A'm I alone?

[jgk-dk]

I have installed v 1761 and for the second time it was spoiled from a hacker - I have his IP and also log file from my server as well from prestashop.

Is it possible that some has a interest in finding out why Prestashop don't tell that there are a backdoor open in Prestashop or the module they sell.

 

[PrestaHeroes USA]

why do you assume it's PS?  most often hacks are via ftp, maybe you loaded a free module, run wp on same hosting and any number of other reasons,   I'm not convinced that it's a PS issue.

[jgk-dk]

Well I'm sure that PS is open since this is number 2 installation there has same visit..

The first was a remove of a theme where the seller never had access to BO but he anyhow succed to remove it...

Same IP was again yesterday on my site and now it's not working, so there are a backdoor in other places than the theme.

 

[Henrik41]

General rules for my shops:

     1. I always audit my servers. I have a VPS and do my own security audits. My operating system is always uptodate too. Maintenance is key.

     2. I never download nulled stuff. If you do please scan it for Malware ad virus online.

    3. I constantly run a scan on my server for any signs of Malware/virus via clam scan.

    4. I try to keep Prestashop up to date though not easy since I have customized lots of stuff. I document every single deviation I do on the core files.

    5. I do not give access to my server to anyone I do not physically know or trust.

    6. I change my passwords at least every 3 months. My passwords are complex.

    7. I have httpauth unabled.

    8. Obviously I have a firewall that I monitor.

 

Maintenance is key if you do not want to get hacked. Even with all that I monitor my server and tons of hackers try to get in.

Hope this helps.

 

 

[jgk-dk]

Hi

Thx a lot but first of all both version there was hacked was new installation, 1.7.2 and 1.7.6.1.

The first was with a bought theme from prestashop and i try in 4 month to get help with it from the seller and in the end I got a refund, suddenly the IP i know has removed it.

Pls I didn't give any access to my backend. So there must be a back door.

The second installation without the theme (new 1761) again he came in without the  theme installed through a backdoor - so prestashop has a back door,

pls look at spy.shop.dk 

But it's so strange that none show any interest in finding this backdoor not even Prestashop themself......

Are we as user just in the hands of people there risk our shops?

 

[Antoine F]

Hello everyone,

@jgk-dk I don't think that this issue is related to the PrestaShop solution.
As you mentioned in this thread, you think that it's due to a specific theme. I'm going to send you a private message to get more details (edit: PM sent). This way, our team will be able to look into it. 

To fix the issue that you encountered, I suggest you contact a freelance/agency.

Best,
Antoine

[PrestaHeroes USA]

my last comment, we buy from PS addons whenever possible, they have a very good module validation that helps us make secure themes/modules and also gives us confidence when we buy from addons for our clients.

[jgk-dk]

Hi all

It seems that you don't understand the issue.

First of all the theme and module I use is all from PS - and AGAIN there have been none with access to BO.

The Theme was removed from a IP 37.120.131.142 and this IP spoiled mu shop.

I started all over with latest 1761 and again without the theme and new password ect he come back in.

latest today at 

Back Office forbindelse fra 37.120.131.14200 2019-10-31 18:51he uses my new admin account????

It seem that none have any interest in solving this backdoor since all I here is irrelevant feedback - none has been asking about log or other proof for my problems there endeed are all prestashops

 

[PrestaHeroes USA]

then you have corrupted hosting or bad file permissions are someone has your ftp credentials...loads of ways they can hack you.....you should hire ps person with linux to review your setup....100's of shops built,  loads of dev shops and we have never seen a hack.

none interested, dude you think with your vague description and no really detail someone can solve this in forum, that's ridiculous.  You should say thanks to anyone that trys to help and provide advice and not be so rude.

 

 

[jgk-dk]

No he catsch my admin direct from ps

[jgk-dk]

Back Office forbindelse fra 37.120.131.142    00 2019-10-31 18:51login with my admin account

When I change the admin account and admin folder he find it again

37.120.131.142 - - [31/Oct/2019:18:49:13 +0100] "GET /2402/index.php?controller=AdminDashboard&token=616d74ed259e9b392873a57f33bc8b8f" 404 43431 "https://spy-shop.dk/2402/index.php?controller=AdminLogin&token=532845ffdaeb7b62b8840a5deae79604&redirect=AdminDashboard" "Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"

Here he started to login with the old admin folder

[Henrik41]

Hey jgk-dk,

    I just checked your server IP and it is 93.191.156.197

    This is a shared server running Apache!  There are 246 domains hosted on this server. Even I could get in easily.

    Shared server are not secured by definition. https://willem.com/blog/2019-02-28_understanding-the-security-concerns-in-shared-hosting/

     This is your problem you need to solve first. This also explains why he gets your admin address since it is easy to find it when in the server. 

     Take a VPS or dedicated server if you want to increase your security.

     Also check your router for any malware and never ever go to Starbucks or any other public free Wifi with your Prestashop admin opened (It happened once to me and I catched the guy!).

     I highly encourage you to learn about security and build your ecommerce accordingly.

Regards

 

[jgk-dk]

Hi Henrik

Yes I don't host it myself, to start with it was a backdoor in my theme since when I got a refund he get in and removed it.

This is the issue and the log file show how he do it step by step.

I'm sure my host is doing what they can to provide security to there customer.

But I'm also sure that there are a backdoor in Prestashop and the module/theme they sell.

I'm not a fool and i don't use cellphone to my shop or wifi.

I know that a line is more secure than wifi.

But tell me why you have no interest in see the logfile????

I have changed all yesterday and again today he came in also after I removed a module he was very interested in.

Now it seems that he use:

37.120.131.142 - - [31/Oct/2019:18:49:14 +0100] "GET /js/jquery/plugins/growl/jquery.growl.css" 200  "https://spy-shop.dk/2402/index.php?controller=AdminDashboard&token=616d74ed259e9b392873a57f33bc8b8f" "Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
 

Then he find the new folder of admin.

[Henrik41]

Log file is not useful since he is using probably a proxy. 

What your log says is just that he got in your admin.

Like I said the less people in your server the best it is.

If you think the module or prestashop has an issue just run a security scan on it. You can use clam software as it catches most of the malware. Also you can do it online via virus scan.

 

[selectshop.at]

@jgk-dk The IP you are mentioning is a known fraud/spam IP. You should use better server security. If you are on shared server, than ask for help of your provider. If you are on VPs than add the range or IP to your firewall our make use of ip-routing. Change also your mail-account and login details for your Shop-Admin. The attacker is scanning your server for mail-accounts and passwords. It's not really a Prestashop problem, but a mailserverproblem and the database he is attacking/reading.

https://ipinfolookup.com/37.120.131.174

https://cleantalk.org/blacklists/37.120.131.142

[jgk-dk]

Thank you for your info.

Again he has removed a theme from my server without having any legal access to my host - so there are a backdoor.

[selectshop.at]

For to remove something, he need to have access details (login details). So there are only two possibilities for this. You told him login details, or your server is having a severe security hole in the system and the attacker can read database where login details are stored. It's not a Prestashop problem, but a system security problem, if attacker can read data stored into database.

Check also your FTP for any file or folder with permissions 777. This is high security risk. In this case you are giving to the whole world permissions, for to read, write and execute things on your server as well. You should not give more chmod than 0750/0755.

Change server login credentials. Change shop-admin credentials. Change FTP credentials. Change database credentials. If you don't know how to do all this, than ask for assistance of your provider.