
Website hacked, host demands action


CrossY


Hi there,

 

Apparently two of our sites (running on the same FTP) were hacked recently. Apparently they were used to send out shitloads of mail via our server.

 

Our host scanned the site for 'suspicious scripts' and compiled a list of files which were certain and/or likely to be infected. I have no idea what they are scanning for, and I've checked some of the files and found that they were last edited ages ago (same date as other files in those folders). Couldn't compare line-by-line, but the files were the exact same size as a 'fresh/clean' file.

 

Since it's weekend now, it's unlikely we can reach the host to ask them. Any idea what they are looking for? 

 

Certainly infected (according to them):

public_html/controllers/admin/AdminModulesController.php
 

Suspicious:

public_html/website1.com/tools/smarty/sysplugins/smarty_internal_resource_eval.php
public_html/website1.com/modules/gamification/gamification.php
public_html/website1.com/modules/adyen/controllers/front/notification.php
public_html/website1.com/prestashop/tools/smarty/sysplugins/smarty_internal_resource_eval.php
public_html/website1.com/prestashop/classes/Rijndael.php
public_html/website1.com/prestashop/classes/Blowfish.php
public_html/website1.com/prestashop/webservice/dispatcher.php
public_html/website1.com/classes/Rijndael.php
public_html/website1.com/classes/Blowfish.php
public_html/website1.com/bridge2cart/bridge.php
public_html/website1.com/webservice/dispatcher.php
public_html/website2.com/modules/leotempcp/libs/DataSample.php
public_html/website2.com/modules/autoupgrade/AdminSelfUpgrade.php
public_html/website2.com/modules/gamification/gamification.php
public_html/website2.com/prestashop/classes/Rijndael.php
public_html/website2.com/prestashop/classes/Blowfish.php
public_html/website2.com/prestashop/webservice/dispatcher.php

 

I get the sense they are marking all files suspicious when it's just Prestashop functions they are tagging as such.

 

Edit:

What we've done so far:

  • Change admin folder name
  • Change all passwords
  • Change FTP password
  • Planning a CCleaner for everyone that uses this FTP
  • Removed FireFTP (Firefox), I have the idea that's where we were most vulnerable 

 

Should I replace all these files with new ones? Scan my own FTP somehow? Any advice would be appreciated!

Edited by CrossY

You don't say what version of Prestashop you are using, which you should when posting for help.

 

I would start by downloading the same exact version of Prestashop that you are currently running from this URL:

https://www.prestashop.com/en/developers-versions#previous-version

 

Extract that onto your desktop for reference.

 

They say that this file is definitely infected, so start by comparing the contents of this file on your server to the contents from the package you downloaded.

public_html/controllers/admin/AdminModulesController.php

 

They should be an exact match. If they are not an exact match, and you did not make any changes previously, then it was obviously changed.

 

I would be interested in seeing what the differences are.  If it is some malicious script (unlikely in my opinion), then you at least know what to look for in other scripts. 

 

However if there are no differences, or the script is not malicious, then you will need to go through the other files they pointed out, and do the same thing.

 

A few other notes

1) You appear to have 2 prestashop stores installed.  One in root, and another in a subfolder called 'prestashop'.  Do you know that?

 

2) You have modules that are not packaged with Prestashop by default, and you have likely added them after installation, or perhaps they came with a custom theme.

I assume adyen is this payment module?

http://addons.prestashop.com/en/payments-gateways-prestashop-modules/8924-adyen-payments.html

public_html/website1.com/modules/adyen/controllers/front/notification.php

 

I assume this was installed with your theme?

public_html/website2.com/modules/leotempcp/libs/DataSample.php
 

3) This is not a prestashop file. 

public_html/website1.com/bridge2cart/bridge.php

 

According to a Google search, you have used some cart migration service? If you are done, then I would suggest removing the entire bridge2cart folder.

https://www.api2cart.com/faqs/connection-bridge-need/
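A scripted version of the comparison described above, added here as an example and not taken from the thread: it hashes every file in the downloaded shop tree against the extracted release package and reports which files differ, which exist only on the server, and which are missing. The sample trees it builds are constructed for the demo; point compare_trees at your real FTP download and the extracted Prestashop package instead.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    """Map every relative path under root to its SHA-256."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out

def compare_trees(server_root, reference_root):
    """Return (modified, added, missing) relative to the reference package."""
    server, reference = walk_files(server_root), walk_files(reference_root)
    # modified: in both trees but content differs (where an injected mailer usually lands)
    modified = sorted(p for p in server if p in reference and server[p] != reference[p])
    # added: only on the server (an uploaded script, or a module you installed yourself)
    added = sorted(p for p in server if p not in reference)
    # missing: only in the reference (deleted files, worth knowing before restoring)
    missing = sorted(p for p in reference if p not in server)
    return modified, added, missing

def write(root, rel, text):
    """Create rel under root with the given content (for the constructed sample)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample trees, not real Prestashop code: one file tampered, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, srv = os.path.join(tmp, "reference"), os.path.join(tmp, "server")
        for root in (ref, srv):
            write(root, "classes/Blowfish.php", "<?php class Blowfish {}\n")
            write(root, "controllers/admin/AdminModulesController.php", "<?php class A {}\n")
        # same length as the clean file, so a size or date check alone would miss it
        write(srv, "controllers/admin/AdminModulesController.php", "<?php class B {}\n")
        write(srv, "bridge2cart/bridge.php", "<?php // constructed: not in any release\n")
        return compare_trees(srv, ref)
```

Files in the "modified" list are the ones to diff line by line against the package; files in "added" need an explanation (a module you installed, a theme, or something you did not put there).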


I'm using version 1.5.4.1

 

1. Yep, realized it when I was showing this. It is removed now.

 

2. I'm pretty sure Adyen came with our installation. We don't use it though, I'm not even sure if it's enabled as a module.

 

3. I'm aware. We've done a migration at some point, I've removed that folder now.

 

Thanks for the help in general. Our host has turned our website back online :) 

 

I'm just very curious what kind of scripts could be enabled through these files? What exactly are we looking for there, and what can the hackers achieve with these files?


  • 9 months later...

Hi, 

 

Can someone please help!!! My site has been hacked pretty badly through the .htaccess file and several files posted in the root and in many modules. I think I was able to remove most of them manually by sifting through the files one by one. My shop runs on 1.6.0.8 with a purchased theme.

 

It now seems to work OK, except for one thing: the meta title and meta description from the major search engines describe an online casino! I really don't know what else to do:

 

I changed all my passwords (PC, FTP, server and backstore)

Scanned my own PC (no viruses found)

 

Can someone please help me figure out where I can find the code that is modifying the meta description and titles for search engines and make sure that I am not infected.

 

Thanks in advance 

 

S.
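One check that narrows down the symptom above, added here as an example and not from the thread: when search engines show a title and description the owner never sees in a browser, the server is often answering crawler user-agents with different content than it answers browsers, which an .htaccess rewrite can do. This script fetches the same page twice with different User-Agent headers and reports the fields that differ; the browser string is constructed, the crawler string is Google's documented Googlebot User-Agent, and the two HTML snippets at the bottom are constructed so the comparison can be exercised offline.

```python
import re
import urllib.request

# Constructed browser string; the crawler string is Google's documented Googlebot User-Agent.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def extract_meta(html):
    """Return the <title> text and the description meta content of an HTML page."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    description = ""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        # attribute order varies between themes, so parse the tag rather than assume it
        attrs = {k.lower(): v for k, v in re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name", "").lower() == "description":
            description = attrs.get("content", "")
            break
    return {"title": title.group(1).strip() if title else "", "description": description}

def compare_views(browser_html, crawler_html):
    """Return {field: (browser value, crawler value)} for every field that differs."""
    a, b = extract_meta(browser_html), extract_meta(crawler_html)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def fetch(url, user_agent):
    """Download url while presenting the given User-Agent (assumes the shop is reachable)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Fetch the same page as a browser and as a crawler; a non-empty result means
    the server hands crawlers different metadata than it shows you."""
    return compare_views(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed responses standing in for the two fetches, so the check runs offline.
CLEAN_HTML = ('<html><head><title>My Shop</title>'
              '<meta name="description" content="Shoes and bags"></head></html>')
CLOAKED_HTML = ('<html><head><title>Best Online Casino</title>'
                '<meta name="description" content="Play slots now"></head></html>')
```

If check_site reports differences for your shop's front page, the rule or include that switches on the User-Agent is what to look for in .htaccess and in the theme's header template.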

 



Gosh, that is stressful.

 

Probably the best way is to ensure you have an up-to-date anti-virus program running on your local machine.

Then, using FTP (or another method), download 'all' your shop files; your anti-virus program may then find the file (most likely a .js file) that continues to corrupt. Then you can probably get clean files from a 1.6.0.8 package: see the download section and scroll to the bottom for earlier versions.

 

(note: in the future for best results, start new topic as that will get more community visibility).

 

Good luck!   Let us know how it goes...

Edited by El Patron
