just worked on the site of a client who is undergoing attacks, and the list of all the modules tested to take advantage of the flaws present in some of them is quite impressive.

The list is getting longer and longer and the techniques are more and more devious since the hacker identifies the visitors who are also connected to the backoffice in order not to present them the pirate payment form, in order to make the detection longer and thus maximize the stolen bank details.

As TB is identified as PrestaShop, it is easy to understand that the attacks against TB will increase and affect the whole community.

 


  • 0

Hi all,

good news, I was able to restore the web space based on my private backup. Unfortunately, my hoster keeps backups only for the last 10 days, which was not enough >> so keep your backups!!!

1. After restoring I am facing a folder / file server permission issue. They are somehow mixed. It is currently like this. Is this correct? Is there any way to fix them by a script?

[attached screenshot]

2. @datakick thanks a lot for the great guidance! This is really helpful! I am on stage two. How / to which values should I change the following?
    • _COOKIE_KEY_, _COOKIE_IV_
    • _PHP_ENCRYPTION_KEY_
    • _RIJNDAEL_KEY_, _RIJNDAEL_IV_ 


  • 0
12 hours ago, vsn said:

2. @datakick thanks a lot for the great guidance! This is really helpful! I am on stage two. How / to which values should I change the following?
    • _COOKIE_KEY_, _COOKIE_IV_
    • _PHP_ENCRYPTION_KEY_
    • _RIJNDAEL_KEY_, _RIJNDAEL_IV_ 

You can download this php script, upload it to your store root directory, and then open https://www.yourstore.com/genkeys.php

genkeys.php

Keys for Rijndael should not be needed. Just ensure you are using "Use the PHP Encryption library" as your ciphering algorithm (in Advanced Parameters > Performance)
