Phishing Problem On My Website


kawther

Hi everyone, I am new to the forum and to PrestaShop.
My shop is on PrestaShop version 1.6.1.4.

So a few months ago, my hosting service contacts me saying that I have a phishing page on my website.
I do the job, delete the page, and then everything goes back to normal.
Then 15 days later the hacker changes my index with his own coordinates and text and photo.

So I change the index back.
The hacker got access to my server via my back office. He gets a file named failure.txt with my login and password.
This file is then sent to his mail.
I don't know how this file is generated. So I changed the swift folder name to swifttttttt and then the hack stopped.
My problem now is that no user can create an account on my website.
Here is the error after I enabled dev mode:

 

 

Warning: fopen(../modules/failure.txt): failed to open stream: No such file or directory in /home/skymilinai/www/config/config.inc.php on line 266

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/skymilinai/www/config/config.inc.php on line 266

Warning: include_once(/home/skymilinai/www/tools/swift/Swift.php): failed to open stream: No such file or directory in /home/skymilinai/www/classes/Mail.php on line 27

Warning: include_once(): Failed opening '/home/skymilinai/www/tools/swift/Swift.php' for inclusion (include_path='/home/skymilinai/www/tools/htmlpurifier/standalone:.:/usr/local/php5.6/lib/php') in /home/skymilinai/www/classes/Mail.php on line 27

Warning: include_once(/home/skymilinai/www/tools/swift/Swift/Connection/SMTP.php): failed to open stream: No such file or directory in /home/skymilinai/www/classes/Mail.php on line 28

Warning: include_once(): Failed opening '/home/skymilinai/www/tools/swift/Swift/Connection/SMTP.php' for inclusion (include_path='/home/skymilinai/www/tools/htmlpurifier/standalone:.:/usr/local/php5.6/lib/php') in /home/skymilinai/www/classes/Mail.php on line 28

Warning: include_once(/home/skymilinai/www/tools/swift/Swift/Connection/NativeMail.php): failed to open stream: No such file or directory in /home/skymilinai/www/classes/Mail.php on line 29

Warning: include_once(): Failed opening '/home/skymilinai/www/tools/swift/Swift/Connection/NativeMail.php' for inclusion (include_path='/home/skymilinai/www/tools/htmlpurifier/standalone:.:/usr/local/php5.6/lib/php') in /home/skymilinai/www/classes/Mail.php on line 29

Warning: include_once(/home/skymilinai/www/tools/swift/Swift/Plugin/Decorator.php): failed to open stream: No such file or directory in /home/skymilinai/www/classes/Mail.php on line 30

Warning: include_once(): Failed opening '/home/skymilinai/www/tools/swift/Swift/Plugin/Decorator.php' for inclusion (include_path='/home/skymilinai/www/tools/htmlpurifier/standalone:.:/usr/local/php5.6/lib/php') in /home/skymilinai/www/classes/Mail.php on line 30

Fatal error: Class 'Swift_RecipientList' not found in /home/skymilinai/www/classes/Mail.php on line 181

 

 

Thanks for all your help.


It's just too simple to think you can run business as usual after your site has been hacked. Obviously you didn't make efforts to harden your site after the first successful hack. You can clean up the system 10 times and you still get hacked if you don't close the door that opened access to hackers.

 

What we can guess is

 

- Your config.php has been compromised

- All your passwords are known to a 3rd party

- Your password hashing key is known to a 3rd party

- All your database content is known to a 3rd party

- All your admin user passwords are known to a 3rd party

- Your mailbox credentials are known to a 3rd party

 

Once a system has been compromised like that - NOTHING can be considered to be safe anymore until a complete cleanup and hardening has taken place.

 

A few steps how to proceed now:

 

- Take your site offline

- Change all your admin usernames and passwords (delete old, create a new admin with new mail address and new password)

- Change the database settings (with new database username and new database password)

- Change hashing key and inform customers they have to change all passwords once you have cleaned your system.

- Change all email usernames and passwords you use - especially if you use SMTP on your server

- Find the way you have been hacked - it's quite probable that a 3rd party module was the culprit

- File upload mechanisms are critical in terms of hacking, but there are also other ways

- Make a clean, fresh install, import data from the old install (products, customers etc)

- Read the forum posts about critical modules in terms of hacking

- If possible, take a newer PS version than you have now

- Install only modules you really need

- Check your logfiles frequently

 

And most of all: Take your responsibility to clean your system before going live again. If you don't feel comfortable with cleaning up, ask a service company to assist you in this task.

Edited by Scully (see edit history)
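
The warnings in the first post show code in config/config.inc.php writing to modules/failure.txt, which a stock core file has no reason to do. For the "find the way you have been hacked" step above, the following is an added example (not part of the thread and not PrestaShop code) that compares a live shop tree against an unmodified copy of the same release and lists changed core files, extra files, and new lines that write files or send mail. The function names, the suspect-call list and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls worth a manual look when they appear in lines the clean release lacks.
SUSPECT = re.compile(r"\b(fopen|fwrite|file_put_contents|mail|eval|base64_decode)\s*\(")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def index(root):
    """Map relative path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare(clean_root, live_root):
    """Return (modified, added, suspect_lines) for the live tree vs. the clean one."""
    clean, live = index(clean_root), index(live_root)
    modified = sorted(f for f in live if f in clean and live[f] != clean[f])
    added = sorted(f for f in live if f not in clean)
    suspect = []
    for rel in modified:
        if not rel.endswith(".php"):
            continue
        known = set((Path(clean_root) / rel).read_text(errors="replace").splitlines())
        text = (Path(live_root) / rel).read_text(errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if line not in known and SUSPECT.search(line):
                suspect.append((rel, no, line.strip()))
    return modified, added, suspect

def build_sample(base):
    """Constructed sample trees: a clean release and a tampered live copy."""
    for name in ("clean", "live"):
        for rel, body in {"config/config.inc.php": "<?php\n$a = 1;\n",
                          "classes/Mail.php": "<?php\nclass Mail {}\n"}.items():
            p = Path(base, name, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    cfg = Path(base, "live/config/config.inc.php")
    cfg.write_text(cfg.read_text() + "$h = fopen('../modules/failure.txt', 'a'); // constructed\n")
    Path(base, "live/modules").mkdir()
    Path(base, "live/modules/failure.txt").write_text("constructed\n")
    return Path(base, "clean"), Path(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for group in compare(*build_sample(tmp)):
            print(group)
```

On a real shop the added list will also contain legitimate files (installation-generated settings, cache, uploads, installed modules), so review the modified core files and any unexpected PHP or text files first.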

  • 5 months later...

So I am back; I found a partial solution to my problem.

First I updated my Swift mailing module. Seems to have settled things. And I found a way to stop the file that captures my login and password from being written. So that's all, I'll mark this solved.
