
Malware - weird files on the server. Website down


Jacek Es


Hi,

I ran into several issues on my PS 1.7.2.4 in the past few days. The most recent was this morning, causing the website to go down with HTTP 403 - Forbidden. I checked the log around the time when the site went down and I found this record:

45.40.167.2 - - [24/Apr/2018:06:42:24 +0100] "POST /6cwel4s2.php HTTP/1.0" 200 6694 "https://MY-DOMAIN/6cwel4s2.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"

File ROOT/6cwel4s2.php contains the following:

[Screenshot of the file contents attached to the post (ScreenShot2018-04-24at10_00_26.png); not reproduced here]

After this request the website went down. I scanned the entire directory for similar files and found them spread across various folders. These files had different names (such as kg0ucas6.php, rk8lc98d.php, b5x9kpcv.php, etc.) but identical content (as above). I found 25 in total.

I brought the site up from a backup that doesn't contain the above files and the site works, but I couldn't figure out how the files were placed on the server and how to prevent this in the future. Has anyone had a similar issue? Any advice?


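The pattern described in the post (many .php files with random eight-character names, identical bytes, dropped across the webroot, plus POST requests to them in the access log) can be triaged with a small script. The following is an added example, not code from this thread or from PrestaShop: it hashes every random-looking .php file under a directory, groups identical copies, and then pulls the access-log entries that touched any of those names so the first contact can be timed. The webroot layout and the log lines it uses are constructed for the demo (the first log line is modelled on the one quoted in the post).

```python
"""Triage helper for dropped webshell-style files in a PHP webroot.

Added example for this thread; not the original poster's code and not part
of PrestaShop. Directory layout and log lines below are constructed.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Names like 6cwel4s2.php / kg0ucas6.php: exactly eight lowercase letters and
# digits, containing at least one of each. Legitimate PrestaShop files do not
# normally look like this, but treat matches as candidates to review, not verdicts.
RANDOM_PHP = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.php$")

# Apache/nginx "combined" log line; only the fields needed for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_php(root):
    """Walk root and return {sha256: [relative paths]} for .php files whose name
    looks randomly generated. A group with more than one member is the
    'different names, identical content' pattern from the post."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if RANDOM_PHP.match(name):
                full = os.path.join(dirpath, name)
                groups[sha256_file(full)].append(os.path.relpath(full, root))
    return {digest: sorted(paths) for digest, paths in groups.items()}


def requests_to(paths, log_lines):
    """Return (ip, timestamp, method, status, path) for every log entry whose
    request path ends in one of the flagged file names, in log order."""
    names = {os.path.basename(p) for p in paths}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        base = os.path.basename(m.group("path").split("?", 1)[0])
        if base in names:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         int(m.group("status")), m.group("path")))
    return hits


def build_sample_tree():
    """Constructed webroot: three dropped files with identical bytes in different
    folders, one legitimate index.php, and one random-looking file whose content
    differs (so it forms its own group)."""
    root = tempfile.mkdtemp(prefix="ps-triage-")
    dropped = b"<?php /* constructed placeholder standing in for the dropped file */ ?>\n"
    for rel in ("6cwel4s2.php", "img/kg0ucas6.php", "modules/blockcart/rk8lc98d.php"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(dropped)
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php require 'config/config.inc.php'; ?>\n")
    with open(os.path.join(root, "b5x9kpcv.php"), "wb") as f:
        f.write(b"<?php echo 'different'; ?>\n")
    return root


# Constructed log lines; the first is modelled on the entry quoted in the post.
SAMPLE_LOG = [
    '45.40.167.2 - - [24/Apr/2018:06:42:24 +0100] "POST /6cwel4s2.php HTTP/1.0" 200 6694 "https://MY-DOMAIN/6cwel4s2.php" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2018:06:40:01 +0100] "GET /index.php?controller=product HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
    '45.40.167.2 - - [24/Apr/2018:06:41:57 +0100] "GET /img/kg0ucas6.php HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    root = build_sample_tree()
    groups = find_dropped_php(root)
    for digest, paths in groups.items():
        if len(paths) > 1:
            print(f"{len(paths)} identical files (sha256 {digest[:12]}...): {paths}")
    flagged = [p for paths in groups.values() for p in paths]
    for hit in requests_to(flagged, SAMPLE_LOG):
        print("log hit:", hit)
```

On a real server, point `find_dropped_php` at the webroot of the restored site as well as at the compromised copy, and feed `requests_to` the full access log: the earliest hit on any of the flagged names, and the requests from the same IP just before it, are where the initial entry point is most likely to show up. The hash groups are also what you would compare against a clean install to confirm which files are foreign rather than only oddly named.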

Hi

And sorry to hear you have those issues. That reminds me of an issue that affected a lot of users over two years ago.

You can check detailed info here https://www.prestashop.com/forums/topic/544579-major-security-issues-with-few-modules-and-themes/

and read some posts there for tips. In short it was connected with third-party themes from ThemeForest and modules, but also one native module had a problem that hackers exploited.

It is recommended to upgrade to latest available version, safely and properly on test server first.

But also if you have found the source of the hack you should contact PrestaShop directly:


Quote

What is responsible disclosure?

Responsible (and private) disclosure is a standard practice when someone encounters a security problem: before making it public, the discoverer informs the Core team about it, so that a fix can be prepared, and thus minimize the potential damage.

The PrestaShop team tries to be very proactive when preventing security problems. Even so, critical issues might surface without notice.

This is why we have set up the [email protected] email address: anyone can privately contact us with all the details about issues that affect the security of PrestaShop merchants or customers. Our security team will answer you and discuss a timeframe for your publication of the details.

Understanding a security issue means knowing how the attacker got in and hacked the site. If you have those details, then please do contact us privately about it (and please do not publish those details). If you do not know how the attacker got in, please ask for help on the support forums.

