General info

We do apologise for this security issue and all the hacked sites. We have learned our lesson!

As with all modules and themes, it is very important that you are always on the latest version, to avoid security threats and other bugs.

The security issue was fixed within hours of its discovery. The fix was available as an update on ThemeForest on 15 June 2016. It is essential that all your modules, PrestaShop itself and your servers are always updated to the latest release, or that you at least track the development of the software you use. Update notifications were sent by ThemeForest to all customers. I also sent my personal newsletter to all the e-mails I had in my support system database.

The security fix is included in the theme from version 3.7.7. It is also prepared as a separate update that fits all theme and PrestaShop versions. It can be found in the folder “important - security hotfix – important”. It is also available for download from here: https://drive.google.com/file/d/0B6yfaCTJqFdeYldDNmg0d0Iwd1U/view?usp=sharing

The fix we provide only closes the security issue in the modules; it will not clean malicious code from your site.

We are sorry, but we only supply the template. We fixed the errors in our product, but we are not able to fix servers that have already been hacked. You need to contact your hosting provider or administrator.

Additional info

Not all hacked websites are related to the Warehouse theme! If you applied the fix correctly (and did so before the attackers infected your site) and there were no suspicious files inside the slides folders, then you were probably hacked some other way. Issues were recently discovered in popular modules such as

· Sendtoafriend – a default PrestaShop module; it allowed spam to be sent

· Attribute Wizard Pro – the module allowed the site to be hacked

· Cartabandonmentpro – the module allowed the site to be hacked

which were not developed by us and are not included in the Warehouse template. If you use these modules, make sure to update them to the latest version.

Step 0 – Apply hotfix

Download it here: https://drive.google.com/file/d/0B6yfaCTJqFdeYldDNmg0d0Iwd1U/view?usp=sharing

How to check the theme version?

If you have theme version 3.7.7 or above, you do not need to apply the hotfix to your site.

Using an FTP client such as FileZilla, upload the folders from the hotfix's “For Prestashop 1.6/modules/” or “For Prestashop 1.5/modules/” folder (depending on which PrestaShop version you use) to the modules/ folder of your root PrestaShop installation (not to themes/warehouse/modules!) and overwrite all existing files. If you use a Mac, you need to merge these folders rather than replace them.

!important!

To check that the fix was applied correctly, open a web browser and go to a URL of this form:

yourshopdomain/modules/simpleslideshow/uploadimage.php

Example

http://warehouse.iqit-commerce.com/modules/simpleslideshow/uploadimage.php

You should see the text “User is not logged in” or “no file”.

If you see a different message, the fix has not been applied correctly: either you uploaded it to the wrong path, or the files were not overwritten. Please double-check this!

Step 1: Check for infection / determine the date of infection

Log in to your FTP account and check the directories.

The attacks always start from one of the following places:

· modules/simpleslideshow/slides

· modules/homepageadvertise/slides

· modules/homepageadvertis2/slides

· modules/productpageadverts/slides

· modules/columnadverts/slides

Once attackers placed malware in one of the slides folders above, they could put a backdoor on your server. Start by checking all of the slides folders above; if you find any file there other than images or index.php, it means you are already infected.

If an index.php file exists there, it should contain only code like this (a stub that sends no-cache headers and redirects to the parent folder):

<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header("Location: ../");
exit;

The date of the attack is the earliest date on which suspicious files were added to the slides folders above.

* Sometimes the date of such a file may be much older, because the attacker changed it to match the rest of the files in the folder. In that case you need to check your server's access log and look for something similar to the line below (search for “uploadimage.php”):

"POST /modules/simpleslideshow/uploadimage.php HTTP/1.1" 200
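The checks in this step can be scripted. The following is an added example, not code from the original guide or from the theme vendor: it lists non-image files in each slides folder the guide names, verifies that a slides index.php contains nothing beyond the stub shown above, and pulls the earliest POST to uploadimage.php out of a combined-format access log. The sample site tree and log lines it builds for the demo are constructed (the file name wele.php is one the guide itself mentions; the IP addresses are documentation addresses). The image check is by extension only, so still open anything you are unsure about.

```shell
#!/bin/sh
# Added example, not part of the original guide: the Step 1 checks as shell
# functions. Run from the PrestaShop root on a POSIX sh with find, grep and awk.
#   list_foreign_files DIR   files in a slides folder that are neither images
#                            (judged by extension only) nor index.php
#   check_index_stub FILE    "ok" if index.php holds only the header()/exit stub
#                            shown in the guide, otherwise "suspicious"
#   first_upload_post LOG    earliest date (dd/Mon/yyyy) of a POST to any
#                            modules/*/uploadimage.php in a combined-format log

# The slides folders the guide lists (relative to the PrestaShop root).
SLIDES_DIRS="modules/simpleslideshow/slides
modules/homepageadvertise/slides
modules/homepageadvertis2/slides
modules/productpageadverts/slides
modules/columnadverts/slides"

list_foreign_files() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(basename "$f")" in
            index.php) ;;
            *.[jJ][pP][gG]|*.[jJ][pP][eE][gG]|*.[pP][nN][gG]|*.[gG][iI][fF]) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Every line of a legitimate stub is blank, a PHP tag, part of the licence
# comment, a single header(...); call or exit; anything else is flagged.
check_index_stub() {
    if grep -E -v -e '^[[:space:]]*$' -e '^<\?php' -e '^\?>' \
            -e '^[[:space:]]*(/\*|\*)' -e '^header\([^;]*\);[[:space:]]*$' \
            -e '^exit;[[:space:]]*$' "$1" > /dev/null; then
        echo suspicious
    else
        echo ok
    fi
}

first_upload_post() {
    grep -i 'POST /modules/[^ ]*/uploadimage\.php' "$1" |
    awk 'BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                 for (i = 1; i <= n; i++) mon[m[i]] = i }
         { ts = substr($4, 2)                  # $4 looks like [15/Jun/2016:23:40:01
           split(ts, p, "[/:]")
           key = p[3] * 10000 + mon[p[2]] * 100 + p[1]
           if (best == "" || key < best) { best = key; date = p[1] "/" p[2] "/" p[3] } }
         END { if (date != "") print date }'
}

# Print a Step 1 report for the current directory; the access log is optional.
report_step1() {
    for d in $SLIDES_DIRS; do
        list_foreign_files "$d" | sed 's/^/FOREIGN FILE: /'
        if [ -f "$d/index.php" ]; then
            printf 'index.php in %s: %s\n' "$d" "$(check_index_stub "$d/index.php")"
        fi
    done
    if [ -n "${1:-}" ]; then
        printf 'earliest uploadimage.php POST: %s\n' "$(first_upload_post "$1")"
    fi
}

# Constructed sample site for demonstration and testing (all data made up).
build_sample() {
    mkdir -p "$1/modules/simpleslideshow/slides" "$1/modules/columnadverts/slides"
    printf 'GIF89a' > "$1/modules/simpleslideshow/slides/banner1.gif"
    printf '<?php\n' > "$1/modules/simpleslideshow/slides/wele.php"
    printf '<?php\nheader("Expires: Mon, 26 Jul 1997 05:00:00 GMT");\nheader("Location: ../");\nexit;\n' \
        > "$1/modules/columnadverts/slides/index.php"
    cat > "$1/access.log" <<'EOF'
203.0.113.5 - - [18/Jun/2016:02:11:09 +0000] "POST /modules/simpleslideshow/uploadimage.php HTTP/1.1" 200 23 "-" "-"
203.0.113.5 - - [15/Jun/2016:23:40:01 +0000] "POST /modules/simpleslideshow/uploadimage.php HTTP/1.1" 200 23 "-" "-"
198.51.100.9 - - [16/Jun/2016:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
EOF
}

# Usage: sh step1_check.sh [/path/to/access.log]   (from the PrestaShop root)
#        sh step1_check.sh --demo                   (run on the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && build_sample "$demo" && (cd "$demo" && report_step1 access.log)
    rm -rf "$demo"
elif [ -d modules ]; then
    report_step1 "${1:-}"
fi
```

An empty date line means no POST to uploadimage.php was found in that log file; check older, rotated log files too, since the infection may predate the current one.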

If there was no suspicious code inside the slides folders, it means your site:

· is clean, or was infected through other modules not delivered with the Warehouse theme

Step 2: Make a full backup

Make a backup even with the suspicious code inside - every kind of copy is valuable. Make sure you also back up your website database. Copy this full backup to your local computer's hard drive.

Step 3 (optional): Temporarily turn off your site or PHP execution

There are various ways to do this: you can switch off PHP execution in your hosting cPanel,

or you can edit the .htaccess file and add the following at the top of that file

deny from all
allow from YOUR_IP_ADDRESS


* Replace YOUR_IP_ADDRESS with your own IP address; you can find it on a site such as whatismyipaddress.com. These are Apache 2.2-style directives; Apache 2.4 accepts them only while the mod_access_compat module is loaded.

Step 4: Restore a clean backup

The best situation is when you have regular backups of your server (it is highly recommended to have them!). Then you can restore a clean backup and apply the security patch. At this point it is important to do a clean restore: all files of the current state should be removed, and only then should you restore the files from the clean backup. If you are sure you restored a clean backup, you can skip Step 5.

* If you do not have your own backups, or your backup is not old enough to be clean, contact your hosting provider. They often have their own backups.

Once you have restored the backup, update the theme to the latest version or immediately apply the security fix – perform Step 0 from this guide.

* If you can edit your backup before restoring it, you can apply the security fix in the backup already.

Restoring a clean backup is the best solution.

Step 5: Scan the site and clean it of backdoors and malicious code

(If you do not have a clean backup of your site, you need to clean your site of malicious code.)

If you are 100% sure that you performed a clean restore of a clean backup, you can probably skip this step. If not, it is mandatory to scan the site for backdoors and malicious code.

These backdoors are developed in such a way that an attacker can use them to regain access to your site. Sometimes several backdoors are installed in case one is lost in a manual removal or upgrade. They may be added as new files on your server, or they may be added to existing core files of PrestaShop or modules.

Step 5a – Server virus scanner

Scan with the server antivirus. Most cPanel installations include ClamAV; scan your site with it. Also ask your hosting provider to run a scan for you, regardless of whether you already scanned with ClamAV.

Clean all infected files. If you are not sure whether a file is a PrestaShop or module core file, open it and compare it with the clean PrestaShop or module package. If you are still not sure, it is better to delete it anyway.

Step 5b – File scan via SSH (shell) and manual fix

A server virus scan is not enough. You also need to scan manually for code injections.

For this step you need SSH access to your server. If you do not have it, ask your hosting provider; they may provide it. If not, ask them to run the commands described below and send you the result files.

# Run these from the PrestaShop root. -print0 and xargs -0 keep file names containing spaces intact.
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "(shell_exec|system|stream_socket_client|str_rot13|gzinflate|passthru|eval|base64_decode|preg_replace) *\(" > scanresult_suspicious.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "eval *\(" > scanresult_eval.txt
find . -name 'index.php' -size +1900c > scanresult_indexmorekb.txt
find . -mtime -30 -name '*.php' > scanresult_modified_php.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "hacked|hacker|hack" > scanresult_hacked.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "paypal" > scanresult_paypal.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "\. *chr *\(" > scanresult_chr.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "move_uploaded_file" > scanresult_fileupload.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "shell" > scanresult_shell.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "@mail" > scanresult_mail.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "@copy *\(" > scanresult_copy.txt
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "@set_time_limit" > scanresult_time.txt

How to connect by SSH:
https://mediatemple.net/community/products/dv/204404604/using-ssh-in-putty-
http://www.inmotionhosting.com/support/website/ssh/how-to-login-ssh

Once you are connected, scan your server, usually the public_html directory.

Also download a clean PrestaShop installation matching the version you currently have installed from here:

https://www.prestashop.com/en/developers-versions#previous-version and unzip it. You will use its files to replace core PrestaShop files with clean ones.

First scan all files with the command

find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "(shell_exec|system|stream_socket_client|gzinflate|passthru|eval|base64_decode) *\(" > scanresult_suspicious.txt

It lists all files that may contain malicious code.
Not all files listed here are malware. Some samples containing malware are highlighted with a red mark.

Some malicious code is added in files created by the attackers and contains only their code; these files should be removed from the server.
Some code added by the attackers is inserted inside core PrestaShop files or module files; in that case you need to download the file, remove the malicious code and upload it back to the server,
or, if it is easier for you, just replace the file with the clean version from the clean PrestaShop package or module. If you are not sure whether a file is part of PrestaShop, check its path in the clean PrestaShop package you downloaded.

./modules/blockmyaccount/blockmyaccount.php: this is a PrestaShop core module file that has been infected. You need to replace it with the clean file from PrestaShop, or download it to your local computer, open it in a code editor and remove the attacker's code from it.

Example: remove the marked code from the file

Other examples of what infected files look like

For example, the files wele.php, template.php, 500.php and Dex.php are not core PrestaShop files, and they should be removed from the server.

As you can see in the examples above, code added by attackers usually looks different or weird, because it is encoded. Apart from looking for such strings, you must pay attention to weird-looking variable names

and to the execution of commands such as

· system

· passthru

· shell_exec

even if they do not contain any weird-looking variables or base64 code in the brackets.

Not all listed files are infected; for example, the files listed below are clean.

* If you use the Store Commander module, the scan may flag some of its files. They look infected, but in the case of this module the code is fine. Even so, if you have the possibility, remove the Store Commander files from the server and upload them again to be sure they are not infected.

Then investigate all recently modified files

It is possible to fake a file's modification date, but many attackers won't bother. So it is also worth scanning for recently added or changed files. For that, use the command

find . -mtime -14 > scanresult_modified.txt

-14 means you look back 14 days from now. Adjust this according to your date of infection, and consider adding some margin to that date. You can also limit the scan to PHP files only:

find . -mtime -14 -name '*.php' > scanresult_modified_php.txt

Example result

Now check for suspicious file names, or .php files that seem to be in the wrong directories. Then check the content of the files you consider malicious.

Some examples of hackers' code:

Then scan with

find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "eval *\(" > scanresult_eval.txt

and follow the same procedure as for the result of the first command.

Then scan with

find . -name 'index.php' -size +1900c > scanresult_indexmorekb.txt

It lists all index.php files larger than 1900 bytes (roughly 2 kB).

Check the content of all listed index.php files; it is possible that all of them come from the attacker. In the example above only ./admin123/index.php is clean; the rest contain the attacker's “postcard” and a phishing PayPal login (the entire LoginPPL directory was added by the attacker).

Scan for words like hacked|hacker|hack

find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "hacked|hacker|hack" > scanresult_hacked.txt

Example results: check all suspicious files. Their content may only display a “hacked by” message, but it may also modify other files or allow file uploads.

Then scan for the PayPal hack

find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "paypal" > scanresult_paypal.txt

The word “paypal” should be found only in a few core PrestaShop files and in modules/paypal or modules/paypalusa (which you should remove from the FTP and replace with a clean copy).

You need to check, and in most cases remove, other files containing the word paypal.

Results

Full code example of the PayPal hack

Once you have performed the scan and removed all suspicious files, please redo Step 5b to be sure you have not missed anything.
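The whole Step 5b scan set, including the recently-modified and oversized index.php searches from the walkthrough above, as one script. This is an added example, not the guide's own commands: it writes the same scanresult_*.txt files (file names only, null-safe for paths with spaces) and then ranks files by how many scans flagged them, so that a file hit by eval, base64_decode and a recent modification date is opened first. The sample tree used by the test is constructed; the public_html and scan-output paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: the Step 5b scan set as one
# script. scan_php_tree ROOT OUT writes the scanresult_*.txt files the guide
# describes (file names only), and rank_hits OUT lists the files that matched
# the most scans first, which is a sensible order to review them in.
# Assumes GNU or BSD find/xargs/grep (for -print0/-0) and a POSIX sh.

# run_pattern ROOT OUT NAME PATTERN: list PHP files under ROOT matching the
# case-insensitive extended regex PATTERN in OUT/scanresult_NAME.txt.
run_pattern() {
    find "$1" -type f -name '*.php' -print0 |
        xargs -0 -r grep -E -i -l -- "$4" > "$2/scanresult_$3.txt" || true
}

# scan_php_tree ROOT OUT [DAYS]: run every scan from the guide. DAYS (default
# 30) is the look-back window for recently modified PHP files.
scan_php_tree() {
    root=$1; out=$2; days=${3:-30}
    mkdir -p "$out"
    run_pattern "$root" "$out" suspicious \
        '(shell_exec|system|stream_socket_client|str_rot13|gzinflate|passthru|eval|base64_decode|preg_replace) *\('
    run_pattern "$root" "$out" eval 'eval *\('
    run_pattern "$root" "$out" hacked 'hacked|hacker|hack'
    run_pattern "$root" "$out" paypal 'paypal'
    run_pattern "$root" "$out" chr '\. *chr *\('      # strings assembled from chr() calls
    run_pattern "$root" "$out" fileupload 'move_uploaded_file'
    run_pattern "$root" "$out" shell 'shell'
    run_pattern "$root" "$out" mail '@mail'
    run_pattern "$root" "$out" copy '@copy *\('
    run_pattern "$root" "$out" time '@set_time_limit'
    # index.php stubs are tiny; anything above 1900 bytes deserves a look
    find "$root" -name 'index.php' -size +1900c > "$out/scanresult_indexmorekb.txt"
    # PHP files changed within the look-back window
    find "$root" -mtime -"$days" -name '*.php' > "$out/scanresult_modified_php.txt"
}

# rank_hits OUT: "<number of result files the path appears in> <path>",
# most hits first. A file flagged by several scans is the one to open first.
rank_hits() {
    cat "$1"/scanresult_*.txt | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Usage (paths are placeholders):
#   sh scan_php.sh /path/to/public_html /path/to/scan-output [DAYS]
if [ $# -ge 2 ]; then
    scan_php_tree "$1" "$2" "${3:-30}"
    rank_hits "$2" | head -n 40
fi
```

The ranking is only a triage order: a hit count of one is common for clean files (the modified-files scan alone lists everything touched by a recent update), while a file that appears in the suspicious, eval and modified lists at once is what to open first, comparing it against the clean package as the guide describes.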

Step 5c – Replace index.php and other critical files with original files from the PrestaShop installation

Download a clean PrestaShop installation matching the version you currently have installed from here

https://www.prestashop.com/en/developers-versions#previous-version

Unzip it and, via FTP, replace a few critical files no matter whether they were reported as infected or not:

· ./index.php

· ./controllers/admin/AdminLoginController.php

· the entire PayPal module (remove modules/paypal from the FTP and replace it with http://addons.prestashop.com/pl/1748-paypal.html )

· You should also manually check themes/warehouse/shopping-cart.tpl for any malicious code, such as a redirect.

Tip: if you have not modified PrestaShop's core files, you can copy and replace whole folders like the following from your clean downloaded PrestaShop:

· ./classes

· ./controllers

· ./Adapter

· ./Core

· ./tools

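One way to do the comparison this step asks for, as an added example that is not part of the original guide: given the unzipped clean package and the site root, it reports every file under the directories listed above (and the top-level index.php) that differs from the clean copy or has no counterpart in it. Files you changed on purpose will show up as changed too, so review before overwriting. The directory names are the guide's; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: Step 5c as a file comparison.
# compare_core_dirs CLEAN_DIR SITE_DIR reports, for the core paths the guide
# names, every site file that differs from the clean PrestaShop package
# ("changed") or does not exist in it at all ("extra"). Both kinds are what you
# replace or delete in Step 5c. Assumes CLEAN_DIR is the unzipped package for
# the same PrestaShop version as the site, and a POSIX sh with find and cmp.

# Paths relative to the PrestaShop root, taken from the guide's Step 5c.
# Adapter and Core only exist in 1.6; missing paths are skipped.
CORE_PATHS="index.php classes controllers Adapter Core tools"

compare_core_dirs() {
    clean=$1; site=$2
    for p in $CORE_PATHS; do
        [ -e "$site/$p" ] || continue
        (cd "$site" && find "$p" -type f) | while IFS= read -r f; do
            if [ ! -e "$clean/$f" ]; then
                printf 'extra %s\n' "$f"        # not in the clean package: review, then delete
            elif ! cmp -s "$clean/$f" "$site/$f"; then
                printf 'changed %s\n' "$f"      # differs from the clean package: replace
            fi
        done
    done | sort
}

# Usage (paths are placeholders):
#   sh compare_core.sh /path/to/prestashop_clean /path/to/public_html
if [ $# -eq 2 ]; then
    compare_core_dirs "$1" "$2"
fi
```

Files present in the clean package but missing on the site are not reported, since they cannot carry injected code; the list is meant to drive replacement, not a full integrity audit.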

Step 5d – Erase and re-create your .htaccess file

1. Log in to the website via FTP.

2. Navigate to your store root directory.

3. Download the .htaccess file to your local drive as a backup.

4. Remove it from the FTP.

5. Go to your store back office.

6. Navigate to Preferences -> SEO and URLs.

7. Disable the Friendly URL option.

8. Then re-enable the Friendly URL option. The .htaccess file will be regenerated now. If you had added any custom code to it (and you are sure which code was added by you), you can copy that part back from the local backup of your .htaccess file.

If you have not applied the security fix yet, do it now (perform Step 0 from this guide) or update the theme to the latest version.

Step 6: Change your access data

Change all passwords on your website:

· your back office users' access data

· MySQL database access data

· FTP data

· hosting panel/cPanel access data

· SSH access data

Once you change the MySQL access data, you need to edit the file

config/settings.inc.php and change the lines holding the database credentials

Step 7 (optional): Turn your site or PHP execution back on

If you disabled access to your site or PHP execution, remember to revert that change and enable access to your site again.

Step 8: Scan the site with an online scanner

Scan your site with a tool like: https://sitecheck.sucuri.net/

If your site is clean but still blacklisted, you need to ask Google to check your site again to remove it from the blacklist. Open the Security Issues report in Google Webmaster Tools: https://www.google.com/webmasters/tools/security-issues and then click Request a review. Add your site if you haven't already.

More info
https://support.google.com/webmasters/answer/3258249?hl=en&topic=2365140&ctx=topic&rd=1
https://blog.sucuri.net/2011/01/what-to-do-when-your-site-gets-blacklisted.html

Step 9: Schedule a correct backup pattern

Make sure you have scheduled backups of your website. You should have scheduled backups for both files and the database. For example, it is good to have:

· 4 x weekly backups (or at least one)

· 4 x monthly backups (or at least one)

· daily backups

Weekly backups are the absolute minimum!

More to read:
https://dh42.com/blog/backing-prestashop-site/
http://www.dirhost.com/Do-You-Have-a-Backup-Strategy-for-Your-Website.aspx
https://dmjcomputerservices.com/blog/whats-your-website-backup-strategy/

Consider using some file integrity tools or services like https://sucuri.net/

Step 10: Update and remove unused modules

Consider upgrading PrestaShop and all modules to the latest version. Older versions are more prone to hacks than newer ones.

Remove all unused modules, because even if they are disabled or uninstalled they may still allow access to your site if they have a vulnerability; at the very least, keep them up to date.

References and other articles worth reading

https://dh42.com/blog/fixing-prestashop-warehouse-theme-hacks/

http://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/

http://www.gregfreeman.io/2013/steps-to-take-when-you-know-your-php-site-has-been-hacked/

https://www.joomshaper.com/blog/my-joomla-site-was-hacked-what-to-do

https://codex.wordpress.org/FAQ_My_site_was_hacked