ploaie Posted May 21

I noticed that PS 1.7.8.2 was infected with some kind of malware. There is an h.php file in modules/ps_linklist which is injected into the payment page to steal data. Also, they are sending all customer and employee data to some IP, 196.251.69.100. Any idea about this problem? See attachment.

Webkul Solutions Posted May 22

11 hours ago, ploaie said:
> I noticed that PS 1.7.8.2 was infected with some kind of malware. There is an h.php file in modules/ps_linklist which is injected into the payment page to steal data. Also, they are sending all customer and employee data to some IP, 196.251.69.100. Any idea about this problem? See attachment.

We did not find h.php in PrestaShop 1.7.8.2 in modules/ps_linklist. Can you please share the specific path of the file?

ploaie Posted May 22 (Author)

1 hour ago, Webkul Solutions said:
> We did not find h.php in PrestaShop 1.7.8.2 in modules/ps_linklist. Can you please share the specific path of the file?

You are lucky then. I still have no clue how my PrestaShop was compromised. I suspect a module, but I found nothing in the logs. Still searching. Attached are the injected files, just classic malware to stay in control and steal credit card info.

Attachment: malware.zip

Prestashop Addict Posted May 22 (edited)

An hour ago, ploaie said:
> I suspect a module, but I found nothing in logs.

It is very hard to find where the issue is. You can analyse web server logs for POST requests (most of the time, that is the way attackers use a hole), but it is very long and difficult. That is the reason we made a simple small script which alerts you to any file creation or change. Here is the free script.

Mediacom87 Posted May 22

Hi, I made some articles about security: https://www.mediacom87.com/post/security/

And now that your site has been hacked once, it's listed as hackable and will be attacked very regularly to take advantage of a new vulnerability, so you need to clean up your site and secure it well to avoid any further attacks.

El Patron Posted May 22

Immediate action I would recommend:
- download h.php
- edit production h.php, delete all code
- set permissions for h.php to read-only (444)

OK, so download your zip files. Search your installation for recently modified files and files containing suspicious code such as:
- base64_decode
- eval
- gzinflate
- file_put_contents with encoded payloads

You can also try PC antivirus sfw to check your base code.

Long term... or maybe short term and best solution: Update and Patch PrestaShop
- Upgrade to the latest PrestaShop version. PrestaShop 1.7.8.2 has multiple known security holes; current versions have patched these.
- Update all modules, especially third-party and custom modules.
- Remove any unused or suspicious modules.

Normally when I do this for customers, I do not use PS upgrade but use a migrator to move the catalog into a fresh PS version, 8.1.2 for example, then install a new theme, new modules... This totally reduces bringing untrusted files into the new shop.

In the interim, or after you have sorted the hack, this module will monitor your filesystem and alert you when a change has been detected. A trusted change can be stored in the vault; an untrusted change can be restored from the vault.

https://prestaheroes.com/collections/all-modules/products/prestavault-malware-trojan-virus-protection?variant=40653346603215

Good luck!

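The search described in the post above (recently modified files, plus files calling base64_decode, eval, gzinflate or file_put_contents) can be scripted. This is an added example, not code from the thread or from any poster; the names `scan`, `SUSPICIOUS`, `ENCODED` and `PHP_EXT`, the 200-character threshold and the extension list are assumptions made for illustration.

```python
import os
import re
import sys
import time

# Function names taken from the post above. They are heuristics only:
# legitimate PrestaShop code calls them too, so every hit needs manual review.
SUSPICIOUS = re.compile(rb"\b(base64_decode|eval|gzinflate|file_put_contents)\s*\(", re.I)
# Assumption: a quoted run of 200+ base64 characters counts as an "encoded payload".
ENCODED = re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]")
PHP_EXT = (".php", ".phtml", ".inc")  # assumed set of extensions that may run as PHP


def scan(root, days=30, now=None):
    """Return [(relative_path, recently_modified, sorted_hits)], most urgent first."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                recent = os.stat(path).st_mtime >= cutoff
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = {m.group(1).decode().lower() for m in SUSPICIOUS.finditer(data)}
            if ENCODED.search(data):
                hits.add("encoded-string")
            # mtime can be reset by an intruder, so old files with hits are kept too.
            if recent or hits:
                findings.append((os.path.relpath(path, root), recent, sorted(hits)))
    # Recent files that also contain suspicious calls sort to the top.
    findings.sort(key=lambda f: (not (f[1] and f[2]), not f[2], f[0]))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    for rel, recent, hits in scan(root, days):
        print(f"{'RECENT' if recent else 'old   '}  {rel}  {', '.join(hits) or '-'}")
```

Run it against a copy of the shop directory, passing the path and the look-back window in days, and compare flagged files with a clean download of the same PrestaShop and module versions.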