Ok, thank you for the hint!
I wasn't aware of the fact, that
plugin code is stored directly into the database and
therefore the database can (and will probably) be corrupted after a hack.
I thought all (core and plugin) code is stored in files, therefore I guessed the database would not be affected... I was wrong!
EvoCheck found malicious code in TinyMCE Plugin (they duplicated the Plugin, adding some "eval(base64_decode(" after the "end plugin code" comment *smile* and deactivated the original plugin).
I'm going to do a "clean install" of Evo 1.2 as @lusemodx suggested, to be sure, that all files are clean. Inserting the "personal" files into /assests/ will be needed but not to much work to do.
The problem remains what to do with the database. I see two possibilities to proceed:
(1) I'd feel better if I could
start with a fresh clean database too, but then I need a way to duplicate at least the site's content from the original (which would leave me with the need to copy templates, chunks, snippets, users, ...? manually but this would be ok). Can I export certain tables via phpMyAdmin and reimport them into the new database after the fresh install? Which tables would be needed? Is there any description of this kind of workflow out there (I coudn't find any)?
(2) The other option is to
clean my database and proceed with that one. Do you think that I'm save enough if EvoCheck does not report any further suspicious code inside the database? In that case: is it possible to do a "clean install" using an existing database, or do I need to use a new database, overwriting the whole new database with a dump of the old one after the installation (as described for moving MODx to another server)?
Last but not least: we are
off topic here - I didn't know which direction my question would take...
There seem to be other users facing similar problems this time: maybe I should change this thread to something like "Evo 1.1: steps after beeing hacked" and discuss the friendly URL issue later in a new thread (if the issue remains)? What would you suggest as "best practice" in such a case?
Edit:
Friendly URLs work fine on a clean install. My Evo 1.2 was an upgrade coming from a hacked 1.1 - somthing must have gone wrong there. Sorry!
I think this thread should be closed, leaving the "how to proceed" question to be discussed
here.
I'll mark this post as answer, but the reward should go to iusemodx and Nicola (Banzai) - thank you!
[ed. note: martin.lindenlauf last edited this post 7 years, 4 months ago.]