My website got hacked this morning!


Hello all,

A couple of hours ago my website got hacked by a Turkish hacker called "ghost61". No serious damage was done. He just changed my index.php with his message. He is probably a "gray hat" trying to show that I'm vulnerable!

Questions: How can I prevent something like this? Is it my hosting provider's fault? Are they vulnerable?

Is it something to do with PrestaShop? Maybe some wrong file permissions? A security hole?

Hope some of you have some experience in the area and can help us prevent this kind of thing.

Thank you in advance!


Most common hacks where files are changed on the server originate from a hack of your PC: hackers get in there, read the password file of your FTP program, and get the username / password of your server.

It's much easier to hack a PC than a web server...


First off:
If you're running on a shared hosted machine with tech support, let them know IMMEDIATELY.

They (or you) should restrict all access to your server from the "outside" world. This means in & out traffic, and only allow your own access while you are investigating the crack (hack == what we do to prestashop code, crack == breaking and entering).

Next:
Check ALL logs available (provided that they didn't remove them) for any unusual activity. Weblogs, syslogs, etc.

Check that no unusual processes are running on the server, and that your files' timestamps aren't "strange". I.e., other than your own activities in setting up your shop, your timestamps for most files should be more than a few days ago.

Last:
If you have the ability to do so, look into setting up something like tripwire, portsentry, etc. Configure them to send you email every day with changes to the server files.
Make backups make backups make backups. :)

Best of luck


Hey guys!

I use FileZilla. I just contacted my hosting provider. As I didn't have any backups they will restore those files for me.

Also, I asked them about it. They told me the 2 most common reasons and ways those attacks happen are through FTP, with a password hack (or theft), or from holes in the code, especially if you use a CMS like Joomla (and Presta), and he told me to be careful with file permissions.

Well, I will look into those, especially the last one, because as I was having problems with my website I ended up messing with a lot of file and folder permissions to get it working. Does anyone know the most secure "setup" for file permissions in Presta, and which are the only folders and files that need to be changed?

Cheers!


With the exception of your image folders (for uploading of pictures), most of your directories should be 755, and files 644. Removal of install directory (or rename to a .randomlynameddirectory and permissions 600 is what I normally do), and renaming of admin directory to a random combination of alpha-numeric+upper/lowercase. Make sure everything is owned by your user:group.

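The permission, ownership and timestamp checks suggested in the replies above (directories 755, files 644, everything owned by your user, no leftover install directory, no unexpectedly recent modifications) can be scripted. The following is an added example, not part of any post in this thread; it assumes the upload folder is named `img` and the installer directory `install`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: "img" (upload folder
# that is skipped in the mode check) and "install" (installer directory).

# Directories that are not 755 and files that are not 644, outside img/.
bad_modes() {
    root=$1
    find "$root" -path "$root/img" -prune -o \
        \( -type d ! -perm 755 -print \) -o \
        \( -type f ! -perm 644 -print \)
}

# Anything not owned by the given uid or user name (default: current uid).
foreign_owner() {
    root=$1; owner=${2:-$(id -u)}
    find "$root" ! -user "$owner" -print
}

# Regular files modified within the last N days (default 3), img/ included.
recent_changes() {
    root=$1; days=${2:-3}
    find "$root" -type f -mtime "-$days" -print
}

# Run all checks; returns 1 if a mode, owner or install finding exists.
# Recent files are listed for review but do not fail the audit on their own.
audit_tree() {
    root=$1; days=${2:-3}; rc=0
    if [ -d "$root/install" ]; then
        echo "INSTALL $root/install"; rc=1
    fi
    out=$(bad_modes "$root")
    if [ -n "$out" ]; then echo "$out" | sed 's/^/MODE    /'; rc=1; fi
    out=$(foreign_owner "$root")
    if [ -n "$out" ]; then echo "$out" | sed 's/^/OWNER   /'; rc=1; fi
    recent_changes "$root" "$days" | sed 's/^/RECENT  /'
    return $rc
}
```

Call it as `audit_tree <shop root> <days>`. A renamed install directory set to 600, as described in the post above, will be listed under MODE, which is expected.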

from holes in the code, especially if you use a CMS like Joomla (and Presta)


I would be pleased if he could tell you more about that.
It is easy to say the problem comes from the solution's code, but the least he could do is to say why...


Agreed! Well, he said it's a good thing to always keep an updated version of the software, etc. Standard stuff.
