⚠️ Urgent! Active Attacks on MODX Revolution Sites Below Revolution 2.6.5
  • Quote from: jonasdroste at Aug 01, 2018, 08:44 PM

    It's from 16th July. Don't know what to do now... Files appear again and again. Restores don't work. Google already told me that I was hacked and lots of 404 pages appeared. What a mess!

    Have you reset all FTP and control panel passwords? Is 16th July the oldest backup you have?
    • Here is how I managed to clean my website. Did that a couple of days ago and it works.

      1. Update all packages/plugins in ModX Manager
      2. Download all the website’s files to your computer and duplicate/back up that folder
      3. Be sure all files are completely downloaded and then delete all files from your server
      4. Change the FTP password of your server (important!)
      5. Download the latest ModX version to your computer
      6. Copy all ModX files to the duplicated website’s folder and replace all files/folders that exist
      7. Most important part! Delete everything in your duplicated website’s folder that could be corrupted: also look in your own folders (e.g. images folder). When there are files or even folders that don’t belong there (e.g. index.php in images folder) or files with cryptic names like „ao49l8bg87.php“ —> delete that! Sometimes files appear that look like WordPress files but have a different spelling/spelling mistakes. If you have not installed WordPress: delete everything that isn’t also in a freshly extracted modx installation folder. Also delete everything in the assets folder or other remaining folders, except your own files (e.g. template’s files). But be sure that in the remaining files there is no code that doesn’t belong there. Mostly corrupted files have cryptic code on top like: .$eroxhb[20].$eroxhb[18].$eroxhb[29].$eroxhb[18].$eroxhb[9].$eroxhb[3].$eroxhb[10] or /*36ab4*/ @include "\057is/\150tdo\143s/w\160112\064144\070_A1\126DGB\1117F6\057www\057ena\…; If you are not sure if you should keep the file: look if it’s in the freshly extracted modx folder. If you cannot find the file, delete it. All plugin/extras folders etc. will be recreated later automatically. Don’t be afraid to delete something. In case you need something you deleted: you have a backup!
      8. Make a database backup and save it on your computer. Then delete everything inside your online database. (not in the backup ;-) )
      9. Change the database password (important!)
      10. In your original (corrupted) website’s copy, go to „/modx/core/packages/“ and copy ONLY the ZIP files (so none of the extracted folders) of your original website’s folder EXCEPT core.transport.zip
      11. In your duplicated website’s folder, go to „/modx/core/packages/“ (there should be only the core files) and paste the copied ZIP files into this folder
      12. Now you should have a completely fresh ModX website setup —> upload that to your server.
      13. yourwebsite.com/setup/ —> make a new installation, but DON’T delete the setup folder and remember you changed your database password
      14. Now you have a fresh install, but of course your contents are gone
      15. Delete everything inside the freshly installed database again
      16. Optional: check or update the DB password in the core/config/config.inc.php file
      17. Again: yourwebsite.com/setup —> choose „Update installation“ and check „delete setup folder“ at the end
      18. Log in to ModX Manager and change the passwords of all users (important!)
      19. Go to ModX Manager —> Packages and reinstall all packages. I had to delete some of them and download them again because there were some installation issues. You see that when installing the package and there is no „content/info texts“ for this package.
      20. Check if some folders or files of your original website are still missing. If so, you have to check every single file for corruption before copying it to your freshly installed ModX website
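An added triage helper for step 7 of the post above (example code, not from the thread or from MODX): it lists the files in a downloaded site copy that a freshly extracted MODX folder does not contain, and flags any file whose contents show the two obfuscation styles quoted there (a string assembled from array indexes, and an @include whose path is hidden with octal escapes). The regex shapes, the directory layout and the sample files are constructed assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern shapes built from the fragments quoted in the post: a string
# assembled from array indexes, and an @include path hidden with octal escapes.
PATTERNS = {
    "array-concat-chain": re.compile(r"(?:\$\w+\[\d+\]\s*\.\s*){4,}\$\w+\[\d+\]"),
    "octal-escaped-include": re.compile(r'@include\s*"(?:\\[0-7]{3}|[^"\\])*\\[0-7]{3}'),
}

def relative_files(root: Path) -> set:
    """Every regular file below root, as a forward-slash relative path."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def scan_file(path: Path) -> list:
    """Names of PATTERNS found in the file (latin-1: binary files never raise)."""
    text = path.read_text(encoding="latin-1")
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def triage(site: Path, clean: Path) -> dict:
    """'unknown': files absent from the fresh extract (the post's rule: delete
    unless it is your own content). 'suspicious': any file matching a pattern."""
    site_files = relative_files(site)
    unknown = sorted(site_files - relative_files(clean))
    suspicious = []
    for rel in sorted(site_files):
        hits = scan_file(site / rel)
        if hits:
            suspicious.append((rel, hits))
    return {"unknown": unknown, "suspicious": suspicious}

def build_fixture() -> tuple:
    """Constructed sample trees (not real MODX files) for a self-test."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "fresh-modx", base / "downloaded-site"
    for root in (clean, site):
        (root / "core/config").mkdir(parents=True)
    (clean / "index.php").write_text("<?php require 'core/config/config.inc.php';\n")
    # Same file in the site copy, but with an injected concatenation chain.
    (site / "index.php").write_text(
        "<?php $eroxhb='x'; $z=$eroxhb[20].$eroxhb[18].$eroxhb[29].$eroxhb[18].$eroxhb[9];\n")
    (site / "assets/images").mkdir(parents=True)
    (site / "assets/images/logo.png").write_bytes(b"\x89PNG constructed")  # own file
    (site / "assets/images/ao49l8bg87.php").write_text("<?php echo 1;\n")  # cryptic name
    (site / "assets/images/index.php").write_text(  # dropper with octal-escaped path
        '<?php /*36ab4*/ @include "\\057tmp/\\141.php"; ?>\n')
    return site, clean
```

Run `triage(*build_fixture())` to see both lists on the constructed trees; for a real cleanup, point `triage` at your downloaded copy and a fresh MODX extract, and review the "unknown" list by hand because your own content (images, templates) lands there too.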