    • 38142
    • 91 Posts
    I have a website built with MODX Revo 2.3.1 on Linux hosting. After being told by the client that they had suddenly lost the ability to do things in the manager area, I logged in and saw that a new user account had been created (the only person with permission to create user accounts was myself, and there was only one client with limited content permissions, 42 out of the full 172) using an email address ending .ru and beginning "f***youmodx" (*** = uck). My content access permissions had been altered, but after reverting them to what they were, it is still impossible to save any changes to updated resources with my full permissions.

    I have updated the CMS to 2.3.2 and deleted the rogue user account, and checked the permissions. Made another attempt to update a resource, then everything in the manager area below the blue band at the top disappears (resource tree, etc, disappears), and clicking logout or end sessions does not work. Can't log out or force a logout of all users. Manager area now functionless.

    In another browser I manage to get to the error log. It notes an error from about three hours earlier:

    [2014-12-09 09:04:01] (ERROR @ /connectors/index.php) Could not get table class for class: modAccess
    [2014-12-09 09:04:01] (ERROR @ /connectors/index.php) Could not get table name for class: modAccess
    [2014-12-09 09:04:01] (ERROR @ /connectors/index.php) Error 42000 executing statement:
    Array
    (
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AS `modAccess` WHERE `modAccess`.`principal` = 3' at line 1
    )

    With the other browser I manage to end all sessions, then log in again successfully and see the resources but can't update some of them and am denied access to media files in template variables on the resources, even though the permissions for my Admin account should give me full access as the Super User.

    Any advice?


    This question has been answered by sottwell. See the first response.

    • First, delete the core/cache directory. Also clear your browser cache and cookies.

      Try replacing (delete and replace) the entire /manager/ directory, also the core directory except for the config.inc.php file, the components directory and the packages directory. Examine your assets folders carefully - there should be no .php files there, just images, css and js files.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        • 38142
        • 91 Posts
        Thank you for the offer of help. I have done everything you suggested, plus logging in from a browser never before used to access the website.

        Bizarrely, even though my permissions are correct (full 171 permissions, minus database_truncate, which caused a problem in the past and I now delete from the template as a routine matter, but I forget why exactly) and I have Media Admin permissions for the client's media source that has been set to be the default, I cannot:

        1. Save an altered resource (but I can do a Quick Update and it will save);

        2. Get access to the media files through the template variable on the resources (the resources show the file path but don't show the icon to click).

        I have to go away now and do something else, otherwise I will lose the last traces of sanity.

        Thank you very, very much for the help.
        • I would try BobRay's SiteCheck. It's not free, but once you get a license it's yours to use on any site you work with.

          You could also install a new copy of Revo in a subdirectory and see if you can work with it OK. If you can, then maybe you'd be best off transferring the relevant assets (images, css, js, etc) and a database dump of the content, TV, snippet, etc. tables (just the dynamic content tables) to the new one, then replace the old one altogether.

          I've attached the Administrator policy template and policy from a fresh installation of Revo 2.3.2 in case they are useful.
            • 38142
            • 91 Posts
            Thank you very much again. I will try the second installation. A good idea.

            You have been very helpful.
            • It's hard to be helpful remotely in a situation like this. There's no way to tell how the site got hacked. Was this an upgraded older installation? Some of these hack files were installed in vulnerable versions which have since been upgraded, but the files have been there sometimes for months or even years before being activated. If this was even hacked using that method. It could be the whole server has been compromised, allowing the hacker to rampage at will through everything. But this one sounds like an old "forgot password" hack that's probably been sitting through upgrades for a year or more before somebody or something got around to activating it.
                • 38142
                • 91 Posts
                To reply to that question about the upgrade: No, this wasn't a website that was neglected and then updated to 2.3.1 from a much earlier version. I have been anxious about keeping all the sites up to date, so the upgrade to 2.3.1 was from 2.2.14 (I think that was the previous version after the warning about a vulnerability in versions up to 2.2.13).

                I have another 20 websites with MODX Revo on the same server. As far as I know, only this one has been hacked.
                • I had a site that I regularly updated reported by the hosting company as harboring some of the hack-files. I simply removed the files, since they didn't appear to have done anything yet - no extraneous users, nothing nasty done to any of the MODX files. The files in question all had the same date, several months earlier, and I definitely had updated the site within a few hours of all of the patch updates. So somewhere in between the vulnerability getting into the wild and the site upgrades, the files got inserted.

                  Two things that can be scanned for are .php files where they have no business being, like in the assets directories, and files with unusual dates where files shouldn't be changing or being added. These were obvious since these files were all of the same date, much older than the updated MODX files, and some of them were in the assets/images directory.
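
The two scans described in the last post (.php files in the assets directories, and files sharing an unusual date), as an added Python example that is not part of the original thread. The extension list, treating `assets` as the only static directory, and taking the most common script date as the upgrade date are assumptions of this example.

```python
import os
from collections import Counter
from datetime import datetime, timezone

SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumption: extensions treated as PHP code
STATIC_DIRS = ("assets",)                  # assumption: top-level dirs meant for images/css/js

def _scripts(root):
    """Yield (relative_path, mtime_date_utc) for every script file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                mtime = os.lstat(full).st_mtime
                day = datetime.fromtimestamp(mtime, timezone.utc).date()
                yield os.path.relpath(full, root).replace(os.sep, "/"), day

def scripts_in_static_dirs(root):
    """Check 1: script files inside directories that should hold only static files."""
    return sorted(p for p, _ in _scripts(root) if p.split("/")[0] in STATIC_DIRS)

def off_date_scripts(root):
    """Check 2: script files whose date differs from the dominant (upgrade) date.

    Returns (upgrade_date, {date: [paths]}). Several files sharing one odd
    date is the pattern described in the post.
    """
    found = list(_scripts(root))
    if not found:
        return None, {}
    upgrade_day = Counter(day for _, day in found).most_common(1)[0][0]
    odd = {}
    for path, day in found:
        if day != upgrade_day:
            odd.setdefault(day, []).append(path)
    return upgrade_day, {d: sorted(p) for d, p in odd.items()}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in scripts_in_static_dirs(root):
        print("script in static dir:", path)
    upgrade_day, odd = off_date_scripts(root)
    for day, paths in sorted(odd.items()):
        print(f"{day} (upgrade date {upgrade_day}): {len(paths)} file(s)")
        for path in paths:
            print("   ", path)
```

Installed extras can legitimately place connector scripts under assets/components, so review each hit before deleting it. Modification times can be reset by whoever wrote the file, so a clean result from the date check is inconclusive.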