    • 53657
    • 1 Posts
    Hi there

    One of my MODX Evo installs is hacked all the time.

    I have to clean these files at least once a week:
    /assets/images/accesson.php
    /assets/images/customizer.php
    /assets/images/css.php
    /assets/images/dump.php

    These files are file explorers, etc.

    I updated to 1.2.1, then disabled all admin users, but the problem persists.

    Is anyone here having the same issue, or does anyone have experience tracing how these files were uploaded?

    Thanks
      • 11798
      • 43 Posts
      Hello Stephan,

      I had and still have the same problem with a few of my sites running this version. At first it seemed the attackers successfully posted something using "index-ajax.php" to get access rights, so I renamed that file. But later, after disinfection, the files reappeared. Obviously "accesson.php" seems to be the key file for their scripts. I erased the content of that file and restricted the web server's execution permissions. Well, that's more a temporary hack than a solution, but it works for the moment.

      During this week I contacted the developers of the new Evolution project to find out if this vulnerability is already fixed. But unfortunately, they do not answer.
      Most probably, I have to migrate to Revolution with these sites.
        • 13226
        • 953 Posts
        Guys, there are standard procedures to clean a hacked site, including dropping everything from the live server, uploading a 100% clean installation and ensuring the DB is cleaned of any corrupt snippets, plugins etc.

        Ensure that the system has no users that aren't showing in the manager, no re-named snippets or snippets that have a very similar name or misspelt name.

        Then re-install; once the new install is finished, delete all snippets, plugins and modules that are not installed or that are not going to be used.

        You can contact the DEV team directly, but you must supply all information that relates to attack dates, system errors, Evo logs etc.

        And last but not least: report this kind of issue on GitHub, not here.
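The two defensive steps that come up across this thread, watching for PHP files that reappear under an uploads-only directory such as /assets/images and comparing the live tree against a known-clean install, can be automated. The script below is an added example written for this page; it is not MODX code and not something any poster shared. The directory list, the set of PHP extensions and the manifest format are assumptions, and the sample site it builds in a temporary directory (with a dropped `accesson.php` and a tampered `index.php`, mirroring the file names reported above) is constructed so the script runs offline.

```python
"""Added example (not from the MODX forum thread): a small integrity scan for a
PHP site.  It does two things a site owner in this situation would want:
  1. flag any PHP-executable file that has appeared under directories that
     should only ever hold static uploads (e.g. assets/images), and
  2. compare every file against a SHA-256 manifest taken from a known-clean
     install, reporting files that were added, removed or changed since.
All paths and the manifest format are assumptions; the sample tree below is
constructed in a temp directory so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a typical PHP handler configuration would execute (assumed set;
# compare against your own web server's handler rules).
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Directories that should contain uploads only, never executable code
# (assumed layout; add whatever upload paths your install uses).
UPLOAD_ONLY_DIRS = ("assets/images", "assets/files")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are paths relative to root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def php_in_upload_dirs(root: Path) -> list:
    """Return relative paths of PHP-executable files inside upload-only dirs.

    Every suffix is checked, not just the last one, because some handler
    configurations will still execute a name like 'x.php.jpg'.
    """
    hits = []
    for sub in UPLOAD_ONLY_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file() and any(s.lower() in PHP_EXTENSIONS for s in p.suffixes):
                hits.append(p.relative_to(root).as_posix())
    return hits


def diff_against_manifest(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the clean-install manifest."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys()
                      if current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def _make_sample_site(root: Path, compromised: bool) -> None:
    """Constructed sample tree; the file names mirror the thread's report."""
    (root / "assets" / "images").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php /* core */")
    (root / "assets" / "images" / "logo.png").write_bytes(b"\x89PNG sample")
    if compromised:
        # Dropped web shell and a modified core file, as the thread describes.
        (root / "assets" / "images" / "accesson.php").write_text("<?php /* dropped */")
        (root / "index.php").write_text("<?php /* core */ /* tampered */")


def demo() -> dict:
    """Build a clean and a compromised copy, then run both checks on the latter."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        live = Path(tmp) / "live"
        _make_sample_site(clean, compromised=False)
        _make_sample_site(live, compromised=True)
        baseline = build_manifest(clean)  # would normally be saved as JSON
        return {
            "php_in_uploads": php_in_upload_dirs(live),
            "diff": diff_against_manifest(live, baseline),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest` once against the clean installation you upload, save the result, and re-run `diff_against_manifest` and `php_in_upload_dirs` from a cron job so a reappearing file is noticed the same hour rather than the next week. The scan is a detection aid, not a fix: it tells you which files changed and when, which is exactly the evidence the last reply asks for, but the entry point still has to be closed, and denying PHP execution under the uploads directory at the web server (as the second poster did) removes the payoff even when a file does get written there.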