    • 38793
    • 18 Posts
    Hi,

    My host has blocked my websites due to malicious malware on the server. The same thing happened about 2 months ago, so I installed the latest MODX Revolution and linked the database to it, and all was working fine until today, or who knows when (I don't check my website often recently).

    I am thinking my database was still corrupt, which has caused the problem again. Below is the scan report from my hosting.

    ./core/model/phpthumb/phpthumb.gif.php   ->   AsPng(
    ./kanemi.info/assets/content_images/about/dirs24.php   ->   foreach ($GLOBALS[$GLOBALS[
    ./kanemi.info/assets/content_images/diff86.php   ->   base" . "64_decode"
    ./kanemi.info/assets/content_images/exhibits/diff.php   ->   base" . "64_decode"
    ./kanemi.info/assets/gallery/9/sql39.php   ->   foreach ($GLOBALS[$GLOBALS[
    ./kanemi.info/assets/gallery/menu83.php   ->   base" . "64_decode"
    ./kanemi.info/assets/templates/dnygoqzk.php   ->   foreach ($GLOBALS[$GLOBALS[
    ./kanemi.info/core/lexicon/de/hicnqsgf.php   ->   =$_COOKIE;
    ./kanemi.info/core/model/modx/processors/erbhxqpv.php   ->   foreach ($GLOBALS[$GLOBALS[
    ./kanemi.info/core/model/modx/rest/kcaarncf.php   ->   base64_decode 
    ./kanemi.info/core/model/phpthumb/phpthumb.gif.php   ->   AsPng(
    ./kanemi.info/core/packages/formit-3.0.2-pl/modSystemSetting/qefmzliv.php   ->   foreach ($GLOBALS[$GLOBALS[
    ./kanemi.info/core/packages/getresources-1.6.1-pl/preserved.php   ->   VERY LONG LINE
    ./kanemi.info/core/packages/resizer-1.0.1-pl/modSystemSetting/lvjltgoz.php   ->   base64_decode 
    ./kanemi.info/core/xpdo/om/wwwdxfpz.php   ->   base64_decode 
    ./kanemi.info/manager/min/lib/HTTP/uzsmbwmx.php   ->   base64_decode 


    When a database gets infected, is it better to just move on and start fresh, or can you clean them easily?

    thanks

    Tim

    This question has been answered by BobRay. See the first response.

      • 38793
      • 18 Posts
      Found this: https://forums.modx.com/thread/94643/how-to-clean-up-your-hacked-webspace

      Will have a look through it, but if anyone has any more advice, please share.

      Tim
        • 3749
        • 24,544 Posts
        If the database is corrupted, it was either done by a hacker who got your database username and password, or by one who uploaded a script that's convincing MODX to write bad stuff to the DB. Cleaning the DB by itself is only a temporary fix.

        Look at your Users table in the Manager to see if there's a user that shouldn't be there.

        Look for a plugin that shouldn't be there (especially one called something like Core Services).

        Compare the index.php files in the various MODX directories against ones in a clean install.

        The safest thing is to create a new install in a new directory, change the username for the MODX install, the database, cPanel, and FTP access, and move your content and files (but not those files listed above) after checking them all for malicious code.

        Most important: Keep MODX up to date!



          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
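The host's scan report in the first post and the checklist in the answer above (compare files against a clean install, check everything before moving it) can be scripted. The following is an added example, not code from the thread or from the MODX project: a Python script that hashes a live web root against a clean copy of the same MODX version to list added and modified files, then scans every file for the patterns the host's scanner reported (the `$GLOBALS[$GLOBALS[` chain, the split `base" . "64_decode"` string, `=$_COOKIE;`, `base64_decode(`, an over-long packed line) plus the usual eval-of-decoded-payload idiom. The clean and compromised trees it runs on are constructed inline with made-up file contents (the path names echo the report, but the bodies are not real MODX code); the signature names, the `LONG_LINE` threshold and the helper names are my own choices. A hit in a file that is byte-identical to the clean copy (the way phpthumb.gif.php matched `AsPng(` in the report) is vendor code to verify, not a finding, so that case is reported separately.

```python
"""Triage a possibly compromised MODX web root (added example, assumptions marked)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns taken from the host's scan report in the thread, plus the usual
# eval-of-decoded-payload idiom.  A hit is a lead to verify, not proof.
SIGNATURES = {
    "globals-chain":   re.compile(r"\$GLOBALS\[\$GLOBALS\["),
    "split-base64":    re.compile(r'base"\s*\.\s*"64_decode'),
    "base64_decode":   re.compile(r"\bbase64_decode\s*\("),
    "cookie-dispatch": re.compile(r"=\s*\$_COOKIE\s*;"),
    "eval-decode":     re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("),
}
LONG_LINE = 2000  # assumed threshold for the report's "VERY LONG LINE" (packed payloads)


def scan_file(path):
    """Return the names of every signature that matches somewhere in one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        hits.append("long-line")
    return hits


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}


def triage(clean_root, live_root):
    """Diff a live web root against a clean install of the same version by hash,
    then signature-scan every live file.  Hits in files identical to the clean
    copy are listed under hits_in_unchanged: vendor code to verify, not a finding."""
    clean, live = manifest(clean_root), manifest(live_root)
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(live) & set(clean) if live[p] != clean[p])
    hits = {}
    for rel in live:
        found = scan_file(Path(live_root) / rel)
        if found:
            hits[rel] = found
    hits_in_unchanged = sorted(p for p in hits if p in clean and p not in modified)
    return {"added": added, "missing": missing, "modified": modified,
            "hits": hits, "hits_in_unchanged": hits_in_unchanged}


def write(path, body):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body, encoding="utf-8")


def build_sample():
    """Construct a clean install and a compromised copy in a temp dir.
    All file contents are made-up stand-ins, not real MODX or extra source."""
    base = Path(tempfile.mkdtemp(prefix="modx-triage-"))
    clean, live = base / "clean", base / "live"
    vendor = {
        "index.php": "<?php\nrequire 'config.core.php';\n$modx->handleRequest();\n",
        "core/model/phpthumb/phpthumb.gif.php":
            "<?php\nfunction gif_outputAsPng($gif, $lpszFileName) { return true; }\n",
        "manager/min/lib/HTTP/Encoder.php":   # benign decode call, present in both trees
            "<?php\nfunction decode_body($b) { return base64_decode($b); }\n",
    }
    for rel, body in vendor.items():
        for root in (clean, live):
            write(root / rel, body)
    # what the attacker left behind in the live tree (constructed, mirrors the report)
    write(live / "index.php", vendor["index.php"] + "eval(base64_decode('ZWNobyAxOw=='));\n")
    write(live / "core/lexicon/de/hicnqsgf.php",
          "<?php\n$c=$_COOKIE; foreach ($GLOBALS[$GLOBALS['a']] as $k) {}\n")
    write(live / "assets/content_images/diff86.php",
          '<?php\n$f = "base" . "64_decode"; $f("...");\n')
    write(live / "core/packages/getresources-1.6.1-pl/preserved.php",
          "<?php /*" + "x" * 2500 + "*/\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_sample()
    report = triage(clean_dir, live_dir)
    for key in ("added", "modified", "missing"):
        print(f"{key}: {report[key]}")
    for rel, names in sorted(report["hits"].items()):
        note = " (identical to clean copy: verify vendor source)" if rel in report["hits_in_unchanged"] else ""
        print(f"hit {rel}: {', '.join(names)}{note}")
```

Run it for real with `triage("/path/to/clean-modx-2.x.y", "/path/to/live-copy")`, where the clean tree is extracted from the MODX release archive of the same version and the live copy is the backup pulled down from the host, not a tree served by the compromised site. Legitimate uploads and custom extras will also show up in `added`, so review that list rather than ignore it; anything in `added`, `modified` or `hits` stays out of the new install until checked, as the answer above says. The script does not look at the database: the user and plugin checks still have to be done in the Manager.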
          • 38793
          • 18 Posts
          Thanks for the advice.

          Tim