Someone is trying or had hacked me again!

[DArnaez]

Ok this is new for me. I'm using Prestashop 1.6.1.6 selling only digital products. In the past someone was buying products using coupons and I fix it removing a module "rewards for new buyers" or something like that. Everything was working fine until today. Now I'm receiving the Paypal email anouncing a purchases for $0.01 (for a products that cost $18 or $20).

 

My first question is obviously how to avoid purchases from an specific email/customer? this is an @outlook.com.

 

THe second question is what you would do if you realize that someone is hacking or downloading your products?

 

THere is a way to forbid the access to everyone up to find the solution?

 

Thanks!

 

Site is www.ohmyicons.com

[razaro]

First you can set store to maintenance mode or just catalog mode.

Back office > Preferences > Maintenance and Back office > Preferences > Products.

 

Also read again whole topic and replays 

https://www.prestashop.com/forums/topic/544579-major-security-issues-with-few-modules-and-themes/

You do have theme from Themeforest and they could use same modules that have security issue with uploading

images that hacker are exploiting.

 

And in your case it looks like someone have access to your back office, so do change passwords.

Also maybe good idea to check some .htaccess rules to allow access to your back office based on IP address.

Scan files with anti-virus/anti-malware, if you can on server or download to your computer and scan.

And look into folder for strangely named files.

[DArnaez]

Thanks razaro! Ok I already changed the password. But I don't have idea about "Also maybe good idea to check some .htaccess rules to allow access to your back office based on IP address.". any clue? Thanks a lot!

[endriu107]

You can also block some php script adding this to your htaccess file:

 

<IfModule mod_mime.c>
	RemoveHandler .php .phtml .php3 .php4 .php5
	RemoveType .php .phtml .php3 .php4 .php5
</IfModule>
<IfModule mod_php5.c>
	php_flag engine off
</IfModule>

[DArnaez]

Mmm... when I added that code to my .htaccess (in the root) it doesn't let me access to admin.

[razaro]

Not sure if it would had some effect as first you must be sure hacker can not access your server with FTP.

But for code, create new .htaccess file in your admin folder. So in admin folder not main .htaccess that is in root.

 

And just add there 

Order deny,allow
Deny from all
Allow from 1.1.1.1

Change 1.1.1.1 to your IP.

[vekia]

firstly it is necessary to find breakpoint in your website, then find a solution.

if you've got ip of the order - check apache logs from your host for this ip, you will be able to follow step by step what this dumbass did (what pages accessed)

[Dh42]

I cannot remember where, but there is actually a bug in the voucher system that will allow for this. You should come to the gitter and ask someone, there is a pull request that rolls that code back. https://gitter.im/PrestaShop/General

[DArnaez]

Ok is very very weird. THis is what happen. Yesterday night I received 3 emails (from Paypal) with an space of around half an hour saying: You received a payment of $0.01 from Kit Harrington ([email protected])." It show an address New York, NY 10027. But who know is is real.
 

The worst think is that I have 2 different stores... the other is using Zen-cart. THe first email was a purchase for a product of this Zen-cart products.  So I though ... if he have access from FTP why to make a purchase? In none of the cases the system show a new purchase. So what could happen? Only in the Paypal email show the product he bought for $0.01. Freaking... right??

[Dh42]

Hmm, your paypal module could have been hacked. Which module are you running and what version? Also, Kit Harington is a famous actor so I bet it was fake. 

[DArnaez]

OMG you are right! I didn't realize that was an actor...  For Prestashop I'm using Paypal module v1.3.9 - by PrestaShop.  But the worrying is the other site is using Zen-Cart that use a different module. By the moment I change the psw in PS and installed a anti-malware  (Zemana) is new for me but in some site they recommend it. 

[vekia]

im affraid that anit-malware software will do nothing if there - on your website - we can find breakpoints ;-)
have you got an access to apache traffic logs?

[DArnaez]

Hi Vekia. Yes I have access to my cpanel. I'm not so familiar with Apache but I can see the Error Pages. I don't know what to search because in this case it wasn't errors. Any guide?

 

I highly appreciate your help. 

[PrestaHeroes USA]

Look under logs, I use plesk but most major control panels should show similar, so under logs I for example see access log  That is log of all access to your domain.

 

As a side point, you may also want to consider this module

https://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-hack-protection/

 

happy day, ell

[DArnaez]

Thanks for the advice Patron! I will add it to my wish list. btw... I was navigating into prestaheroes.com... any idea what module use in the menu to show the contents like that? I really like it! Specifically when you put the mouse over PS1.6 or PS 1.5

[PrestaHeroes USA]

Thanks for the advice Patron! I will add it to my wish list. btw... I was navigating into prestaheroes.com... any idea what module use in the menu to show the contents like that? I really like it! Specifically when you put the mouse over PS1.6 or PS 1.5

 

all the Leo Themes come with their menu module...I think it is difficult to get just a good menu module anymore, they are including in themes now.  Happy day, el

[globosoftware.net]

So did you know how is your website hacked?

[Dh42]

One good way is that it is broken. Another good way is checking the mail queue. There are lots of different hacks that we have seen exploited on PrestaShop sites.