Are we getting hacked on 8.1 or is a PS bug?

[tivicrdotcom]

Hello fellow Geeks,

We are running 6 prestashop stores on the 8.1 latest version, every morning we are facing the same issues.

1. Front Office works.
2. Back Office doesn't because is missing file Symfony/Component/Cache/Traits/PhpFilesTrait.php so no biggie, we upload the file again and voilá, access to BO is granted again.
3. Now we navigate through the BO but whenever we click on any admin link it returns another error, this time because is missing vendor/twig/twig/src/Environment.php so no biggie again, we re-upload it and everything is smooth until the next morning.

We are noticing some weird time logs on our server at 4:38:21 am

Anybody has any clue of what's going on? Thanks in advance!

regards,

AJ

Edited October 26, 2023 by tivicrdotcom
added an image (see edit history)

[tivicrdotcom]

Same issue everyday, so, is there a way to maybe automatically schedule those files to automatically upload every morning? I would just need to upload the index.php main file, also this one Symfony/Component/Cache/Traits/PhpFilesTrait.php and this one vendor/twig/twig/src/Environment.php

[Nickz]

Where do you host?

In some hosts staff likes to make extra money.

[tivicrdotcom]

Greetings Nickz, appreciate your response. Currently, we're using Godaddy shared hosting, but we're in the process of transitioning to a VPS within Godaddy. This move allows us greater server control and enables us to implement additional security measures like antivirus and firewall protections for our websites. Surprisingly, we hadn't considered the possibility of unfair practices by hosting companies, but I suppose anything can happen.

We've conducted a site scan, and it revealed no spyware or vulnerabilities. However, it's conceivable that something might be infecting our site from within.

regards,

AJ

[Nickz]

2 hours ago, tivicrdotcom said:

We've conducted a site scan, and it revealed no spyware or vulnerabilities

what does your access log give away? Also in the BO you have acces to logfiles.

[idnovate.com]

Maybe these files are removed by an antivirus?

[tivicrdotcom]

On 10/30/2023 at 4:30 PM, Nickz said:

what does your access log give away? Also in the BO you have acces to logfiles.

Nothing weird, no warnings or errors.

[tivicrdotcom]

On 10/31/2023 at 10:45 AM, idnovate.com said:

Maybe these files are removed by an antivirus?

We don't have an antivirus running on the shared server.

[tivicrdotcom]

We've successfully backed up all 4 Prestashop stores, downloaded them to my PC, and scanned them with antivirus software. Fortunately, no Trojans or spyware were detected, or they might be well-hidden. Tomorrow, our plan is to migrate them to the VPS. We'll be installing fresh copies of Prestashop and transferring the backed-up stores to the new server. However, there's a concern with this process: if there are any hidden instances of spyware, they might also be copied over because we can't identify the source of the problem.

The issue persisted on the shared server; every day, the index.php file size becomes zero, .htaccess files get corrupted, and the files Symfony/Component/Cache/Traits/PhpFilesTrait.php and vendor/twig/twig/src/Environment.php disappear.

We'll update tomorrow.

[idnovate.com]

Have you run this script?

https://www.prestashop.com/forums/topic/1067200-hack-prestashop-sur-la-page-de-paiement-nettoyage/

[Nickz]

10 hours ago, tivicrdotcom said:

Nothing weird, no warnings or errors.

Access log: GET and a file which is part of the inner workings is someone sniffing for holes.