⚠️ Urgent! Active Attacks on MODX Revolution Sites Below Revolution 2.6.5
  • Quote from: jonasdroste at Aug 01, 2018, 08:44 PM

    It's from 16th July. Don't know what to do now... Files appear again and again. Restores don't work. Google already told me that I was hacked and lots of 404 pages appeared. What a mess!
    Have you reset all FTP and control panel passwords? Is 16th July the oldest backup you have?
    • Here is how I managed to clean my website. Did that a couple of days ago and it works.

      1. Update all packages/ plugins in ModX Manager
      2. Download all website’s files to computer and duplicate / backup that folder
      3. Be sure all files are completely downloaded and then delete all files from your server
      4. Change FTP password of your server (important!)
      5. Download latest ModX version to your computer
      6. Copy all ModX files to duplicated website’s folder and replace all files/ folders that exist
      7. Most important part! Delete everything in your duplicated website's folder that could be corrupted: also look in your own folders (e.g. images folder) - when there are files or even folders that don't belong there (e.g. index.php in images folder) or files with cryptic names like "ao49l8bg87.php" —> delete that! Sometimes files appear that look like wordpress files but have a different spelling/ spelling mistakes. If you have not installed wordpress: delete everything that isn't also in a freshly extracted modx installation folder. Also delete everything in assets folder or other remaining folders, except your own files (e.g. template's files). But be sure that in the remaining files there is no code that doesn't belong there. Mostly corrupted files have cryptic code on top like: .$eroxhb[20].$eroxhb[18].$eroxhb[29].$eroxhb[18].$eroxhb[9].$eroxhb[3].$eroxhb[10] or /*36ab4*/ @include "\057is/\150tdo\143s/w\160112\064144\070_A1\126DGB\1117F6\057www\057ena\…; If you are not sure if you should keep the file: look if it's in freshly extracted modx folder. If you cannot find the file, delete it. All plugin/ extras' folders etc. will be recreated later automatically. Don't be afraid to delete something. In case you need something you deleted: you have a backup!
      8. Make a database backup and save it on your computer. Then delete everything inside your online database. (not in the backup ;-) )
      9. Change database password (important!)
      10. In your original (corrupted) website's copy, go to "/modx/core/packages/" and copy ONLY the ZIP files (so none of the extracted folders) of your original website's folder EXCEPT core.transport.zip
      11. In your duplicated website's folder, go to "/modx/core/packages/" (there should be only the core files) and paste copied ZIP files to this folder
      12. Now you should have a completely fresh ModX Websites Setup —> upload that to your server.
      13. yourwebsite.com/setup/ —> make a new installation, but DON'T delete setup folder and remember you changed your database password
      14. Now you have a fresh install but of course your contents are gone
      15. Delete everything inside freshly installed database again
      16. Optional: check or update DB password in core/config/config.inc.php file
      17. again: yourwebsite.com/setup —> choose "Update installation" and checkmark "delete setup folder" at the end
      18. Login to ModX Manager and change all Passwords of all users (!important)
      19. Go to ModX Manager —> Packages and reinstall all Packages. I had to delete some of them and download them again because there were some installation issues. You see that when installing the package and there is no "content/ info texts" for this package.
      20. Check if some folders or files of your original website are still missing. If so, you have to check every single file, if it's corrupted, before copying them to your freshly installed ModX website
      • I wonder if your website is still clean?
        My site was infected several times now, so looks like I have to clear it more thoroughly now. So I plan to use above steps.
        But it is not clear how I recover the contents after we delete the database in step 8.
        Is there maybe a step missing after step 15?
        • This process is a lot more work than is needed.

          I'm reworking a document on this but essentially to clean sites we use the PHP Malware Scanner and Ai-Bolit to scan sites to find malicious files/shells and backdoors. Once you find the naughty files, you remove them.

          You can essentially remove the entire core and the Manager directories (if you don't use custom lexicon files). You must keep /core/components/ /core/packages/ and /core/config/config.inc.php. You'll also need to keep your config.core.php files. In /core/packages you can also delete the directories and leave the transport packages. Once those dirs are removed you should be able to fetch a clean install of MODX and use rsync to replace missing/altered files. You can then run setup in upgrade mode.

          With regard to the DB, I've not seen any SQL injections with the recent hack. I have only seen SQL injections of users and bad plugins/snippets in the hack of sites on 2.2.15 and below.
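The file-level checks described in step 7 of the cleanup list above and in this reply (compare the site tree against a freshly extracted MODX tree, leave core/components, core/packages and the config files alone, look for obfuscated code of the kind quoted in step 7) as an added, read-only example script. It is not from the thread, the MODX project or either scanner named above; the directory layout, the regexes and every sample file are constructed for illustration, and the throwaway-name rule is a heuristic that can flag legitimately named files, so treat its output as a review list, not a delete list.

```python
import re
import tempfile
from pathlib import Path

# Obfuscation markers quoted in the thread (constructed, heuristic regexes).
OBFUSCATION_PATTERNS = {
    # concatenation chains such as .$eroxhb[20].$eroxhb[18].$eroxhb[29]
    "index-chain": re.compile(r"(?:\$[A-Za-z_]\w*\[\d+\]\s*\.\s*){3,}"),
    # @include "\057is/\150tdo..." where the path is hidden with octal escapes
    "octal-include": re.compile(r"@\s*include\s*[\"'][^\"']*\\[0-7]{3}"),
}
# Throwaway names such as ao49l8bg87.php: lowercase letters and digits mixed,
# at least two of each, eight or more characters (heuristic, assumption).
RANDOM_NAME = re.compile(r"^(?=.*\d.*\d)(?=.*[a-z].*[a-z])[a-z0-9]{8,}\.php$")
# Directories that hold the site's own uploads: unknown files are normal here,
# unknown PHP files are not (the "index.php in images folder" case).
CONTENT_DIRS = ("assets",)
# Paths the reply says to keep; they legitimately differ from a clean tree.
EXPECTED_EXTRA = ("core/components/", "core/packages/",
                  "core/config/config.inc.php", "config.core.php")


def build_manifest(clean_root):
    """Relative paths of every file in a freshly extracted MODX tree."""
    root = Path(clean_root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def scan_file_content(path):
    """Names of the obfuscation patterns found in one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(text)]


def scan_tree(site_root, manifest):
    """Return [(relative_path, [reasons])] for files that need a human look."""
    root = Path(site_root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        is_php = p.suffix.lower() in (".php", ".phtml")
        reasons = []
        if rel not in manifest and not rel.startswith(EXPECTED_EXTRA):
            if rel.split("/", 1)[0] in CONTENT_DIRS:
                if is_php:
                    reasons.append("php-in-content-dir")
            else:
                reasons.append("not-in-clean-install")
        if RANDOM_NAME.match(p.name):
            reasons.append("random-name")
        if is_php:
            reasons += scan_file_content(p)
        if reasons:
            findings.append((rel, reasons))
    return findings


def _write(path, body):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body, encoding="utf-8")


def build_sample(base):
    """Write a constructed 'clean' tree and a constructed 'site' tree under base."""
    base = Path(base)
    clean_files = {  # stand-ins for a fresh download, not real MODX sources
        "index.php": "<?php require 'config.core.php';\n",
        "config.core.php": "<?php define('MODX_CORE_PATH', '/srv/modx/core/');\n",
        "manager/index.php": "<?php require '../config.core.php';\n",
        "core/model/modx/modx.class.php": "<?php class modX {}\n",
    }
    for rel, body in clean_files.items():
        _write(base / "clean" / rel, body)
    site_files = dict(clean_files)
    site_files.update({
        "assets/images/logo.png": "PNG",  # the site's own upload: fine
        "assets/images/index.php": r'<?php /*36ab4*/ @include "\057is/\150tdo\143s";' + "\n",
        "ao49l8bg87.php": "<?php // dropped file with a throwaway name\n",
        "manager/index.php": "<?php $x = $eroxhb[20].$eroxhb[18].$eroxhb[29]"
                             ".$eroxhb[18].$eroxhb[9](); require '../config.core.php';\n",
        "core/components/example/example.php": "<?php // a legitimate extra (constructed)\n",
        "core/packages/example-1.0.0-pl.transport.zip": "PK",  # kept per the reply
    })
    for rel, body in site_files.items():
        _write(base / "site" / rel, body)


def run_demo():
    """Build the sample trees, scan the site, return {path: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        manifest = build_manifest(Path(tmp) / "clean")
        return dict(scan_tree(Path(tmp) / "site", manifest))


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

On a real site, point `build_manifest` at the extracted download of the same MODX version and `scan_tree` at the web root (or the downloaded copy from step 2); the script never deletes or modifies anything, so the restore-from-backup safety net in step 7 still applies to whatever you decide to remove.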
          • FWIW, UpgradeMODX will install or replace all the MODX core files for you, though it won't delete any extra files left by the hackers and it won't touch the core/components/, core/packages, or any of the config files.
            • Quote from: Gerben at Oct 02, 2018, 01:42 PM
              I wonder if your website is still clean?
              My site was infected several times now, so looks like I have to clear it more thoroughly now. So I plan to use above steps.
              But it is not clear how I recover the contents after we delete the database in step 8.
              Is there maybe a step missing after step 15?

              Yes, all my websites are still clean. So the effort was worth it. :)