PrestaShop Credential-Stealing Skimmer Via Image Beacons

Forensic Triage and Removal

1) Find All Injections

• Search your files & database for the above patterns.
• If you are unable to find & clean it yourself, Consider using professional website malware removal services. 

2) Clean and Restore

• If the above doesn’t work and if you can afford restoring to older backups, Any recent data may be lost if you are restoring to an older backup.
• Clear caches:
  • Back office: Advanced Parameters → Performance → Clear cache
  • Manually: delete var/cache/*
• Purge CDN caches to prevent serving stale malicious assets.

3) Hunt and Remove any further Backdoors or leftovers (Critical)

• Grep for suspicious PHP:
  • eval(base64_decode(, gzinflate(base64_decode(, assert($_POST, preg_replace('/e', create_function, system(, shell_exec(
• Inspect writable directories for PHP files:
  • /upload, /img, /download, /var, module folders
• Check .htaccess for odd rewrites or PHP execution enablement in uploads.
• Review cron jobs and admin accounts:
  • Remove unknown employees from ps_employee, enforce 2FA, rotate passwords.

4) Credentials and Sessions

• Force reset passwords for:
  • Admin accounts, affected customers, hosting panel, SSH/FTP, database.
• Invalidate active sessions and remember-me tokens.
• Rotate API keys (payment, shipping, SMTP, etc).

5) Patch and Harden

• Update PrestaShop core and all modules/themes to latest secure versions.
• Remove unused/untrusted modules.
• Restrict /admin* by IP allowlist or secondary HTTP Auth.
• Set correct File permissions: Files 0644, directories 0755; disable PHP execution in /upload and /img.
• Apply a strong Content Security Policy (CSP) and Subresource Integrity (SRI).

Example CSP (start in Report-Only, then enforce):