Card hack...


Hi there, I am using PrestaShop version 1.7.6.1 and at the bottom of the order page there is a strange block asking for payment information... while it should not look like that.
Avast even detected malware in js/TudkM.js, and a customer had bank card information stolen.

I deleted that file and it was solved, but what should I do if I don't want that to happen again?
Update PrestaShop? Really? Scary...
Any idea is welcome!

Thanks


Hello
1. Install PC antivirus
2. Change all passwords: website, FTP, hosting
3. Save the database
4. Delete all files from FTP
5. Install the newest PrestaShop version
6. Install security modules

  • Like 1

We had a client come in where 'every' CC transaction, including customer info, was being transmitted to multiple IPs. They sell about 400k USD a month. We found the hack and the hack insertion, and now monitor his shop for any untrusted change.

ImunifyAV can help from the hosting side for Plesk/cPanel.

We are actually writing the above module as a Plesk extension; cybersecurity is like porn except you have to buy it.


On 6/7/2022 at 5:49 PM, El Patron said:

Hi we are just in the process of releasing our paid modules to PS Free Module section.

Our PrestaVault module will monitor and alert you of changes to your PS file system. Has restore capability and many other features.

Thanks, but the module doesn't protect the website from any attack, right?
It only shows you system module changes?


5 hours ago, PF22 said:

Thanks, but the module doesn't protect the website from any attack, right?
It only shows you system module changes?

Yes, it protects any files that you have not specifically told it to ignore.  I don't develop half ass solutions.  Also you could have found this out yourself by installing, it's free and well vetted.


9 hours ago, El Patron said:

Yes, it protects any files that you have not specifically told it to ignore.  I don't develop half ass solutions.  Also you could have found this out yourself by installing, it's free and well vetted.

Thanks for the answer. I prefer to ask before testing because I had so many problems installing new modules on PrestaShop before...
Last question: no need to have the latest PrestaShop version? I am using 1.7.6.1 and, here again, so many problems when updating.


4 hours ago, PF22 said:

Thanks for the answer. I prefer to ask before testing because I had so many problems installing new modules on PrestaShop before...
Last question: no need to have the latest PrestaShop version? I am using 1.7.6.1 and, here again, so many problems when updating.

The important part you are not doing is having a copy of your production shop to test things before moving to production. Every PS admin should be doing this. Go learn to build a copy of your shop; there is plenty of information on how to do so. Then you can admin with confidence.

  • Thanks 1

1 hour ago, El Patron said:

The important part you are not doing is having a copy of your production shop to test things before moving to production. Every PS admin should be doing this. Go learn to build a copy of your shop; there is plenty of information on how to do so. Then you can admin with confidence.

Thanks for your answer. I don't see the link with my post, but of course I have a copy of my production shop...


1 hour ago, PF22 said:

Thanks for your answer. I don't see the link with my post, but of course I have a copy of my production shop...

Then get to it. It's annoying when people ask dev nicky questions to put them on the hook for 'what if'; use the test system, then ask the dev if you have questions. So boring.

I can certainly understand your lack of confidence in modules etc. That is not because of our work; the best of us get thrown in with the mediocre.


  • 3 weeks later...
On 6/16/2022 at 6:36 PM, PF22 said:

Same problem again.
A new js file in my main js folder...

Please, did you solve it? We have the same problem: after deleting the hacked files, updating PrestaShop + changing all passwords, a week later the same problem again + we cannot log in to the admin panel at the same time. Viruses detected on the server: /classes/db/Db.php - /classes/Hook.php - /controllers/admin/AdminLoginController.php - /classes/Dispatcher.php - /classes/Hook.php and an inserted file /app/Mage.php
But we still don't know where it's rooted so that the same problem doesn't keep coming back to us.
Well, thank you

  • Like 1

34 minutes ago, Maxflor said:

Please, did you solve it? We have the same problem: after deleting the hacked files, updating PrestaShop + changing all passwords, a week later the same problem again + we cannot log in to the admin panel at the same time. Viruses detected on the server: /classes/db/Db.php - /classes/Hook.php - /controllers/admin/AdminLoginController.php - /classes/Dispatcher.php - /classes/Hook.php and an inserted file /app/Mage.php
But we still don't know where it's rooted so that the same problem doesn't keep coming back to us.
Well, thank you

Unfortunately, I have not found any solution so far.
One thing to note: it seems there is a problem on our VPS, which could be the first problem of the hacked files.
Hope it helps...


  • 2 weeks later...

There are basically two ways to inject messy and creepy files onto a server. One is using an FTP account, and the other is a file uploader other than FTP.

If you have been under attack, you should check the source through which the file is being uploaded to your server. If it is an FTP account, that is too scary; you should ask your hosting provider for a guide. If it is not FTP, then there might be some corrupted modules that you have installed which open a backdoor for the hackers to upload more files, just like the JS file that you have mentioned. A best practice is to monitor your files and get alerted if any changes happen which are not from your side. The other thing is, you had better keep multiple backups in series. Sometimes hackers just put in a backdoor, wait for a while until all your old backups are replaced with new, corrupted backups, and then do the nasty stuff.

  • Thanks 1
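
Added example (not part of the original posts, and not code from PrestaVault or any module named in this thread): a minimal file-change monitor in Python of the kind recommended above. It records a SHA-256 baseline of the shop tree and later reports added, modified and removed files; the ignore list, the script name `fim.py` and the baseline file name are assumptions.

```python
import hashlib
import json
import os
import sys

# Assumption: directories that change during normal operation and are skipped.
IGNORE_PREFIXES = ("var/cache/", "var/logs/")

def snapshot(root, ignore=IGNORE_PREFIXES):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore):
                continue
            if os.path.islink(full):  # record the target, do not follow it
                manifest[rel] = "link:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def diff(baseline, current):
    """Compare two manifests and list what changed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def check(root, baseline_path):
    """Load a saved baseline and diff it against the tree as it is now."""
    with open(baseline_path) as fh:
        return diff(json.load(fh), snapshot(root))

if __name__ == "__main__":  # usage: fim.py baseline|check <shop_root> <baseline.json>
    mode, root, path = sys.argv[1:4]
    if mode == "baseline":
        with open(path, "w") as fh:
            json.dump(snapshot(root), fh, indent=1)
    else:
        print(json.dumps(check(root, path), indent=1))
```

Keep the baseline file somewhere other than the web server, since anyone who can write to the shop tree could otherwise rewrite the baseline as well.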

34 minutes ago, stifler97 said:

There are basically two ways to inject messy and creepy files onto a server. One is using an FTP account, and the other is a file uploader other than FTP.

If you have been under attack, you should check the source through which the file is being uploaded to your server. If it is an FTP account, that is too scary; you should ask your hosting provider for a guide. If it is not FTP, then there might be some corrupted modules that you have installed which open a backdoor for the hackers to upload more files, just like the JS file that you have mentioned. A best practice is to monitor your files and get alerted if any changes happen which are not from your side. The other thing is, you had better keep multiple backups in series. Sometimes hackers just put in a backdoor, wait for a while until all your old backups are replaced with new, corrupted backups, and then do the nasty stuff.

Thanks a lot @stifler97! At least a clear answer that explains what the problem is and gives ideas to find a solution! Great help!


On 6/7/2022 at 5:49 PM, El Patron said:

Hi we are just in the process of releasing our paid modules to PS Free Module section.

Our PrestaVault module will monitor and alert you of changes to your PS file system. Has restore capability and many other features.

El Patron, where is your PrestaVault Addon to download?

I couldn't find it.


12 hours ago, BlackCrow said:

El Patron, where is your PrestaVault Addon to download?

I couldn't find it.

https://www.addons.prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346635983

We no longer offer it for free, but it is still the only significant defense against malware or other untrusted change for 'any' open source.


8 hours ago, BlackCrow said:

Thank you El Patron, I downloaded the module yesterday when it was still free ;)

I'll try it tomorrow.

That's perfectly fine, enjoy. I originally wrote this when my PS module shop was hacked back in the 1.4 days. Funny, we submitted it to Addons but it was rejected because we have HTML in the code, but that is because PS helpers do not work when run as a cron job. It's a French thing. Me? My country walked on the moon 6 times 50 years ago.


@El Patron

Why has the module just now become chargeable? Yesterday it was free and now - after a massive problem was detected - it can only be purchased. Your module was available for free for years.
I have nothing against good paid modules. But as soon as a massive problem occurs, to make a module chargeable... is a no-go for me, sorry.


1 hour ago, Netagent said:

@El Patron

Why has the module just now become chargeable? Yesterday it was free and now - after a massive problem was detected - it can only be purchased. Your module was available for free for years.
I have nothing against good paid modules. But as soon as a massive problem occurs, to make a module chargeable... is a no-go for me, sorry.

Because those that downloaded for free are not very appreciative of the work. Not one like or thanks; they use fake emails only to realize they need the link sent to them. Not much satisfaction on my side in providing free work. I never developed modules for money but for my own shops and my clients.

No go? Don't care, and you are a good example of why I won't be offering free work.

You can guess what I'd really like to tell you.


As I already wrote: I have nothing against good paid modules. And also there I recognize the performance AND even help with problems. But either I give a module for free or I sell a module directly commercially.  Making a module chargeable only from the time when obviously many need it - while it was just free for years before - is not the fine way.
What you want to tell me, I can already guess...
But that doesn't change my attitude.
