[SOLVED] My site has been compromised - is this related to the recent vulnerability?


NixxxoN

Hello there, I use PS 1.6.1.7, and my site has been recently compromised in the last few days, and I didn't do anything or install any strange module... the site had been working perfectly fine for almost 3 years!.... Those are the things that have been messed up:

-Categories show no products (but indicate there are products, and they are still visible in back office), all the products are still accessed through direct link. Products seem all OK in backoffice, I can edit them no problem, and they are associated correctly in the categories and manufacturers.
-Categories section in back office messed up... When you go to the categories page in back office you see nothing, but when you create one, you can still see them in the options (to place the new category into an existing one, etc)
-Left column gone from everywhere
-Home image slider gone (the images are still in the FTP directory but in backoffice it shows nothing)
-CMS in backoffice appears to be blank (but the files can still be accessed through direct link)
-Top horizontal menu messed up (many links are gone), but everything looks fine in backoffice
-Shop search statistics all gone (backoffice)
-When you look products by each manufacturer, it still tells how many products for each one are there, but when you click any manufacturer, it says no product at all.
 

This is the website: http://www.taller-reyes.com
This is how it used to look (archive.org): https://web.archive.org/web/20190413194617/http://www.taller-reyes.com/ca/


I have checked the FTP and all, there seems to be no PHPunit there, I haven't seen any obvious changes in files but many folders strangely say "last modification" to today but files aren't...

I have checked "modified files" and those are the following:

adminXXXXXXXXX/backups/.htaccess
adminXXXXXXXXX/export/.htaccess
adminXXXXXXXXX/import/.htaccess
adminXXXXXXXXX/themes/default/js/tree.js
adminXXXXXXXXX/themes/default/template/error.tpl
adminXXXXXXXXX/themes/default/template/controllers/cart_rules/product_rule.tpl
adminXXXXXXXXX/themes/default/template/controllers/modules/index.php
adminXXXXXXXXX/themes/default/template/controllers/modules/tab_modules_list.tpl
adminXXXXXXXXX/themes/default/template/controllers/products/helpers/form/form.tpl
adminXXXXXXXXX/themes/default/template/controllers/themes/helpers/view/importtheme_view.tpl
classes/cache/index.php
controllers/front/ContactController.php
js/jquery/plugins/jquery.validate-creditcard.js
js/jquery/plugins/alerts/jquery.alerts.css
js/jquery/plugins/alerts/jquery.alerts.js
js/jquery/plugins/jstree/jquery.jstree.js
js/jquery/plugins/jstree/themes/apple/style.css
js/jquery/plugins/jstree/themes/classic/style.css
js/jquery/plugins/jstree/themes/default/style.css
js/jquery/plugins/jstree/themes/default-rtl/style.css
js/jquery/plugins/smartWizard/jquery.smartWizard.js
js/jquery/plugins/treeview-categories/jquery.treeview-categories.async.js
js/jquery/plugins/treeview-categories/jquery.treeview-categories.sortable.js

 

Please I need urgent help, we have invested so much time and effort into the website!! Thanks in advance...


Just now, ndiaga said:

Hi,

So no need to worry.

I think you just changed the module configurations without knowing it.

A new theme installation can change the module configurations.

 

I haven't changed anything for months...
I just added some products from time to time, that's it. Very strange

I have the default theme, how can I install the default theme again?? No clue...


9 minutes ago, adversor said:

Did you try to upload an earlier database backup? Maybe something was messed up in your database only.

 

I thought about this, it's very strange, the files seem ok in the FTP, I have been using FileZilla and file comparison and all files are there and no strange stuff is there, or no important files missing...

How can I know if my database is messed up?


10 minutes ago, JBW said:

Maybe your webhoster has changed the PHP version or some other server setting? Have you used SSL Certificate earlier - at least I see there is nothing available now...

I already asked them about this, and no they haven't changed anything at all.
I also haven't used SSL.

The only thing I did recently was install the "PS Rich Snippets and Breadcrumbs" and I saw that it didn't work so I disabled it.... That's the only thing I can remember doing lately...


1 minute ago, NixxxoN said:

So same thing happened to you? Is your website ok?

Everything seems fine. I checked everything you wrote above, and I found no problems, but now I'm a bit more curious. I didn't find any files with the PHPunit so I figured I was fine.


1 minute ago, Juan Rios1 said:

Everything seems fine. I checked everything you wrote above, and I found no problems, but now I'm a bit more curious. I didn't find any files with the PHPunit so I figured I was fine.

So, maybe any expert here can tell if the folders thing is normal or not because I find it very strange and makes no sense...


10 minutes ago, Juan Rios1 said:

I found a module by csoft. It's free! https://boutique.comonsoft.com/gb/free-prestashop-modules/31-phpunit-remove.html

I ran it and got the following messages:

Your Prestashop appears not to have been compromised.

No vendor/phpunit folder found in modules PrestaShop directory. Your Prestashop appears to be safe.

 

Yes I checked manually if there was a folder like that, I don't have it either, PHPUnit is discarded in my case.
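
The two manual checks mentioned in this thread (looking for a `vendor/phpunit` folder under `modules`, and folders whose "last modification" is recent while their files are not) can be scripted as below. This is an added example, not part of any post here and not the csoft module's code; the function names and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example: file-system triage for a PrestaShop install.
# Usage (assumed): sh triage.sh /path/to/shop [days]

# Print every vendor/phpunit directory found below <root>/modules.
# No output corresponds to the "No vendor/phpunit folder found" result.
find_phpunit_dirs() {
    root=$1
    [ -d "$root/modules" ] || return 0
    find "$root/modules" -type d -path '*/vendor/phpunit' -prune -print
}

# Print directories modified within the last <days> days that hold no
# regular file modified in the same window. A directory's mtime moves
# when an entry in it is created, deleted or renamed, so these are the
# folders where something was added or removed without leaving a
# recently dated file behind. Uploads that preserve timestamps and
# temporary files from FTP clients produce the same pattern.
recent_dirs_without_recent_files() {
    root=$1
    days=$2
    find "$root" -type d -mtime "-$days" | while IFS= read -r d; do
        if [ -z "$(find "$d" -maxdepth 1 -type f -mtime "-$days" | head -n 1)" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Run both checks when a shop root is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "vendor/phpunit directories under modules:"
    find_phpunit_dirs "$1"
    echo "recently changed directories without recently changed files:"
    recent_dirs_without_recent_files "$1" "${2:-7}"
fi
```

A directory listed by the second check is only a place to look more closely, for example by comparing its contents against a clean copy of the same PrestaShop version.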


Can you check in Advanced Parameters > Configuration Information what your PHP version is? Could be the hosting switched to some new one like PHP 7.

Also you can try to turn on debug mode and see if there is any clear error.

And do you have WordPress or Drupal on the same server?


35 minutes ago, razaro said:

Can you check in Advanced Parameters > Configuration Information what your PHP version is? Could be the hosting switched to some new one like PHP 7.

Also you can try to turn on debug mode and see if there is any clear error.

And do you have WordPress or Drupal on the same server?

PHP version hasn't changed, it's an old one... 5.2.6

The site is in a shared server hosting along with many other websites (not from us)

I just enabled debug mode... errors all over the place!!
Can you tell me what is this about?


First, do try to use at least 5.6, even though that is obsolete right now.

That error is strange but seems to have a connection with /tmp folder permissions.

First few links from Google:

https://serverfault.com/questions/84890/cant-create-write-to-file-tmp-sql-xxxx-myi-errcode-13

https://www.digitalocean.com/community/questions/can-t-create-write-to-file-tmp-sql_1f98_0-myi-errcode-28

https://www.cyberciti.biz/faq/mysqld-innodb-error-unable-to-create-temporary-file/

Not sure if you have access to that folder, but try the mentioned changes. Or ask your hosting company to help.

And shared hosting is generally not recommended.


7 minutes ago, razaro said:

First, do try to use at least 5.6, even though that is obsolete right now.

That error is strange but seems to have a connection with /tmp folder permissions.

First few links from Google:

https://serverfault.com/questions/84890/cant-create-write-to-file-tmp-sql-xxxx-myi-errcode-13

https://www.digitalocean.com/community/questions/can-t-create-write-to-file-tmp-sql_1f98_0-myi-errcode-28

https://www.cyberciti.biz/faq/mysqld-innodb-error-unable-to-create-temporary-file/

Not sure if you have access to that folder, but try the mentioned changes. Or ask your hosting company to help.

And shared hosting is generally not recommended.

PHP 5.6 is the recommended version for 1.6.1.7?
We want to keep this site as it is for now, so just want to fix this issue, it is a small company, no resources for updating all the time.
I'll consider moving to a not shared hosting, but a cloud one, if the problem doesn't get solved.
The hosting company is not really the best and most competent I've worked with, really... but now that I have more clues on what is the exact problem I'll call them again to see if this gets solved.
Thanks, the debug mode really helped, I don't know why I didn't think about it earlier...


  • razaro changed the title to [SOLVED] My site has been compromised - is this related to the recent vulnerability?
