    • 18399
    • 60 Posts
    I have a website that's been subject to a series of attacks. I've tried cleanups (very detailed searches and deleting old files of all sorts) and password changes and am currently up to date with Evo 1.21.

    In part, the hackers can replace my index.php file, but I'm very careful to check this file is correct and we also get warnings of a change. I've checked my ftp logs and they don't seem to be getting in that way. I've also checked my access logs, and while people try to connect to WordPress (which I don't have), I don't see any access to rogue php files.

    I don't believe the hackers can access the CMS directly. I did find some errors with a file at assets/cache/siteManager.php(2) that doesn't exist, but that doesn't mean it didn't temporarily.

    But here's the final puzzle. Even when I delete the cache, this hack lasts maybe an hour, or as many as three hours, and then goes away. The CMS page itself seems to be still correct.

    So for instance the page http://xxxxx/live appears to be hacked, but if I request it as http://xxxxx/live? (with a question mark at the end) the correct page appears. That's also true if I copy the page and produce a new one at a different address. The hacked live page seems to be a static html page that's being served instead of the one from my CMS, and I simply don't understand where it is or how to get rid of it.

    Any help in how to even get started in resolving this problem would be much appreciated, as I'm at the end of my knowledge here. I can't even find any mention of this kind of hack, where the CMS page is replaced rather than hacked from within modx.

    Mark

    This question has been answered by magzzs. See the first response.

      • 52128
      • 29 Posts
      Hi Mark,

      From my experience, it would be best to purchase a complete website security service like https://sucuri.net/. Up to last year we were attacked constantly for 3 years, and we tried changing Evo to Revolution, hosting, cloud, and a complete rebuild, but it didn't work. Since going with Sucuri it has been great: they scan your website and remove any weak files daily, and we have been secured since.

      good luck

      Magz

        • 13226
        • 953 Posts
        @Mark

        I am not sure if you are in the position to do this, but can you take down your current website and upload / install a new copy of Evo and see if that also gets hacked?

        With this I mean completely removing everything from your server and using a new DB to then install a brand new copy, possibly using the demo content.

        It would be interesting to know if your current install still has hidden code that keeps rearing its head but is at the same time very hard to track down.

        As a test base it would at least show that, if the fresh install doesn't get hacked, your current site still has hidden hacked code.

        Have you also tried using EvoCheck?
          • 18399
          • 60 Posts
          Quote from: iusemodx at Mar 27, 2017, 10:09 PM
          @Mark

          I am not sure if you are in the position to do this, but can you take down your current website and upload / install a new copy of Evo and see if that also gets hacked?


          I'm thinking I may have to do this. Or even try to move to Revo and mix up the directories too. It will take some effort.

          I did use EvoCheck. Before this I also downloaded the entire website and did checks using powerful search tools on my own computer and that seemed to catch everything.

          What I don't understand is how pages not corrupted within the Modx database are served up hacked for a few hours to the internet. I tried searching for this problem, but I couldn't find a search term that explained what was happening.

            • 13226
            • 953 Posts
            I personally see no reason whatsoever to move to Revo. The LLC boasts that Revo hasn't been hacked as many times as WordPress, but the reality is: Revo doesn't have the reach WordPress does. If it did, it would be more interesting for hackers and as such would probably be exploited more, if and when a hack is viable.

            The only benefit I see with Revo at this point is the ability to move config folders out of the root. But this is not fail-safe: if a hacker gets on the server, they can get to those folders as well.

            The problem with all open source code is the same: it can be downloaded, reviewed, and then any potential exploits can be tested.

            If you don't have a backup in this day and age then it's a major problem to get a hacked site 100% clean again.

            As mentioned in my previous post: delete the server contents, upload and install a new version, wait a couple of days whilst monitoring it and see if it gets hacked. If yes, then there's possibly a server breach; if not, then your hacked site still has dodgy code in files or in the DB.

            Side note: you could also try using CloudFlare.
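One way to do the monitoring suggested above (and to catch the index.php replacement and the stray assets/cache file Mark describes), as an added example that is not from the original thread: hash every file under the web root once on a known-clean install, then report anything added, changed or removed on each later run. The directory tree in `demo()` is constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return files added, modified or removed since the baseline manifest."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed web root: index.php is replaced and a rogue file appears under
    assets/cache, mirroring the symptoms described in the thread."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets", "cache"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // original front controller\n")
        baseline = build_manifest(root)  # taken while the install is clean

        # Simulated tampering after the baseline was recorded
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // replaced content\n")
        rogue = os.path.join(root, "assets", "cache", "siteManager.php")
        with open(rogue, "w") as fh:
            fh.write("<?php // unexpected file\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice, store the baseline manifest off the server and run the comparison from cron, since a manifest kept in the web root can be edited by whoever edited index.php.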