
Fix Prestashop Hacked Redirect With This Step-By-Step Guide

How many times have you resorted to forums to get an answer for your redirecting PrestaShop store or any other hack? Hundreds of times? Maybe even more. Well, this has been the case for so long. PrestaShop users and store owners rummage through forums to get a reliable solution for PrestaShop hacked redirect or other PrestaShop hacks.

The following hack questions on the PrestaShop forum validate my point.

An example of PrestaShop redirect hack case
PrestaShop hacked cases

This is mainly because there isn’t much information available on the web for PrestaShop hack cases.

Not reliable ones, at least.

This is why forums seem like the only good resource available.

Although there is no denying that forums clear out confusion to some level, it shouldn’t be deemed equivalent to a security expert’s advice. Which is why, after working with many PrestaShop redirect hack cases, we are finally drawing out our learnings as this one-stop PrestaShop redirect hack removal guide.

This guide deals with symptoms attached to PrestaShop hacked redirect, common hacked areas, and remediation steps.

So if you have also woken up to a redirecting PrestaShop store, this is what you need.

Why PrestaShop is a Hot Target?

Before we get started with the symptoms, let’s understand why your PrestaShop store was targeted in the first place.

According to BuiltWith trends, as many as 227,890 websites are currently using the PrestaShop CMS, which is 9% of all open-source e-commerce websites.

PrestaShop Usage Statistics; Source: BuiltWith

Clearly, Prestashop is widely used for e-commerce on the internet. These e-commerce websites are generally a good resource for credit card data and user data, which makes for insanely profitable trade-offs on the dark web.

Besides data theft, spammers also use PrestaShop’s popularity to direct users to their malicious domains, which usually sell cheap replicas of luxury brands or contraband products or, worse, host obscene & restricted content, or malware.

Spam links to replica sites inserted in websites

Attackers seeking data or visibility find PrestaShop websites exceptionally alluring.

Furthermore, insecure configuration is another huge reason for PrestaShop websites being attacked. Most store owners conveniently overlook PrestaShop best practices. Security negligence makes PrestaShop stores even more vulnerable to attacks like the PrestaShop hacked redirect, PrestaShop malware hack, PrestaShop credit card hack, and more.

A hacked PrestaShop store has serious ramifications. Such as:

Hence, it is extremely important for you to identify the hack as soon as possible. The following symptoms of PrestaShop hacked redirect will help you with this.

Symptoms of a PrestaShop Redirect Hack

Some common symptoms of a Prestashop hacked redirect include:

While there is no single definite way a hacker attacks a website, some common techniques have been identified. These include targeting some of the highly sensitive files.

Some files that are commonly targeted by attackers in a Prestashop hacked redirect include:

Step-By-Step PrestaShop Hacked Redirect Removal

Prerequisites: PrestaShop Hacked Redirect

a. Backup your website

First, take a complete backup of your PrestaShop store. So in case anything breaks while removing the malware, you can restore your website with the backup.

You can either back up your PrestaShop store on your own or request your hosting provider to take a backup for you.

b. Turn on the maintenance mode

Next, put your Prestashop store in maintenance mode. Doing so will prevent customers from placing orders on your store while you are working to remove the malware. To activate the maintenance mode, follow these steps:

  1. Login to your Prestashop Dashboard.
  2. For Prestashop 1.7, navigate to Shop Parameters>Maintenance.
  3. Here, change “Enable Shop” to No and click on Save.

Detection: PrestaShop Hacked Redirect

Now, try to locate the source of Prestashop hacked redirect infection.

a. Scan your website with a malware scanner

You can use online malware scanners to search for infected files like the one here. Scanning via an efficient malware scanner will automatically flag malicious files, links, or content on your website if there are any.

Malware flagged by the Astra Malware Scanner

b. Scan search engine warning messages

Google and other search engines have complex algorithms to detect malicious campaigns on a website. They abide by stringent policies to warn, flag, and blacklist websites which are possible security threats to their visitors.

If your website has been flagged or if you have received a warning message, go through the message once again and read between the lines to gauge an idea of what’s wrong.

An example of the Google warning message

c. Check Google search console for reasons

In case your store has also been blacklisted by Google, the Security Issues tab under Google search console can help you in finding the source of infection.

Security Issues Tab

d. Look for suspicious files

If you are still unable to trace the source of Prestashop hacked redirect infection, look for recently-added suspicious files. Also, go through recent modifications in your core files.

To list the files modified in the last 7 days, run this command in your SSH terminal:

$ find ./ -type f -mtime -7

Alternatively, compare your core files with their fresh copies. To do this:

  1. Download a fresh version of your PrestaShop store. Let’s call this directory $BASE.
  2. Download your current PrestaShop files. Let’s call this directory $YOUR_CART.
  3. Compare $BASE to $YOUR_CART. This will show you changes in core.
# $BASE and $YOUR_CART must be absolute paths
cd "$BASE"
for i in `find . -type f`
do
  diff -q "$i" "$YOUR_CART/$i"
done

  4. Inversely, to find the files that have been added to your installation but are not a part of the original installation ($BASE), run the following command. The "No such file" errors collected in /tmp/newfiles name the added files:

cd "$YOUR_CART"
for i in `find . -type f`
do
  diff -q "$i" "$BASE/$i" 2>>/tmp/newfiles
done
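The two comparisons above can be done in one pass that also copes with file names containing spaces. This is an added example, not code from the original article; the function names, the MODIFIED/MISSING/ADDED labels and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify differences between a clean PrestaShop tree
# and the downloaded live copy.
# Usage: sh compare_trees.sh CLEAN_DIR LIVE_DIR

compare_trees() {
    base=$1
    cart=$2
    # Walk the clean tree: files changed in, or deleted from, the live copy.
    (cd "$base" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$cart/$f" ]; then
            printf 'MISSING  %s\n' "$f"
        elif ! cmp -s "$base/$f" "$cart/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    # Walk the live copy: files that do not exist in the clean tree.
    # Expect uploads and installed add-ons here too; review unexpected
    # script files first.
    (cd "$cart" && find . -type f | sort) | while IFS= read -r f; do
        [ -f "$base/$f" ] || printf 'ADDED    %s\n' "$f"
    done
}

# Constructed sample trees for trying the function out; prints the temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/base/classes" "$d/cart/classes" "$d/cart/img"
    echo '<?php // index' > "$d/base/index.php"
    cp "$d/base/index.php" "$d/cart/index.php"
    echo '<?php // clean' > "$d/base/classes/Link.php"
    echo '<?php // clean plus an injected line' > "$d/cart/classes/Link.php"
    echo '<?php // file dropped by an attacker' > "$d/cart/img/my file.php"
    echo 'User-agent: *' > "$d/base/robots.txt"
    echo "$d"
}

if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

As with the manual comparison, the clean tree must be the same PrestaShop version as the live store, otherwise every file changed between releases is reported as MODIFIED.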

e. Check your database for unknown users and admins

Next up is checking your database for the additions of any unknown admins or unauthenticated users in the past few days. To do this, first access your website’s database via phpMyAdmin. Now find details of all modified tables like this:

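-- MySQL/MariaDB: list the tables of the current database by last
-- modification time, newest first. update_time can be NULL, for example
-- for InnoDB tables not written to since the server last restarted.
SELECT
    table_name, update_time
FROM
    information_schema.tables
WHERE
    table_schema = DATABASE()
ORDER BY
    update_time DESC;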

This will show you when each table was last updated. Identify the tables that have been updated recently and go through their contents manually.

Cleanup: PrestaShop Hacked Redirect

a. Replace infected files with good copies

If one of your core files is infected, replace it from the official repository of PrestaShop. For database infection, try dropping the infected tables. In the case of infection in one of your add-on & theme files, see if you can find their good copies on their site. Otherwise, just compare them with one of your uninfected back-ups.

Note: If you are comparing two copies of a file, make sure to match their version number in all cases, i.e, core, add-on, and theme files.

b. Restore a good backup

Moreover, if you already have a good backup, restore the same. Restoring a backup is particularly easy when you can tell apart a good backup from a malicious one, which in turn is easier if you have back-ups with a considerable gap between them – a week, a fortnight, or a month, so to say.

However, in case you’re backing up your website every day, it may be hard to pinpoint which back-up is good and which isn’t.

Furthermore, restoring a backup is more affordable for websites in which minimal to almost no change happens during the backup period. For websites in which content is regularly updated or changes are made, restoring an old back-up would also mean losing all the changes made in that period.

c. Delete malicious files

Delete suspicious files that are not part of core Prestashop. If you’re an Astra customer, you can do this from your Astra dashboard itself. This is how:

Delete this File option in Astra’s malware scanner

If you are not an Astra user, manually delete the file by accessing your website via an FTP tool like Filezilla.

d. Uninstall suspicious plugins & themes

It is quite possible that the PrestaShop redirect hack on your store is due to a zero-day add-on exploit. In that case, notice if there is any buzz around the same on forums and other PrestaShop communities. Normally zero-day exploits target thousands of websites at a time, which is why you may find people asking the same questions as you.

If there’s an identified case of an ongoing exploit due to a particular add-on or theme, uninstall the add-on if the patch has not been released yet. If there is a patched version available, update to that.

Once the infection is resolved, make sure to turn off the maintenance mode. Sometimes, the infection may reappear after the cleaning process. In case you are unable to spot the infection, it is highly recommended that you immediately contact experts.

PrestaShop Security Measures

I hope by now you have successfully removed the malware.

Order Deny,Allow
Deny from all
Allow from xx.yy.zz.ww

Conclusion

As is evident from the article, there are multiple ways in which a PrestaShop hacked redirect can occur. For an average user of PrestaShop, it may seem tedious to prevent it. But covering the basics mentioned in this article can provide you some security.
