index.php is the landing page of your PrestaShop store, and so one of the most visited pages of your website. That also makes it an active target for attackers. If attackers succeed in hacking index.php on your PrestaShop site, the results can be disastrous: they can use it to serve malware, deface your site or steal the credit card information of your customers. According to a report published by riskiq.com,
Magecart attacks have been observed on all sorts of stores from Magento to PrestaShop. Some groups are not going after the shops themselves, but after third-party services loaded on those shops. Hackers compromise these services and hide their payment card skimming code inside the JavaScript code loaded via these widgets.
Pro Tip: The index.php file of PrestaShop can also be used to secure module files from unauthorized access.


Symptoms: PrestaShop index.php Hack

Index.php can be injected with malicious code by hackers to accomplish a number of malicious tasks. Detecting the index.php hack in Prestashop is not easy. However, a few symptoms to look out for are:
  • Users visiting your Prestashop store are being redirected to malicious sites.
  • Defacement of the index.php page.
  • Multiple pop-ups or malicious adverts appear on the index.php page.
  • The index.php page is asking users to install malware.
  • Gibberish content appears on the index.php page or something appears to be broken.
  • The index.php page becomes bulky and loads slowly.

Causes: PrestaShop index.php Hack

Vulnerable Upload Module

Upload modules allow users to upload certain files to your PrestaShop store, such as .txt or .pdf invoices. Beware: this can be a security risk. To prevent code execution, most modules allow only certain file types, like .png or .txt, to be uploaded. However, poorly coded upload modules can allow .php files to be uploaded to the server, leading to code execution. One such example is shown in the image below.
These are the logs of a real hacked site. The logs clearly show that the vulnerable modules first allowed the attackers to upload a malicious x.php file. Thereafter, the permission was set to (0644/-rw-r--r--) to allow code execution, leading to a hacked index.php.

 

Common Vulnerabilities

Poorly coded modules and files are often vulnerable to attacks like XSS and SQLi. A poorly coded index.php file may be injected with malicious JavaScript code. This malicious code can accomplish a variety of tasks, ranging from defacing the site to stealing the credit card information of PrestaShop users.

 

One such example is the pub2srv malware, which specifically targets index.php. This malware uses SQLi to inject malicious JavaScript code into the index.php files of various CMSes like PrestaShop. Given below is a code snippet of such malicious code injected by the pub2srv malware in the index.php file.

 

Weak Passwords

Weak or default passwords for services like FTP can open the doors of your site to hackers. Hackers can use these credentials to log into your site and edit the contents of index.php. There may also be a few services running on various ports of your server that have hardcoded credentials. You may be unaware of these services, but hackers use special scanners to detect them and inject index.php with malicious code.

 


 

Weak File Permissions

PrestaShop allows editing of sensitive files like index.php by specified users only. However, if these file permissions are not set properly, anyone can edit your index.php file. Moreover, if root directory listing is enabled, attackers can read sensitive files of your PrestaShop store. They can then use the information obtained from those files to inject index.php with malicious code.

 

Outdated Modules and Files

PrestaShop releases updates frequently to patch various bugs. Most of the time these bugs are security related, which can be checked from the changelog. However, if you fail to update your core files and modules, it is an open invitation to attackers. At times while updating, the index.php file may be renamed to index.php.old and left on the server. The attackers can detect such files and use them to inject malware into index.php.

 

Remedies: PrestaShop index.php Hack

  • Firstly, put your Prestashop site into maintenance mode before repairing index.php.
  • Change all the passwords to random and secure ones.
  • Look for malicious code inside the index.php file. If you are unable to figure out what the code does, simply comment it out or contact experts.
  • Look for base64-encoded code inside the index.php file and decode it using online tools.
  • Remove the malicious code in the index.php file and any other files.
  • Set the permissions in Prestashop to 755 for folders and 644 for files 664

  • Remove any suspicious or disreputable PrestaShop modules; there are plenty of alternatives available.
  • Make sure to update to the latest version of Prestashop.
  • Finally, take your Prestashop store out of maintenance mode.
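
An added example (not part of the original article and not PrestaShop code) that automates three of the checks described above: permissions looser than 755/644, leftover copies such as index.php.old, and base64 strings in PHP files, decoded locally rather than in an online tool. The backup suffixes other than .old, the 40-character threshold and the function names are assumptions.

```python
import base64, os, re, stat, sys

# Policy from the remedies list: 755 for folders, 644 for files.
DIR_MAX, FILE_MAX = 0o755, 0o644
# Backup suffixes are an assumption; the article only names index.php.old.
BACKUP_RE = re.compile(r"\.php\.(old|bak|orig|save)$", re.I)
# Quoted run of 40+ base64 characters (the length threshold is an assumption).
B64_RE = re.compile(rb"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")

def decode_blobs(data):
    """Decode quoted base64 strings locally; the result is never executed."""
    previews = []
    for match in B64_RE.finditer(data):
        blob = match.group(1)
        try:
            raw = base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        # Keep only printable results: hashes and binary data decode to noise.
        if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            previews.append(raw[:80].decode("ascii"))
    return previews

def audit(root):
    """Return sorted (kind, relative_path, detail) findings for a webroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            is_dir = stat.S_ISDIR(st.st_mode)
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~(DIR_MAX if is_dir else FILE_MAX):
                findings.append(("perms", rel, oct(mode)))
            if not stat.S_ISREG(st.st_mode):
                continue
            if BACKUP_RE.search(name):
                findings.append(("backup", rel, "leftover copy of a PHP file"))
            if ".php" in name.lower():
                with open(path, "rb") as fh:
                    for text in decode_blobs(fh.read()):
                        findings.append(("base64", rel, text))
    return sorted(findings)

if __name__ == "__main__":
    for kind, rel, detail in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:7} {rel}: {detail!r}")
```

Run it against a copy of the webroot; compressed or multiply encoded payloads will not show up as printable text and still need manual review.
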
Last but not least, investing in a continuous and comprehensive security solution can protect your website immensely. There are plenty of solutions in the market, but only a few of them are trusted, and Astra Website Security is one of them. Astra secures your crucial files like index.php from any kind of malicious activity with its firewall. In addition, it continuously monitors your website. You can sit back and relax while Astra does everything security for you. Go! Give it a try!
