    • 36687
    • 24 Posts
    My Evo 1.1 site was hacked last week before I could upgrade to 1.2. I was able to upgrade to 1.2, deleted the siteCache.idx.php file and everything was working again. I couldn't get evocheck to work - my browser would just display the script instead of executing it.

    Now today, I see that the site is hacked again. I must have missed something. Using phpMyAdmin, I went into my database and checked the plugincode for each of my plugins in the table modx_site_plugins. I found two plugins that had something like this, "eval(gzuncompress(base64_decode(str_rot13('rWmIsKg72fn299..." One was tinyMCE which I deleted. The other was the Core Services. I can't find a way to get the correct code for this so assume I need to reinstall Modx to overwrite the Core Services record.

    I tried to re-upload the Evo 1.2 files and run install. The only option that I can use is Advanced Upgrade. I enter my database info and both the connection and database check pass. However, when I click on next, I get, "You need to enter a password for the system admin account". I have no idea where to go from here. Any help would be greatly appreciated.
      • 13226
      • 953 Posts
      There isn't such a thing as Core Services in Evo - simply delete it.

      Your best bet is to delete everything on the server - sounds radical, but it ensures everything that was modified by the hacker is removed.

      Now back up your database and then clean it as well as you can. Start by using the following queries:

      SELECT * FROM modx_site_plugins WHERE plugincode LIKE '%base64%'


      SELECT * FROM modx_site_plugins WHERE plugincode LIKE '%(128/2)%'


      Change "modx_" to your table prefix if different.

      Once you have cleaned the database, upload the new version of Evo and install it as normal, in update mode.

      Then, once it's working, add your images, files, CSS etc. back into the newly created site - after checking them of course.
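The two LIKE queries in the reply above match on a substring, so they also return harmless code that merely mentions base64. The following Python is an added example, not part of the original thread: it triages exported `modx_site_plugins` rows and separates the `eval(...)` decoder chain quoted in the first post from weaker substring hits. The `name` column, the `gzinflate` entry, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import re

# PHP decoders seen in the snippet quoted in the thread, plus gzinflate
# (an assumption: a sibling of gzuncompress, not mentioned on the page).
DECODERS = ("base64_decode", "gzuncompress", "str_rot13", "gzinflate")
# eval( wrapped directly around one or more decoder calls.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*(?:(?:%s)\s*\(\s*)+" % "|".join(DECODERS), re.IGNORECASE)
# Substrings matched by the two LIKE queries in the reply.
LIKE_MARKERS = ("base64", "(128/2)")
# A long unbroken run of base64-alphabet characters (encoded payload body).
BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")


def scan_code(code):
    """Return (severity, reasons) for one stored plugincode value."""
    chain = EVAL_CHAIN.search(code)
    reasons = ["eval-decoder-chain"] if chain else []
    lowered = code.lower()
    reasons += ["like:" + m for m in LIKE_MARKERS if m in lowered]
    if BLOB.search(code):
        reasons.append("long-encoded-blob")
    if chain:
        return "high", reasons
    return ("review" if reasons else "clean"), reasons


def scan_rows(rows):
    """rows: iterable of (id, name, plugincode); returns non-clean findings."""
    findings = []
    for row_id, name, code in rows:
        severity, reasons = scan_code(code or "")
        if severity != "clean":
            findings.append((row_id, name, severity, reasons))
    return findings


# Constructed sample rows (not real site data); the payload is a placeholder.
SAMPLE_ROWS = [
    (1, "ExamplePlugin", "$e = &$modx->Event; return;"),
    (2, "Core Services",
     "eval(gzuncompress(base64_decode(str_rot13('" + "A" * 150 + "'))));"),
    (3, "ImageEmbed", "return 'data:image/png;base64,' . base64_encode($bytes);"),
    (4, "Unknown", "$n = (128/2);"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Rows marked `review` (3 and 4 here) are the ones the LIKE queries would also return and still need a manual read; only row 2 carries the executable decoder chain.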
        • 36687
        • 24 Posts
        Thanks lusemodx,

        I did delete the rogue record and searched the rest of the database per your instructions. Nothing found. I did then reinstall modx and everything is working again. I really appreciate the help.
          • 33238
          • 388 Posts
          Mate, if the web was hacked a week ago, just upload a backup from before, then update the ModX. That should work.
            --
            ysanmiguel.com