I've been working on a duplicated MODX site. I generally re-open my browsers after hibernating/restarting with all tabs open and my MODX sessions reconnect via cookies.
Today after clearing all cookies and rebooting I couldn't log back in to my duplicate MODX site. I compared the password in the duplicate site database with the password in the live site database and they are different (should be the same).
In the db table modx_users the values for salt were still the same in both sites, and both values for hash_class are hashing.modPBKDF2.
1. I would like to decrypt the new password to see if it is recognisable (i.e. did I change it, or was it malicious). Is it possible to do this?
2. Is there any log entry anywhere for changing a password in any of the normal ways, so I can see when/how this was done?
3. If malicious, could this have been done directly in phpMyAdmin?
EDIT: I've altered this Q to make it more concise.
[ed. note: Gav last edited this post 3 years, 11 months ago.]
1. No, password hashes are one-way, so there's no way to convert a hash to a password.
2. If the change was made in the Manager, it might be in the manager actions log (modx_manager_log). The 'action' field is in plain text. The 'user' field contains the ID of the user who did it, and the 'occurred' field is a date (iirc, as a unix timestamp).
3. Yes, it could be done in phpMyAdmin by cutting and pasting the values from another MODX install's DB.
What version of MODX are you using?
In phpMyAdmin, look for a plugin named core_services or something similar (or any plugin you didn't install). Also look for extra or new users in the users table.
I'm on 2.3.5.
No mention of password change in Manage > Reports > Manager Actions. Time to tighten up security methinks.
IIRC, 2.3.5 has some security issues, so an upgrade is definitely in order. If the hacker has left a back door, though, that may not be enough. Be sure to check for extra plugins you didn't install and take a close look at index.php in the root and .htaccess.
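Relating to answer 1 above (an added example, not part of any post in this thread): the hash cannot be reversed, but passwords you might have set yourself can be run through the same derivation with the row's salt and compared with the stored value. The iteration count, key length, algorithm and base64 output are assumed modPBKDF2 defaults to confirm against the hashing class in your own install; the salt, passwords and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumed modPBKDF2 defaults; confirm them in your install's hashing class.
ITERATIONS = 1000
KEY_LENGTH = 32
ALGORITHM = "sha256"


def modx_pbkdf2(password: str, salt: str) -> str:
    """Derive the base64 string expected in modx_users.password."""
    derived = hashlib.pbkdf2_hmac(
        ALGORITHM,
        password.encode("utf-8"),
        salt.encode("utf-8"),
        ITERATIONS,
        dklen=KEY_LENGTH,
    )
    return base64.b64encode(derived).decode("ascii")


def matching_candidate(stored_hash: str, salt: str, candidates):
    """Return the first of your own candidate passwords that reproduces
    stored_hash, or None if none of them does."""
    wanted = stored_hash.strip().encode("utf-8")
    for candidate in candidates:
        derived = modx_pbkdf2(candidate, salt).encode("utf-8")
        if hmac.compare_digest(derived, wanted):
            return candidate
    return None


def demo():
    # Constructed sample row: in practice copy salt and password from the
    # duplicate site's modx_users row for your own account.
    salt = "constructed-salt-0123"
    stored = modx_pbkdf2("Example-Pass-2", salt)
    mine = ["Example-Pass-1", "Example-Pass-2", "Example-Pass-3"]
    return matching_candidate(stored, salt, mine)


if __name__ == "__main__":
    hit = demo()
    print("changed by me, matches:" if hit else "no known password matches", hit)
```

If none of your own passwords matches, that supports treating the change as unauthorised and continuing with the plugin, user table, index.php and .htaccess checks suggested in the replies.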