If you are not aware, on 6/19/2016 a hack was released for the most popular PrestaShop theme on the market, Warehouse. The developer of the theme quickly released a patch, but there are still sites that have not installed it. In the week since the hack was released we handled almost 30 clients whose sites had been hacked. The damage ranged from 7 sites that were deleted entirely to the rest being converted into phishing sites or spam sites. To make matters worse, we were alerted over the weekend that an automated tool is already being distributed that detects the theme and hacks the vulnerable files.
Fixing a hacked website
There are two ways to go about fixing your hacked or vulnerable website: you can either do it yourself or you can hire someone to do it. If you are not technically inclined, or are unsure of some of the methods we use in this article, it might be best to hire someone to clean your site up.
Warehouse Hack Cleanup Special $200
We will apply the theme patch to your site, remove all of the hacked files and backdoors from the site, and also install a module that will alert you to any file changes on the server. This is so you can see if the hackers ever get back in and modify files.
Fixing the hack yourself
Patching the theme is pretty simple: all you need to do is download the patch zip file, unzip the patch, and upload its contents to the root of your site. You can download the patch below.
Download Warehouse theme patch
Cleaning up your site
I really took my time and looked for tools to help with this process, but I have not been able to find anything that is 100% successful at cleaning up a hacked site. We tried server anti-virus software such as ClamAV and a couple of other programs. At best they did an OK job. No program we tried would find every single file or backdoor left on the servers. This makes it hard to write a cleanup guide that most people can follow.
The reason none of the programs could clean up the sites is how scattered the malicious files are across the servers. From my best guess, most hacked sites we have seen had multiple people in them doing very different things. Some of the things we saw were simple phishing pages trying to get account information from visitors; others had spam scripts installed that would spam users. Still others had shell scripts that would allow account-level or root-level access to the server. A couple had no visible hacks other than a test file left on the server.
We tried to come up with search patterns we could use to find the files on the sites. Some of the files were encoded with base64, some used a different type of encoding. Some used eval statements, some were just plain PHP. A couple of them used SwiftMailer, some were just HTML files for phishing. In the end we did not come up with any program or automated way to find all of the files on the server.
Two ways to handle it
There are basically two ways to handle a situation like this, and which you choose depends on your level of comfort. The first and easiest would be a site restore from before June 12th. That is the oldest timestamp we saw on a hacked site; most of the others we saw were in the 15th to 20th range. The downside of a full restore is that you lose all of the information in your database, such as orders, customer accounts, and new products. If you or your host can restore just the files, that is the best possible situation, because you retain all of the information in your database. Be sure to apply the patch after the restore; this is imperative.
The second way to handle it is to manually clean the site yourself. Either you or your host should start by running the anti-virus software that should be installed on your server; ClamAV is installed on most cPanel servers by default. Next you will want to search the files for some obvious strings such as “base64”, “eval”, “indo”, “shell”, “auth_pass”, “output_buffering”, and “str_rot13”. These are the strings we have seen most often in files from hacked websites. None of these strings would be in core PrestaShop files, but we cannot say the same for some of the modules you might be using.
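To show what that string search looks like in practice, here is an added example scanner (not a tool from the original post) that walks a web root, looks for the indicator strings listed above, and ranks files by how many distinct indicators they contain so the most suspicious ones are reviewed first. The list of file extensions it reads and the sample web root it builds are assumptions made for the example; the sample files contain only the indicator tokens, not any real payload.

```python
import os
import re
import tempfile

# Indicator strings from the article's list. Everything else here is an added example.
INDICATORS = ["base64", "eval", "indo", "shell", "auth_pass", "output_buffering", "str_rot13"]
# Assumption for the example: text file types worth reading on a PrestaShop install.
SCAN_EXTENSIONS = {".php", ".phtml", ".html", ".htm", ".inc", ".txt"}
_PATTERN = re.compile("|".join(re.escape(s) for s in INDICATORS), re.IGNORECASE)


def scan_file(path):
    """Return {indicator: [line numbers]} for one file.

    Reads as latin-1 so a binary or oddly encoded file never raises a decode error.
    """
    hits = {}
    with open(path, "r", encoding="latin-1") as fh:
        for lineno, line in enumerate(fh, 1):
            for match in _PATTERN.finditer(line):
                hits.setdefault(match.group(0).lower(), []).append(lineno)
    return hits


def scan_tree(root):
    """Walk root and return [(relative path, hits)] for files with at least one indicator.

    Files with more distinct indicators sort first: a file that trips "auth_pass",
    "output_buffering" and "str_rot13" together deserves a look before one that only
    contains "indo" (which also matches the harmless word "window").
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, hits))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


# Constructed sample web root for the example: only marker tokens, no working code.
SAMPLE_FILES = {
    "index.php": "<?php\nrequire_once dirname(__FILE__) . '/config/config.inc.php';\n",
    "themes/warehouse/footer.html": "<script>window.scrollTo(0, 0);</script>\n",
    "img/.cache/x.php": "<?php\n// constructed marker file: eval base64 tokens only, no payload\n"
                        "$tokens = array('eval', 'base64');\n",
    "modules/m/mail.php": "<?php\n$auth_pass = 'changeme';\n"
                          "ini_set('output_buffering', '0');\n"
                          "echo str_rot13('constructed');\n",
}


def build_sample_root():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="ps_scan_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def report(findings):
    """Render findings as one line per file, most suspicious first."""
    lines = []
    for rel, hits in findings:
        detail = ", ".join(f"{k}@{v}" for k, v in sorted(hits.items()))
        lines.append(f"{len(hits)} indicator(s)  {rel}  [{detail}]")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_root()
    print(report(scan_tree(sample)))
```

Run it against a real install as `scan_tree("/path/to/prestashop")`. The ranking is only a triage aid: short indicators like "indo" and "eval" also fire on legitimate JavaScript and module code, so every hit still has to be read by someone who knows what belongs in a PrestaShop tree, exactly as the post says.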
Cleaning a hacked site up manually is a tedious process; the whole site really needs to be gone through by hand by someone who knows PrestaShop and knows which files should be there and which should not. At the same time you need to be able to read the files to see what they actually do. They could link to other files on your server, or they could just be a poorly written module file.
I really wish there was an easy way to write a guide so do-it-yourselfers could clean up their sites. But I just have not found a quick fix for this, because of all of the different kinds of files we have seen on the hacked sites we have worked on.
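Knowing which files should be there is much easier with a baseline. The post mentions installing a module that alerts on file changes; as an added example (not that module, and not part of the original post), the script below records a SHA-256 manifest of a clean tree right after the restore and patch, then reports files that were added, modified or removed since. The sample tree it builds and the changes it simulates are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Store the baseline as JSON. Keep it outside the web root so it cannot be edited by a web shell."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifest(baseline, current):
    """Return sorted lists of added, modified and removed paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build a constructed clean tree, baseline it, simulate a compromise, and diff."""
    root = tempfile.mkdtemp(prefix="ps_fim_")
    _write(root, "index.php", "<?php echo 'shop';\n")
    _write(root, "config/settings.inc.php", "<?php define('_DB_NAME_', 'shop');\n")
    _write(root, "themes/warehouse/header.tpl", "{* header *}\n")

    baseline_path = os.path.join(tempfile.mkdtemp(prefix="ps_fim_base_"), "baseline.json")
    save_manifest(build_manifest(root), baseline_path)

    # Simulated changes (constructed): one edited core file, one dropped file, one deleted file.
    _write(root, "index.php", "<?php echo 'shop';\n// appended line\n")
    _write(root, "img/.cache/dropped.php", "<?php // constructed marker, no payload\n")
    os.remove(os.path.join(root, "themes", "warehouse", "header.tpl"))

    return diff_manifest(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production you would run `build_manifest` on the cleaned, patched site, store the JSON somewhere the web server cannot write, and re-run the diff from cron; anything under "added" or "modified" that you did not put there yourself is the next file to read.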