    • 5340
    • 1,624 Posts
    Hi

    I just noticed the site_url was pointing to another domain.

    I manually changed to <base href="http://www.my**site.com" /> instead of the site_url tag and it works.

    Any ideas what happened, where should I look for the hack?

    Thx
    • Hi,

      Sorry to hear about that, could you tell us more about your setup?

      Windows / Apache / and MODx Version?

      Aaron
        http://www.onesmarthost.co.uk
        UK MODX Hosting with love.
      • Check your manager/includes/config.inc.php file; this file should be set to read-only once it’s been created on installation.

          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 5340
          • 1,624 Posts
          Hi,

          I think the server was hacked not modx. Once I hardcoded the site_url everything was fine.
          PHP Version 5.1.6 Apache/2.2.6 (Fedora)/Mysql 5.0.27/Modx 1.0.0
          No warnings in modx (so config file read only)

          As I told you [(site_url)] was somehow made to show a different address. I think site_url is generated from a server variable, I think HTTP_HOST which somehow was hacked.

          Since it’s shared host anything is possible.

          I’m glad it’s working but I would like to know what happened.

          Thx
          • The $site_url is determined by the config.inc.php file. It is generated automatically from data sent by the server and stored by PHP in the $_SERVER array. This is stored in the MODx array config, which is how you can access it via [(site_url)] in your HTML and $modx->config['site_url'] in snippet code.

                // Scheme: HTTPS when the server flags it or the request arrived on $https_port
                $site_url = ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') || $_SERVER['SERVER_PORT'] == $https_port) ? 'https://' : 'http://';
                // Host name as reported by the server in $_SERVER['HTTP_HOST']
                $site_url .= $_SERVER['HTTP_HOST'];
                if ($_SERVER['SERVER_PORT'] != 80) {
                    $site_url = str_replace(':' . $_SERVER['SERVER_PORT'], '', $site_url); // remove port from HTTP_HOST
                }
                // Re-append the port only for plain HTTP on a non-default port
                $site_url .= ($_SERVER['SERVER_PORT'] == 80 || (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') || $_SERVER['SERVER_PORT'] == $https_port) ? '' : ':' . $_SERVER['SERVER_PORT'];
                $site_url .= $base_url;

            So if something is bad, it’s coming from the config.inc.php file.

            I have, however, run across sites where the server does not report the expected values, especially if the site is using PHP as CGI with some kind of suexec. If the server is not configured correctly, the SERVER array will contain values relating to the location of the PHP engine itself, rather than relating to your domain on the server. So you might get data for the actual physical server, not for your domain.
              Studying MODX in the desert - http://sottwell.com
              Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
              Join the Slack Community - http://modx.org
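One way to keep a derived site URL from following an unexpected `HTTP_HOST` value, whether it comes from a misconfigured shared server or from the request's Host header, is to accept only hostnames on a fixed list. This is an added example for PHP 7 or later, not MODX code and not part of the original posts; `build_site_url()`, `$allowedHosts` and `www.example.com` are hypothetical names.

```php
<?php
// Added example, not MODX code. build_site_url(), $allowedHosts and
// www.example.com are hypothetical names chosen for illustration.

/**
 * Build the site URL, using the reported host only if it is on an allowlist.
 * The first allowlist entry is treated as the canonical fallback host.
 */
function build_site_url(array $server, array $allowedHosts, string $baseUrl = '/', int $httpsPort = 443): string
{
    $port  = (int) ($server['SERVER_PORT'] ?? 80);
    $https = (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on')
          || $port === $httpsPort;

    // HTTP_HOST is copied from the request's Host header: normalise case
    // and strip any ":port" suffix before comparing it with the allowlist.
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    $host = preg_replace('/:\d+$/', '', $host);

    // Unknown or malformed host: log it and fall back to the canonical name.
    if (!in_array($host, $allowedHosts, true)) {
        error_log('site_url: unexpected host "' . addcslashes($host, "\0..\37\177..\377") . '"');
        $host = $allowedHosts[0];
    }

    // Append the port only when it is not the default for the scheme.
    $defaultPort = $https ? $httpsPort : 80;
    $url = ($https ? 'https://' : 'http://') . $host;
    if ($port !== $defaultPort) {
        $url .= ':' . $port;
    }
    return $url . $baseUrl;
}

// Constructed sample $_SERVER arrays (not taken from the thread).
$allowed = ['www.example.com', 'example.com'];
$samples = [
    ['HTTP_HOST' => 'www.example.com',      'SERVER_PORT' => '80'],
    ['HTTP_HOST' => 'EXAMPLE.com:8080',     'SERVER_PORT' => '8080'],
    ['HTTP_HOST' => 'other-domain.invalid', 'SERVER_PORT' => '80'],
    ['HTTP_HOST' => 'example.com', 'SERVER_PORT' => '443', 'HTTPS' => 'on'],
];
foreach ($samples as $s) {
    echo build_site_url($s, $allowed), PHP_EOL;
}
```

The third sample resolves to `http://www.example.com/` and leaves a log entry naming the rejected host, which is the record to look for when `[(site_url)]` starts showing a foreign domain.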
              • 5340
              • 1,624 Posts
              The config file has not been changed. Permission is 644

              This is so weird. I just switched back to <base href="[(site_url)]" /> and everything seems fine.

              Since there was no harm done I am happy.

              Thx
                • 26931
                • 2,314 Posts
                "Since there was no harm done I am happy"
                ...even though it’s not my site, I feel concerned :rolleyes: :grin:
                • Could have been a server/Apache misconfiguration. Not that any shared server would ever see that happen. No. Never... :tongue:
                    Ryan Thrash, MODX Co-Founder
                    Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
                    • 5340
                    • 1,624 Posts
                    You can do some research on "wantsfly.com"
                    There are some results but I could not relate.
                    • That’s a known hacker, although there is some doubt if the owner of the computer it’s coming from is actually a hacker, or just a "zombie" being used by a hacker to hack others (it’s a Windows machine with several open ports; easy to access and control). Sounds like he got into your server, then your server admin fixed the hack and blocked him.
                        Studying MODX in the desert - http://sottwell.com
                        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                        Join the Slack Community - http://modx.org