Naldinho, posted March 7, 2017:
I am still trying to figure out how, and the extent of the damage, but currently it seems pretty minor. Somehow two PHP files, up.php and ox.php, were uploaded to my public_html directory. They then uploaded a Google webmaster verification file and added themselves as an owner. There are also a bunch of PHP files in modules. Has anyone else's store had the same attack?
rocky, posted March 8, 2017:
See the topic here for a list of known third-party modules that are vulnerable to hacking.
Naldinho (author), posted March 8, 2017:
Thanks. Yes, that was it. I found the topic earlier and have since upgraded the at-fault module. The hack was pretty easy to clean up. They uploaded a bunch of PHP files. It seems like a generic hacking script, because the main files first try to identify the platform and then take action. PrestaShop is one of the platforms it can identify. I've removed all the foreign files and upgraded the module. I'll change the database password and maybe set up something to monitor the directory for changes, but I think the worst is over. Unfortunately, upgrading the module broke my store, so it is frustrating.
El Patron, posted March 8, 2017:
Sorry you experienced this issue. I had a shop hacked back in the 1.4 days and wrote the PrestaVault module, which you might find useful in the future.
Naldinho (author), posted March 8, 2017:
Thanks. I'll take a look. I have a lot of core file changes, so I'm not sure how that would work, but I'll read through the topic once I have some coffee in me.
Andreea S., posted July 27, 2017:
Hi @Naldinho, how did you sort out this issue? I have the exact same issue: several PHP files uploaded to the public_html directory and modules folder, including up.php and ox.php. Even though I cleaned them up, upgraded PrestaShop and changed all passwords, it seems that there's another vulnerability that I missed, since these files keep being uploaded twice a week now, basically every time I delete them and change the passwords. Your support is highly appreciated! Andreea
selectshop.at, posted July 27, 2017:
Where were these files uploaded? To a folder or to the root? For a folder you can close access by adding a line to your .htaccess. If hackers are able to add new folders, then it is a critical vulnerability and you should contact your provider; in this case the server permissions are not set correctly. Is there any other software running on your host, e.g. WordPress or Joomla?
Andreea S., posted July 27, 2017:
Hi @selectshop.at, thank you so much for the fast reply! Files were added both to folders (the modules folder or its subfolders) and to the root. Moreover, they were able to create a folder, as specified earlier. See attached a screenshot from the clean-up this morning. My host provider also hosts WordPress; actually, that's the majority of the stores they host.
Naldinho (author), posted July 27, 2017:
I was able to identify all the foreign files by the date stamp. I don't remember which locations they were in, but they were definitely in two different locations and maybe three. One set of files was acting as a fetcher, so it would regularly replace the files that I deleted. Once I deleted all of them it stopped.

To double check, I then downloaded the entire site and downloaded the same version from PrestaShop. I used Beyond Compare, but any difference software will do. Depending on how custom you've gone with your store you'll get between a few and a lot of hits for files that are different, and you should be able to trace back / explain every difference.

I'd also suggest installing a change detection system. That won't keep them out, but you'll know pretty quickly and be able to address it.

Beyond that, it is a matter of finding how they are getting the files on your server. In my case, it was a published vulnerability in a module. Since upgrading to the current version of the module I have had no problems. Any kind of module that allows for file uploads would be where I start. If it isn't a vulnerability in the site, then it would be a vulnerability in the server itself. The options there would depend on how you're handling hosting. Are you on shared hosting or a VPS? Do you use a panel? Are there any other CMSs on the same server?

If you can't find it even after that, you'll have to install some kind of system auditing software and just wait for it to happen. Once it does, the how will be in the logs, and once you know how, fixing it should be simple.
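The three checks Naldinho describes (sweep by date stamp, diff the live tree against a known-clean copy, keep a change detector running) as an added example in Python, not code from the original thread, from PrestaShop or from any module it mentions. It hashes a clean web root into a manifest, re-scans and reports added/removed/modified paths, lists files touched after a cutoff, and flags PHP that landed in directories that should only hold static files. The directory names (img, upload, download, cache), the sample tree, its contents and the dates are all constructed for the example; the static-only directory list is an assumption to adjust for your own tree, and it is the same set of directories one would lock down with the .htaccess rule mentioned earlier in the thread.

```python
"""Change detection for a web root: date-stamp sweep, hash manifest diff, and a
check for PHP dropped where only static files belong. Everything below (directory
names, sample files, dates) is constructed for this example."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Directories assumed to hold only static content (an assumption; adjust to your tree).
STATIC_ONLY_DIRS = ("img", "upload", "download", "cache")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks can point outside the tree; skip them
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests; every path reported should be explainable by you."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def recently_modified(root: Path, since_epoch: float) -> List[str]:
    """The date-stamp sweep: files whose mtime is later than the cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and p.stat().st_mtime > since_epoch:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def looks_like_php(path: Path) -> bool:
    """PHP by extension, or a PHP open tag hiding behind an image-style extension (heuristic)."""
    if path.suffix.lower() in PHP_SUFFIXES:
        return True
    try:
        with path.open("rb") as f:
            head = f.read(4096)
    except OSError:
        return False
    return b"<?php" in head or b"<?=" in head


def suspicious_php(root: Path, relpaths: Iterable[str]) -> List[str]:
    """Of the given relative paths, those that are PHP inside a static-only directory."""
    return sorted(rel for rel in relpaths
                  if rel.split("/", 1)[0] in STATIC_ONLY_DIRS and looks_like_php(root / rel))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean tree dated 2017-01-01, then three unwanted changes."""
    old = 1483228800.0     # 2017-01-01 UTC, mtime stamped onto the clean files
    cutoff = 1488844800.0  # 2017-03-07 UTC, "anything touched after this is suspect"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "modules" / "example").mkdir(parents=True)
        (root / "img").mkdir()
        clean = {
            "index.php": b"<?php // front controller (placeholder)\n",
            "modules/example/example.php": b"<?php // module code (placeholder)\n",
            "img/logo.png": b"\x89PNG\r\n\x1a\n",
        }
        for rel, body in clean.items():
            (root / rel).write_bytes(body)
            os.utime(root / rel, (old, old))
        baseline = build_manifest(root)  # in practice: store this copy off the server
        # Mirror the thread: a new PHP file in the web root, PHP behind a .jpg name,
        # and an existing module file altered. Contents are placeholders, not payloads.
        (root / "up.php").write_bytes(b"<?php // dropped file (placeholder)\n")
        (root / "img" / "thumb.jpg").write_bytes(b"<?php // not an image (placeholder)\n")
        (root / "modules" / "example" / "example.php").write_bytes(b"<?php // altered\n")
        report = compare(baseline, build_manifest(root))
        report["recent"] = recently_modified(root, cutoff)
        report["suspicious_php"] = suspicious_php(root, report["added"] + report["modified"])
        return report
```

Usage: build the manifest once from a tree you have just verified against a fresh PrestaShop download, keep that manifest (and this script) somewhere the web server cannot write, and re-run compare from cron; anything in added or modified that you cannot trace to your own change is the next file to look at. Note that an attacker who can already write to the web root can also edit a detector that lives there, which is why the baseline belongs off-host, and, as the post says, this only tells you something happened; closing the upload path is still the fix.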
Andreea S., posted July 27, 2017:
Thanks a lot, @Naldinho! I'm on shared hosting with lots of WordPress stores, so this is most probably a server vulnerability. I am going to contact my provider and change this.
selectshop.at, posted July 27, 2017:
> Thanks a lot, @Naldinho! I'm on shared hosting with lots of WordPress stores, so this is most probably a server vulnerability. I am going to contact my provider and change this.

This is a case for your provider. It will not solve your problem if you clean your software daily while other software with a vulnerability is running on the same space. This is a big minus of shared space.
Naldinho (author), posted July 27, 2017:
If you're on shared hosting from a legitimate company, it is unlikely that there would be a vulnerability in their server setup. If you have shared hosting from a smaller outfit, then maybe; I see people asking basic questions on sysadmin sites all the time who I later find out run their own micro hosting company. It is actually really scary.

From a legitimate hosting company it won't be the server, and the WP sites would only be a factor if they are part of your account, which would make them your sites, presumably, unless you're sharing a shared hosting account.

Shared hosting really limits what you can do to find the issue. Most auditing options require root, which you won't have.

Unrelated to the hacking, but shared hosting just isn't appropriate for e-commerce beyond the hobby/entry store level. I'd consider moving to a VPS-hosted system at some point. I tried running a store on GoDaddy and it was costing a few thousand in sales a week because of how slow it was. I moved to better shared hosting and it improved a lot, but wasn't great, and that only lasted a year before EIG bought the company and ruined it. Once I switched to a VPS the store was much faster and sales increased dramatically / abandoned carts decreased.
Andreea S., posted July 30, 2017:
Guys, thank you all for the very useful insights! In the end, this turned out to be a vulnerability inside 2 of my theme modules which allowed file uploading. The theme developer upgraded and fixed the modules. In any case, I am switching to a VPS as of August 1st! Have a great weekend!