    • 32391
    • 37 Posts
    Hi,
    Title says it all. Is there any guide available for fixing the hacked sites?
      • 38783
      • 571 Posts
      Sorry to hear you have come back to that.

      If possible the safest option is to restore from a backup prior to 18th July.

      Then use Bob Ray's Upgrade MODX extra to upgrade to the latest version.
      UpgradeMODX 1.5.5-pl
      https://modx.com/extras/package/upgrademodx

      If possible it is wise to make your sites as secure as possible by following these guidelines
      Hardening MODX Revolution | MODX Revolution
      https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

      There is also a discussion about further protection on the MODX Slack Community
      https://modxcommunity.slack.com/
        If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

        email: [email protected] | website: https://andytough.com
        • 53161
        • 130 Posts
        Which version were the websites? If they were below 2.5.x and no patches were added, maybe that's why.
        Follow Andy's instructions and you should be fine.
          • 36799
          • 40 Posts
          Feel for you mate - I've had two hacked and it's been a nightmare getting the sites back even with backup restores, as it would seem some of the hacked files were somehow date-time stamped with earlier dates than the hack, along with a whole load of other issues and glitches.

          Have to say MODX Upgrade has been great on other non-hacked sites.

          I used https://sitecheck.sucuri.net/ to double check that I'd cleaned the files after what the server hosting company advised.
            • 32391
            • 37 Posts
            Thanks for the replies. Deep breaths...
              • 33379
              • 110 Posts
              I have had 9 out of 49 sites hacked. Luckily most of them had decent backups, but you have to scrape your server space first and make sure you are completely replacing the site rather than a "merge files" update.

              If you have to clean a site manually do the following:

              1. delete the obviously added files
              2. go through all .php and .js files to look for either injected lines of code (usually at the top), or totally replaced code and restore to original (like jQuery.js etc.)
              3. look for added index.php files in directories that shouldn't have them and delete them.
              4. If you've used any other stuff like Foundation/Bootstrap framework etc. check those files too, this hack gets into everything!
              5. Once you are sure the site is clean, make a backup straight away, I had one site hacked twice!

              I feel your pain, good luck!
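
Added example, not part of the thread: one way to carry out steps 1 to 3 of the manual clean-up above is to compare the live web root against a known-clean copy (a pre-hack backup, or an unpacked archive of the same release) by content hash, since an earlier post reports that timestamps on hacked files could not be trusted. The function names and the two directory arguments are assumptions of this example.

```python
import hashlib
import os
import sys

SCAN_EXT = (".php", ".js")  # file types the post above says to go through


def sha256_file(path):
    """Hash file contents in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map relative path -> SHA-256 for every .php/.js file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                full = os.path.join(dirpath, name)
                hashes[os.path.relpath(full, root)] = sha256_file(full)
    return hashes


def audit(site_root, clean_root):
    """Compare the live site with a known-clean copy (assumed same release).

    Returns (added, modified, added_index) as lists of relative paths.
    Contents are compared, not mtimes, since timestamps may be back-dated.
    """
    site, clean = index_tree(site_root), index_tree(clean_root)
    added = sorted(p for p in site if p not in clean)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    added_index = [p for p in added if os.path.basename(p).lower() == "index.php"]
    return added, modified, added_index


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py SITE_ROOT CLEAN_ROOT")
    added, modified, added_index = audit(sys.argv[1], sys.argv[2])
    for label, paths in (("ADDED", added), ("MODIFIED", modified),
                         ("ADDED index.php", added_index)):
        for path in paths:
            print(f"{label}: {path}")
```

Files that legitimately differ from the reference copy (site configuration, installed extras, your own templates and scripts) will also be listed and need a manual look before anything is deleted.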
                • 53161
                • 130 Posts
                Quote from: gavinbaylis at Jul 25, 2018, 03:58 PM
                Feel for you mate - I've had two hacked and it's been a nightmare getting the sites back even with backup restores, as it would seem some of the hacked files were somehow date-time stamped with earlier dates than the hack, along with a whole load of other issues and glitches.

                Have to say MODX Upgrade has been great on other non-hacked sites.

                I used https://sitecheck.sucuri.net/ to double check that I'd cleaned the files after what the server hosting company advised.

                ^^ Good tool. If you don't have backups and aren't a magician with the shell I guess either complete re-install or call the Sucuri guys.
                  • 6228
                  • 249 Posts
                  I've had one of my 10+ Modx sites hacked through this most recent exploit. The attacker absolutely trashed my site - overwriting every single javascript file with malware and infecting every single .php file. One of the worst hacks I've ever seen.

                  Remediating was straightforward - after verifying what happened by checking log files, I wiped the entire web directory and restored from remote backup.

                  I can't stress enough the need to have thorough and frequent backups - daily/weekly including your database. They will save your neck, and possibly save you from losing a customer or worse, a lawsuit.
                    lo9on.com

                    MODx Evolution/Revolution | Remote Desktop Training | Development
                    • 39827
                    • 42 Posts
                    Hi Wilbo,

                    We have had like 5 sites hacked in a short time period. Backups were what saved us. This year we started leaving hosts that don't keep backups going back 14 days minimum.

                    I have seen hacks in Modx getting 1 or 2 websites, but the current hack is very aggressive and large. Never seen before on Modx.
                    The shocking fact is that views concerning this on the Modx forums are very low. Most Modx owners are not aware of what is going on. (at own risk)

                    I left 2 sites without updating Gallery. They were hacked within 1-2 days after the 2.6.5 update. Don't forget to update Gallery to 1.7.1.

                    Good luck, Voklee