    My site was hacked a few days ago, running MODX 2.2.10 (I know, I know...). After I carefully cleaned it (I thought) and upgraded to MODX 2.5.2 it got hacked again, and my host's technicians say it's due to the MODX core getting compromised and recommend that I remove the "affected modules". They refer to the log below.

    [root@xxxx-xxxx logs]# grep 'POST' access_log.processed | tail -5
    XX.XX.XX.XX - - [13/Dec/2016:06:39:50 +0100] "POST /core/model/modx/modchunk.class.php HTTP/1.0" 403 1228 "http://www.mydomain.com/core/model/modx/modchunk.class.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/XX.XX.XX.XX Safari/537.36"
    XX.XX.XX.XX - - [13/Dec/2016:06:40:33 +0100] "POST /f2ab3.php HTTP/1.0" 500 17376 "http://mydomain.com/f2ab3.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/XX.XX.XX.XX"
    XX.XX.XX.XX - - [13/Dec/2016:06:41:14 +0100] "POST /assets/components/nospam/js/cache18.php HTTP/1.0" 200 245 "http://www.mydomain.com/assets/components/nospam/js/cache18.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
    XX.XX.XX.XX - - [13/Dec/2016:06:41:25 +0100] "POST /core/model/modx/jsonrpc/search1.php HTTP/1.0" 403 1228 "http://www.mydomain.com/core/model/modx/jsonrpc/search1.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
    XX.XX.XX.XX - - [13/Dec/2016:08:46:19 +0100] "POST /fltwpqc HTTP/1.1" 200 322 "http://mydomain.com/fltwpqc" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/XX.XX.XX.XX Safari/537.36"

    Can someone techie out there tell me if this means it's the "NoSpam" component (nospam-1.0-rc1) I need to remove? Is this what's making the site vulnerable in my case? Would it be safe to install nospam 1.0-pl instead? It doesn't show up as an upgrade so I haven't seen it until now; that's why I haven't installed it. I just want to be sure before I reinstall the site again, since the hack spread to the other sites on the same shared web host account ("cross site contamination").

    Are there any other components that are known to have security flaws?

    On many of my MODX sites I have a lot of old packages in the core/packages that I'm unable to remove. The Uploaded Versions tab in Components > Installer is empty (this is the case for all my sites). Is there any way of fixing this to make it easier to clean out old and possibly unsafe packages?

    I'd very much appreciate some input on this from someone with security experience. Many thanks in advance!

    -----

    EDIT: Also, my access log has been full of rows like this the last few days (I've removed the IP and the real blog post title):

    XX.XX.XX.XX - - [14/Dec/2016:09:20:34 +0100] "GET /blogg/2014/09/02/my-blog-post-title--2014/blogg/blogg/tags/blogg/blogg/tags/blogg/blogg/2014/09/02/my-blog-post-title-2014/blogg/blogg/tjanster/blogg/blogg/tjanster/blogg/blogg/tags/grafisk+profil HTTP/1.1" 404 1229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.1) Gecko/20100101 Firefox/26.0"

    What's that all about?

    This question has been answered by sketchi. See the first response.

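The triage the host's technicians did on the grep output above can be written out as a small script. The following is an added example, not code from this thread or from MODX. It assumes the Apache combined log format and a stock MODX Revolution layout in which only index.php, /manager/ and /connectors/ legitimately receive POST requests (anything under /core/ should never answer a request at all). The sample lines are constructed to mirror the posted ones, with placeholder IPs and shortened user agents.

```python
import re
from urllib.parse import urlparse

# Apache "combined" log format, as in the grep output posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that legitimately receive POSTs on a stock MODX Revolution install.
# Assumption: default manager/connectors layout, no custom front-end handlers.
ALLOWED_POST_PREFIXES = ("/index.php", "/manager/", "/connectors/")

# Directories that should never be web-reachable, let alone answer a POST.
PROTECTED_PREFIXES = ("/core/",)

# Constructed sample, modelled on the lines posted above (placeholder IPs).
SAMPLE_LOG = """
203.0.113.5 - - [13/Dec/2016:06:39:50 +0100] "POST /core/model/modx/modchunk.class.php HTTP/1.0" 403 1228 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2016:06:40:33 +0100] "POST /f2ab3.php HTTP/1.0" 500 17376 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2016:06:41:14 +0100] "POST /assets/components/nospam/js/cache18.php HTTP/1.0" 200 245 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2016:06:41:25 +0100] "POST /core/model/modx/jsonrpc/search1.php HTTP/1.0" 403 1228 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2016:08:46:19 +0100] "POST /fltwpqc HTTP/1.1" 200 322 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2016:09:01:02 +0100] "POST /connectors/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2016:09:01:05 +0100] "GET /index.php?id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a parsed request is suspicious (empty list if none)."""
    reasons = []
    if entry["method"] != "POST":
        return reasons
    path = urlparse(entry["path"]).path  # drop any query string
    if path.startswith(PROTECTED_PREFIXES):
        reasons.append("POST to protected core path")
    if path.endswith(".php") and not path.startswith(ALLOWED_POST_PREFIXES):
        reasons.append("POST to PHP file outside known entry points")
    if entry["status"] == "200" and not path.startswith(ALLOWED_POST_PREFIXES):
        # A 200 means the server actually executed whatever sits at that path.
        reasons.append("unexpected path accepted the POST (200)")
    return reasons


def triage(lines):
    """Return (path, status, reasons) for every suspicious request in the log."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((urlparse(entry["path"]).path, entry["status"], reasons))
    return flagged


if __name__ == "__main__":
    for path, status, reasons in triage(SAMPLE_LOG):
        print(f"{status} {path}: {'; '.join(reasons)}")
```

What the status codes in the posted log tell you: the 403 on the two /core/ paths means the web server refused those requests before PHP ran, whereas the 200 on assets/components/nospam/js/cache18.php means the file at that path executed and answered. That is why the file under assets/ deserves attention regardless of which extra's directory it happens to sit in; a directory being named after a legitimate package says nothing about the files inside it.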
      I haven't used the nospam extra before so unsure about that. Certainly try getting rid of it if you suspect it.

      In terms of the logs above, had you previously removed the files they refer to?
      With the exception of modchunk.class.php the rest are bogus. Perhaps even modchunk was changed?
        I'm lead developer at Digital Penguin Creative Studio in Hong Kong. https://www.digitalpenguin.hk
        Check out the MODX tutorial series on my blog at https://www.hkwebdeveloper.com
        These files were found on the site that was hacked yesterday:

        assets/components/nospam/js/cache18.php
        core/model/modx/jsonrpc/search1.php

        This was on the site when it was hacked a few days ago but not this time around:

        f2ab3.php

        modchunk.class.php on the site that was hacked yesterday looks identical to the one in the MODX 2.5.2 download. When the site was hacked a few days ago, however, modchunk.class.php had loads of gibberish code at the top!

        I'm pretty sure the above files were removed after the first hacking.
        Quote from: sketchi at Dec 14, 2016, 09:00 AM
          These files were found on the site that was hacked yesterday:

          If your site shows new hacked files (PHP shells) every day, you have not found all hacked files in your installation. You can't be sure that your hosting provider detects all those files; you have to check that manually.
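Jako's point, that a host's scan may miss dropped files and the tree has to be checked by hand, is what the following added example automates. It is not code from the thread or from MODX. It hashes every file under a live webroot and under an unpacked clean release of the same version, then reports core files that differ from the release, files the release never shipped (with executable PHP files listed separately) and files that are missing. The core/cache/ ignore prefix and the demo fixture (two temporary directories with constructed content) are assumptions; on a real run the two paths point at the unpacked download and the webroot, and site-specific files such as the config will show up as modified or unknown and need manual review.

```python
import hashlib
import os
import shutil
import tempfile

# Generated directories that differ on every install and are not worth diffing.
# Assumption: stock MODX layout; extend with site-specific paths as needed.
DEFAULT_IGNORE = ("core/cache/",)


def hash_tree(root, ignore_prefixes=DEFAULT_IGNORE):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore_prefixes):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(reference_root, live_root):
    """Classify the live webroot against an unpacked clean release."""
    ref = hash_tree(reference_root)
    live = hash_tree(live_root)
    modified = sorted(p for p in live if p in ref and live[p] != ref[p])
    unknown = sorted(p for p in live if p not in ref)
    missing = sorted(p for p in ref if p not in live)
    # Files the release never shipped that the server would execute are the
    # first thing to inspect: a dropped shell does not belong to any package.
    unknown_php = [p for p in unknown if p.lower().endswith((".php", ".phtml", ".phar"))]
    return {"modified": modified, "unknown": unknown,
            "unknown_php": unknown_php, "missing": missing}


def build_demo():
    """Constructed fixture: a tiny 'release' and a 'live' copy with one altered
    core file, one file the release never shipped, and one generated cache file."""
    ref = tempfile.mkdtemp(prefix="modx-ref-")
    live = tempfile.mkdtemp(prefix="modx-live-")
    release = {
        "index.php": "<?php /* front controller */\n",
        "core/model/modx/modchunk.class.php": "<?php class modChunk {}\n",
        "assets/components/nospam/js/nospam.js": "// plugin script\n",
    }
    live_files = dict(release)
    # Same file name as the release, different content (junk prepended).
    live_files["core/model/modx/modchunk.class.php"] = "<?php /* injected junk */ class modChunk {}\n"
    # A PHP file in a package directory that no package ever shipped.
    live_files["assets/components/nospam/js/cache18.php"] = "<?php /* not part of any release */\n"
    # Legitimately generated at runtime; excluded by DEFAULT_IGNORE.
    live_files["core/cache/includes/elements/modplugin/11.include.cache.php"] = "<?php /* generated */\n"
    for root, files in ((ref, release), (live, live_files)):
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
    return ref, live


def demo():
    """Run the comparison on the constructed fixture and clean up afterwards."""
    ref, live = build_demo()
    try:
        return compare_trees(ref, live)
    finally:
        shutil.rmtree(ref)
        shutil.rmtree(live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The "unknown_php" list is the one to read first: a file such as cache18.php or search1.php sitting in a package directory looks legitimate by location alone, but it will never appear in the release tree, so a hash comparison finds it without anyone having to recognise the contents as a shell.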
            Thanks Jako, I thought I'd cleaned up things really carefully last time around – I uploaded a fresh version of 2.5.2 but I uploaded my old assets folder after I cleaned it, and the packages/components, so it's possible that something slipped through. This time I'm uploading a really old backup of most of the assets and I'll try to redownload/reinstall all components rather than trying to clean up the old ones.
              Right, I've now reinstalled the site from scratch, as I said above I would, and all of a sudden this appears in the MODX error log:

              [2016-12-14 11:40:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')
              [2016-12-14 11:40:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/xpdo/om/xpdoobject.class.php : 811) modTemplateVar: Attempt to set NOT NULL field type to NULL
              [2016-12-14 11:40:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/xpdo/om/xpdoobject.class.php : 811) modTemplateVar: Attempt to set NOT NULL field type to NULL
              [2016-12-14 11:40:27] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/xpdo/om/xpdoobject.class.php : 811) modTemplateVar: Attempt to set NOT NULL field type to NULL
              [2016-12-14 11:40:27] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:27] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:27] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')
              [2016-12-14 11:40:43] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:43] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:43] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')
              [2016-12-14 11:40:44] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:44] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:44] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php): failed to open stream: Filen eller katalogen finns inte
              [2016-12-14 11:40:46] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/cache/includes/elements/modplugin/11.include.cache.php : 2) PHP warning: include(): Failed opening '/var/www/vhosts/mydomain.com/httpdocs/core//components/nospam/nospam.plugin.php' for inclusion (include_path='.:/usr/local/php5619-cgi/pear')

              This appeared right after I installed FormIt and FormItBuilder if that makes any difference.

              Oh, and "Filen eller katalogen finns inte" means "The file or folder does not exist".

              Should I be worried?
                The nospam-related error messages now seem to have stopped after I found and removed the plugin with the same name AND uninstalled FormIt and FormItBuilder. I'm not sure which of the two made it stop.

                I now instead get errors like this:

                [2016-12-14 12:50:26] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/xpdo/om/xpdoobject.class.php : 811) modTemplateVar: Attempt to set NOT NULL field type to NULL

                And like this:

                [2016-12-14 12:42:52] (ERROR @ /var/www/vhosts/mydomain.com/httpdocs/core/xpdo/xpdo.class.php : 1259) Problem getting service quip, instance of class Quip, from path /var/www/vhosts/mydomain.com/httpdocs/core/components/quip/model/quip/

                Could both of the above be related to uninstalling Quip? Perhaps it's needed when using Articles, even if I don't use the commenting function?
                  OK, so the two error messages above have gone away, it seems, after reinstalling Quip and changing all instances of "inputTV" in my MIGX TVs to "inputTVtype".

                  There are still regular attempts to access wp-login.php in the log, but I'm hoping that will stop eventually. At some point they must realise I'm not using WordPress, right? At least one thing I've done right.

                  And, most importantly, nothing compromised so far as far as I can see. Not yet at least...