
Site and paypal configuration hacked


edsmiths


Hello,

I'm helping a merchant that had a site (PrestaShop 1.6.1.18) hacked in late December... there was the typical hacker banner on the homepage and a lot of file injections on the server. Also, there was a lot of email spam sent via the contact and register forms (we still get some deferred mails in the queue). We installed the reCAPTCHA module to avoid e-mail spam sent from the server and uninstalled some modules (e.g. send to a friend).

I've managed to clean the malicious code and for some days all went well. Meanwhile, the API parameters of the official PayPal module were changed, so a couple of payments were sent to another PayPal account. In addition, the .contactemail file in the server root was changed to the hacker's address.

I uninstalled and deleted the PayPal module and did a clean installation (the module is updated), but after a week the problem arose again. Checking the dates, the only file that seems to have been changed is the htaccess (but I think the code is fine); please check the attached file.

The error logs just display an error in /override/classes/Product.php (PHP Strict Standards:  Declaration of Product::updateProductAttribute() should be compatible with ProductCore), probably due to a standalone software (emagicone) that is used to synchronize and update the store from the PC.

Another issue is that when I try to update PrestaShop (via 1-click upgrade), the site's backend just keeps waiting for a few minutes until it redirects to the login page (probably a connection timeout).

The debug mode just showed the product.php override error.

Assuming that there's some malicious code hidden on the server, my question is: where should I dig first? Also, do you think the problem with the 1-click upgrade is related to server issues (lack of resources)?

All the passwords were changed meanwhile and the modules and template are from prestashop addons.

Any help would be appreciated.

Thanks in advance.

Ed

 

 

 

htacess.txt
