I have a website that's been subject to a series of attacks. I've tried cleanups (very detailed searches and deleting old files of all sorts) and password changes and am currently up to date with Evo 1.21.
In part the hackers can replace my index.php file, but I'm very careful to check this file is correct and we also get warnings of a change. I've checked my FTP logs and they don't seem to be getting in that way. I've also checked my access logs, and while people try to connect to WordPress (which I don't have), I don't see any access to rogue PHP files.
I don't believe the hackers can access the CMS directly. I did find some errors with a file at:
assets/cache/siteManager.php(2) that doesn't exist but it doesn't mean it didn't temporarily.
But here's the final puzzle. Even when I delete the cache this hack lasts maybe an hour, or as many as three hours and goes away. The CMS page itself seems to be still correct.
So for instance the page http://xxxxx/live appears to be hacked, but if I put it as http://xxxxx/live? (with a question mark at the end) the correct page appears. That's also true if I copy the page and produce a new one at a different address. The hacked live page seems to be a static HTML page that's being served instead of the one from my CMS, and I simply don't understand where it is or how to get rid of it.
Any help in how to even get started in resolving this problem would be much appreciated, as I'm at the end of my knowledge here. I can't even find any mention of this kind of hack where the CMS page is replaced rather than hacked from within MODX.
Mark