We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Security forensics: how to analyse an unexpectedly-changed password?

    • 10525
    • 247 Posts
    Gav Reply #1, 7 years, 6 months ago
    I've been working on a duplicated MODX site. I generally re-open my browsers after hibernating/restarting with all tabs open and my MODX sessions reconnect via cookies.

    Today after clearing all cookies and rebooting I couldn't log back in to my duplicate MODX site. I compared the password in the duplicate site database with the password in the live site database and they are different (should be the same).

    In the db table modx_users the values for salt were still the same in both sites, and both values for hash_class are hashing.modPBKDF2.

    1. I would like to decrypt the new password to see if it is recognisable (i.e. did I change it, or was it malicious). Is it posssible to do this?

    2. Is there any log entry anywhere for changing a password in any of the normal ways, so I can see when/how this was done?

    3. If malicious, could this have been done direct in phpMyAdmin?


    EDIT: I've altered this Q to make it more concise.
    [ed. note: Gav last edited this post 7 years, 6 months ago.]
      • 3749
      • 24,544 Posts
      BobRay Reply #2, 7 years, 6 months ago
      1. No, password hashes are one-way, so there's no way to convert a hash to a password.

      2. If the change was made in the Manager, it might be in the manager actions log (modx_manager_log). The 'action' field is in plain text. The 'user' field contains the ID of the user who did it, and the 'occurred' field is a date (iirc, as a unix timestamp).

      3. Yes, it could be done in PhpMyAdmin by cutting and pasting the values from another MODX install's DB.

      What version of MODX are you using.

      In PhpMyAdmin, look for a plugin named core_services or something similar (or any plugin you didn't install). Also look for extra, or new users in the user's table.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 10525
        • 247 Posts
        Gav Reply #3, 7 years, 6 months ago
        Thanks Bob.

        I'm on 2.3.5.

        No mention of password change in Manage > Reports > Manager Actions. Time to tighten up security methinks.

          • 3749
          • 24,544 Posts
          BobRay Reply #4, 7 years, 6 months ago
          IIRC, 2.3.5 has some security issues, so an upgrade is definitely in order. If the hacker has left a back door, though, that may not be enough. Be sure to check for extra plugins you didn't install and take a close look at index.php in the root and .htaccess.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting