@hartmanrik
It sounds like there’s a backdoor on your webserver, as Mark suggested. Try searching your assets folder for php files. They will be named deceptively, like “logo.php”. Using grep can also help you locate malicious files.
If, after performing these tasks, you still experience the same issues, you’ll likely need to rebuild the site on a different webserver. As you say “it’s not easy” but if the other steps suggested have been tried unsuccessfully then there is no easy solution.
It can, however, be not too difficult, and even rewarding, to rebuild a site. Some things to watch for:
1. Start on a new webserver. Not a new virtual host / folder—a new server. If you’re on a cPanel server, and the server software is up-to-date, you may be ok with a new cPanel account, but the easiest would be to spin up a MODX Cloud instance.
2. Install all the Extras you had in the previous site, directly from the Extras Installer. Do not copy/paste any of them from the infected server.
3. Take a copy of your site’s database and import it to your localhost, to inspect it. There are tutorials online on how to search for malicious code. Be diligent in this. You are trying to salvage Resources (site_content), TVs (several tables required), Templates, Chunks (htmlsnippets), and likely you’ll want System Settings, and Context Settings.
4. Once you have inspected and cleaned those tables, move only those tables to your new install. Do NOT migrate snippets, plugins, nor Users in this way. Set those up from scratch in the new site, including User Groups, and Permissions.
5. The next part is tricky: migrate only good assets from your old site to the new. Two ways you can try:
5.1 Copy everything to localhost and scan/inspect for malicious files. Careful not to open/execute any files!!!
5.2 Maybe safer is to use wget to crawl your existing site pulling down only files with specific extensions, like jpg, png, etc. There are tutorials online for doing this. You can more reliably avoid bringing over php files this way. Don’t migrate font files and ico files. Scan/inspect JS files carefully!!! CSS files should be ok but I’d inspect them anyway.
At that point, if you’ve done everything above, you should be close to having a new, clean site, along with a very thorough understanding of everything that goes into it. You could do a seamless DNS cutover at that point, after testing fully that everything works. You could then back up the old site, quarantine the backup files and then delete the old webserver, never to point traffic at it again.
Hope this helps.