- 7 Posts
Our site has recently experienced a hack and we’ve upgraded to Modx 2.3.5.
The code was inserted before the closing </body> tag.
You can see the code when viewing the page source of the home page or subsequent pages that use the same template. Canadian viagra.
How do I find the file that was hacked to remove the code?
I've already looked at index.php and through our entire database.
Our site is ww.teco.com.au
Any help would be greatly appreciated.
[ed. note: teco_aus last edited this post 8 years, 7 months ago.]
Check your core/config/config.inc.php file. It should NOT be writable after the installation is complete, change its permissions to 444 or 644 if that won't work.
Also look for any .php files that have an older date, especially in odd places like assets/images or assets/js. There should very rarely be any .php files at all in the entire assets/ directory, although occasionally in assets/components there will be one associated with a specific component. The hack files' filenames are usually pretty stupid and obviously don't belong there.
And check your Users for unknown users.
Oh, and delete the entire core/cache/ directory to make MODX re-create all of the cache files.
No, this is done in either the index.php file (the main one), the config.inc.php file, possibly the core.config.php file in the site root, or even the .htaccess file.
If the hacker was able to create himself a Manager user, he also could have made a plugin, or added the code to the templates.
The reason we look for an odd file in a place where it doesn't belong is that this file can be accessed by the hacker to get access again even if you clean everything up.
- 70 Posts
You may wish to search through your articles, templates, chunks etc too in the db to see if there was anything "special" inserted in to those records.
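The checks suggested in the replies above (stray .php files under assets/, a writable core/config/config.inc.php, and the injected spam string in files or a database dump of templates and chunks) as one triage script. This is an added example, not code from the thread or from the MODX project; it runs against a constructed fixture tree rather than a real site, and the file names and the dump layout are assumptions.

```shell
#!/bin/sh
# Added triage example (not from the thread or MODX). Runs the three checks the
# replies describe against a MODX-style tree. The fixture below is constructed.
MARKER='Canadian viagra'   # the injected spam text mentioned in the thread

# Build a constructed MODX-like tree with one planted file, a too-open config
# and a SQL dump whose site_templates row carries the injected link.
make_fixture() {
    site="$1"
    mkdir -p "$site/assets/images" "$site/assets/components/foo" "$site/core/config"
    printf '<?php echo "planted"; ?>\n' > "$site/assets/images/.thumb.php"
    printf '<?php // legitimate component connector\n' > "$site/assets/components/foo/connector.php"
    printf '<?php $database_password = "secret";\n' > "$site/core/config/config.inc.php"
    chmod 664 "$site/core/config/config.inc.php"          # group-writable: bad
    printf "INSERT INTO modx_site_templates VALUES (1,'Base','...%s...</body>');\n" "$MARKER" > "$site/dump.sql"
}

# Check 1: PHP files under assets/, ignoring assets/components/ where a
# component may legitimately ship one. Prints each path found.
php_in_assets() {
    find "$1/assets" -type f -name '*.php' ! -path "$1/assets/components/*"
}

# Check 2: returns 0 when core/config/config.inc.php has a group or other
# write bit set (octal mode from GNU stat, BSD stat as fallback).
config_is_writable() {
    f="$1/core/config/config.inc.php"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        *[2367][0-7]|*[2367]) return 0 ;;   # write bit on group or on other
    esac
    return 1
}

# Check 3: the spam string in any file under the tree, including a SQL dump
# of templates/chunks taken with mysqldump. Prints matching paths.
find_marker() {
    grep -rl -- "$2" "$1" 2>/dev/null
}

# Stand-alone run against the constructed fixture.
run_triage() {
    site=$(mktemp -d)
    make_fixture "$site"
    echo "PHP in assets/:";   php_in_assets "$site"
    config_is_writable "$site" && echo "config.inc.php is group/other writable"
    echo "marker hits:";      find_marker "$site" "$MARKER"
    rm -rf "$site"
}
run_triage
```

On a real install, point the functions at the site root and at a fresh mysqldump of the modx_site_templates, modx_site_htmlsnippets and modx_site_plugins tables instead of the fixture.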
- 24,544 Posts
It's difficult to know the extent to which your site has been compromised, so be sure to change your cPanel, FTP, and Database credentials in addition to your MODX ones. Even then, it's possible that the server itself has been compromised, in which case the trouble may be back.
Also, to help protect your site in the future, see this:
https://rtfm.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
- 7 Posts
Hi guys,
Thanks a lot for your feedback. I've been away on leave but will go through all your suggestions this week and post any results here.
Cheers!
- 295 Posts
We have set up the following permissions on MODX 2.3.x for folders, which works fine for us.
${site_dir}/core/cache \
${site_dir}/core/export \
${site_dir}/core/packages \
${site_dir}/core/components \
${site_dir}/core/config/config.inc.php \
${site_dir}/assets \
${site_dir}/setup
All of the above folders are 0772.
We had a similar problem ages ago, but found that the hack came from cPanel, whereby somebody added a cron job. The problem is, if the hacker gains root access, then because the passwords for the database side are held in plain text, i.e. a PHP file, it would be easy for an attacker to take advantage.
Before you suspect MODX, check your environment: patch the environment, update cPanel or WHM, add an SSL certificate. Because the index has changed, I wouldn't assume that nothing else has been changed or added, i.e. cron jobs, so I would get a Linux expert in, or do what we did: create a new VPS server and migrate from the old hosting to the new hosting. It sounds very time consuming, and I assure you it was a massive headache for us....
- 7 Posts
Thanks, comp_nerd26. This whole issue has been put on the back burner after going through every index.php file on the site with no results.
We're negotiating having the entire site rebuilt.
I simply don't have enough experience to find where the hackers inserted the links to purchase Canadian viagra. I suggested to our sales team to get on board.