    @Guido:

    Let's see. My script is already done but was only tested in a sandbox. I'm going to review the code tomorrow again and if I don't find any issues, I make the code public.

    Btw, I didn't make my script based on the "known code" to infect ModX. Instead, it is based on the assumption that nothing should just create php files inside the assets folder (cache excluded). It can be configured to inform the admin if something/someone does via mail incl. a list of the files, and/or to immediately delete the files so the assets folder would always stay clean.
    • I had malicious code also in the core tree, so assets may not be enough. I guess it was roughly in all the folders which were writable, like cache, exports, packages ie. Your attempt is very good, maybe we can integrate some checks from my list (search for suspicious files).

      I can also provide a whole 1.0.14 ftp site as a zip with all infected files still present.
        like cache, exports, packages ie.
        Those are all inside assets. I *think* the entry point is assets/images from which the code is then duplicated to other places.

        I only ever had malicious files in the folders that the installer tells you to make writable. Of course, if the webhoster has default folder permissions that allow writing by default, you can have malicious files everywhere. But then, it's really a server misconfiguration and would make any CMS unsafe.
          I only ever had malicious files in the folders that the installer tells you to make writable.

          Could that writable entry point allow access to later create files in non-writable folders?
          I found newly created files inside of assets/snippets/ditto, and various other places as well.

          @Guido - You would think that any web hosting would have tools like the script you are working on. I am very interested in seeing where you go with it, and what can be done once the entry points are isolated.
            www.markojokic.com
            I am having multiple Evo 1.0.14 sites hacked with some regularity. So I thought I would look at what the Modx community is reporting. This seems like the most appropriate thread.

            None of my non-Modx sites are having this issue. Some hacks occur in the root directory, some in assets/ (any folder or subfolder) and some in manager/ (any folder or subfolder). The IP addresses resolve to Russia, Eastern European countries and Morocco, for example.

            Some 1.0.8 sites experiencing the hacks were upgraded to 1.0.14, but that did not stop the attacks. Just yesterday I received a notice from Apple that phishing files were put on one of my Evo 1.0.14 sites. They tell you exactly where to look. This is happening regularly now. I have had two sites shut down by my host. They had to be cleaned manually. I would be very interested in a script or snippet that warns of file changes. This is a nasty world.
            • Quote from: timo_w. at Oct 14, 2014, 08:26 PM

              Those are all inside assets.
              Right! I had both architectures hacked, I mixed them up.

              My attempt is to run find commands via php and let the user decide how to handle them. Most of the hacks look similar or use similar techniques. Base64 encoding, strreplace and so on. There are Linux tools which do checksums of all files, but I don't know how they handle cache or export folders. It's difficult.
              • I really recommend that tool "maldet" if you have shell access and can install Linux stuff.

                Nelson, do you need help cleaning up?
                  Could that writable entry point allow access to later create files in non-writable folders?
                  Yes, of course. Unless you also remove write permission even for the owner, which is what I did (as well as blocking all IPs that tried to call the malicious php files). It depends on the server configuration, though.

                  Posting my script later today. Seems to work (or at least doesn't cause any harm on the two sites I installed it on for testing).
                  • The attached script in my post (only visible if you are logged in) scans a whole folder (incl. subfolders) for new/modified files with specified extensions and sends a mail if files are changed/added. It works independently of the CMS and should be used by a cron job. A lot of things are configurable (starting folder, mail address, excluded folders, scanned extensions etc.).
                      Find my script attached. It's self-contained and can be used as a snippet in MODX or as a file called by a cronjob. It's pretty much self-explanatory, I think. If not, just ask.

                      One important thing: When using the script on new or updated MODX installations, make sure that $auto_del is set to false for the number of days given by $days_ago. Otherwise it will delete your snippets/plugins. I take no responsibility for any damage caused by the script.
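As an added example (this is not timo_w.'s attached script), here is a Python sketch of the same idea: scan an assets tree for recently added or modified files with watched extensions, skip the cache folder, and keep deletion opt-in so the warning about fresh installs is built in. The extension list, the cache exclusion and the constructed sample tree are assumptions.

```python
"""Added example (not timo_w.'s attached script): a cron-style scan of a
MODX assets tree that reports files with watched extensions added or changed
within the last days_ago days, skipping assets/cache."""
import os
import tempfile
import time

WATCHED_EXT = (".php", ".phtml", ".phar")  # extensions to watch (assumption)
EXCLUDED = {"cache"}                        # top-level folders under root to skip
DAY = 86400


def scan(root, days_ago=7, auto_del=False, now=None):
    """Return sorted relative paths of watched files modified within days_ago days.
    With auto_del=True the matches are deleted after being recorded. On a new or
    just-upgraded install every legitimate snippet/plugin is 'recent', so keep
    auto_del False for at least days_ago days, as the thread warns."""
    cutoff = (now or time.time()) - days_ago * DAY
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.relpath(dirpath, root) == ".":
            dirnames[:] = [d for d in dirnames if d not in EXCLUDED]  # prune cache
        for name in filenames:
            if not name.lower().endswith(WATCHED_EXT):
                continue
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                found.append(os.path.relpath(full, root))
    found.sort()
    if auto_del:
        for rel in found:
            os.remove(os.path.join(root, rel))
    return found


def build_sample_tree():
    """Constructed sample assets tree so the example runs offline; returns its path."""
    root = tempfile.mkdtemp(prefix="assets_")
    old = time.time() - 30 * DAY
    for rel, mtime in [("snippets/ditto/ditto.php", old),  # legitimate, untouched for weeks
                       ("images/logo.jpg", None),          # not a watched extension
                       ("images/x.php", None),             # PHP dropped into images today
                       ("cache/x.php", None)]:             # excluded folder, ignored
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        if mtime is not None:
            os.utime(full, (mtime, mtime))
    return root
```

Modification times can be backdated, so a scan like this catches careless drops but should be paired with a checksum baseline or a tool such as the maldet mentioned earlier in the thread.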