Moroccan Wolf hack please urgent help


Dear all,

All my websites on the same server have been hacked since yesterday evening by "Moroccan Wolf".

Access to all the websites is impossible; the following sentence appears:

hacked by Moroccanwolf

I can still access the PrestaShop back office, however, but for how long?

Can you please help me, or direct me to someone or a company that can help me?

Thank you


1. Do you have daily security back-ups? If not, ask your provider for that. Roll back your page to a working version.

2. Change all your log-in passwords: FTP, database, PrestaShop BO.

3. Disable all modules which you installed that are free or developed by third parties.

4. Upgrade your PrestaShop to the latest version, especially payment modules and Send to a Friend if you are using it.


Hello and thank you for your answer.

The websites are hosted by 1&1 and it is a dedicated server.

I am not sure if I have daily saves.

I have changed all the passwords.

I will check the modules as per your recommendation.

Is it still possible to recover the website if I don't have any recent save?

Can you help?


You can recover your whole NATIVE FTP by downloading the version you are using here: https://www.prestashop.com/en/download and substituting all files on your server with the native ones. This is to make sure that all files are native again and do not contain any foreign code. This saves only the FTP, but possibly not changes made in the database!!

Daily back-ups are a must-have for each webmaster!!!

Then you should avoid the use of any extras not verified by PrestaShop (mainly free addons/themes). They could contain malicious code.


If it is on a dedicated server that you set up and you don't know if there are daily backups then there aren't any. If this is some kind of managed dedicated server then there might be backups.

There is a decent chance that the hacker only changed your index.php file and that the rest of the site is intact. If the hacker wanted to profit from inserting malicious code he wouldn't have announced that the site was hacked. This is just someone doing it for bragging rights. If he was a jerk he might have deleted all the files on the server but back office still works so he didn't. I'd bet that the only change is to index.php and that restoring that would fix the site. That said you still need to check the rest of the files just to be sure.

As selectshop.at explained, your goal now is to return the files to their Native state. This is how I would approach that:

1) Download the complete site using FTP to your computer.
2) Download the same version of PrestaShop from PrestaShop -- make sure it is the same version you are using.
3) Use something like Beyond Compare to look for differences between your files and the files in the download you got from PrestaShop.
4) For all differences, look at the differences and confirm that they are something you changed in the core files, either directly or because you installed a module that requires modified core files. For any malicious differences, overwrite the file with the original from PrestaShop.
5) Upload all the files you downloaded back to the server using FTP, overwriting everything with the now verified version.
6) Repeat for all the sites.
7) Stop trying to manage your own server -- having root access is really valuable in my opinion, but if you don't know what you're doing you end up with this. Pay for a managed server where the hosting company handles security and backups.
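
Steps 2 to 4 of the procedure above can be narrowed down with a script before opening a visual diff tool. The following is an added example, not part of the original post: it hashes the downloaded site and the pristine PrestaShop release and lists modified, added and missing files. The function names and the small sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives or images do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(site_dir, pristine_dir) -> dict:
    """Classify every file in the downloaded site against the pristine release."""
    site, pristine = index_tree(Path(site_dir)), index_tree(Path(pristine_dir))
    return {
        # Present in both but content differs: review each one by hand (step 4).
        "modified": sorted(f for f in site if f in pristine and site[f] != pristine[f]),
        # Only on the server: modules, themes, uploads, or files an intruder left.
        "added": sorted(f for f in site if f not in pristine),
        "missing": sorted(f for f in pristine if f not in site),
    }


def demo() -> dict:
    """Run the comparison on two small constructed trees (not real PrestaShop files)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, pristine = Path(tmp, "site"), Path(tmp, "pristine")
        for root in (site, pristine):
            (root / "classes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'config.php';")
            (root / "classes" / "Tools.php").write_text("<?php class Tools {}")
        (pristine / "robots.txt").write_text("User-agent: *")
        (site / "index.php").write_text("hacked by Moroccanwolf")  # defaced page
        (site / "img").mkdir()
        (site / "img" / "x.php").write_text("<?php /* unexpected script */")
        return compare_trees(site, pristine)


if __name__ == "__main__":
    print(demo())
```

On a real site the "added" list will be long because of installed modules, themes and uploaded images; script files in directories that should hold only images or uploads deserve the first look.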


Hello Naldinho,

Thank you for your precise answer. The site is back on track now thanks to a nice person who helped me from the French forum.

The index.php file was changed, yes, but it seems a number of other files were also modified.

The hacker managed to enter the server because of a faulty module from PrestaShop, abandonedcart pro.

It seems the module is now secure.

Thanks again for all your explanations.
