    Hi!

    My site was hacked today. Someone rewrote my menu links with links to another domain. This is not the first time. It happened 3 or 4 times before. I'd always solved it by cleaning the cache, but the client and my boss want a final solution. They are so angry.

    Permissions in my cache directory are 755 now.

    Any suggestions?

    This question has been answered by markh. See the first response.

      Mark Hamstra Reply #2, 7 years ago
      Hello! To my knowledge there are no known vulnerabilities in 2.5.5 at this time. When you mention you solved it by "cleaning cache", that makes me wonder if you might be leaving an actual vulnerability/shell/ in place, which could explain why it keeps happening.

      Also when you say they "rewrite my menu links with links to other domain", are the menu links still pointing to the right path, just on a wrong domain? If so, you might just need to make sure that the
      <base href="[[!++site_url]]">
      tag in your site's header is uncached. If you leave that cached, and your server will respond with your site no matter the domain used to access its IP, it's rather easy for what's called "cache poisoning" to occur. That's not a hack, just poor configuration, and luckily quite easy to solve. Uncaching the site url in the base tag, and additionally using htaccess/nginx rewrites to force the right domain to be used will prevent that from happening again.
        Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

        Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
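
The "force the right domain" half of the answer above, as an added nginx example (not from the thread or from MODX's own files). It assumes the canonical host is www.example.com, the site root is /var/www/modx, and TLS is in use; the names and certificate paths are placeholders.

```nginx
# Catch-all: a request whose Host header matches no other server block lands
# here, so it is never rendered (and cached) by the MODX site.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx 1.19.4+: refuse TLS for unknown names
    return 444;                # nginx-specific: close without any response
}

# Names you own: plain HTTP is redirected to the one canonical URL.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domains
    return 301 https://www.example.com$request_uri;
}

# Canonical site: the only block that ever reaches MODX.
server {
    listen 443 ssl;
    server_name www.example.com;                          # placeholder
    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    root  /var/www/modx;                                  # placeholder path
    index index.php;

    # The site's existing MODX location and PHP-FPM blocks stay here unchanged.
}
```

Pages cached before the change still carry whatever domain was stored in them, so clear the MODX cache once after deploying it.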
        Quote from: markh at Mar 29, 2017, 09:41 PM
        Hello! To my knowledge there are no known vulnerabilities in 2.5.5 at this time. When you mention you solved it by "cleaning cache", that makes me wonder if you might be leaving an actual vulnerability/shell/ in place, which could explain why it keeps happening.

        Also when you say they "rewrite my menu links with links to other domain", are the menu links still pointing to the right path, just on a wrong domain? If so, you might just need to make sure that the
        <base href="[[!++site_url]]">
        tag in your site's header is uncached. If you leave that cached, and your server will respond with your site no matter the domain used to access its IP, it's rather easy for what's called "cache poisoning" to occur. That's not a hack, just poor configuration, and luckily quite easy to solve. Uncaching the site url in the base tag, and additionally using htaccess/nginx rewrites to force the right domain to be used will prevent that from happening again.


        Thank you so much!! I have another site that has the same problem because the other developer uses the IP instead of the domain to work with, and I uncached site_url in the base tag to prevent this.

        I didn't think about having the same problem because the other domain is a Russian domain. I applied your advice!! Thank you so much again!!
        • Mark Hamstra Reply #4, 7 years ago
          Glad I could help :)