Hi Bernhard,
The best plan is (as for me, according to conversation with colleagues and about 25 recently updated websites for my clients):
1) rollback MODX to any backup was made before first active attacks were detected (two weeks or older will be the best).Also you can manually check all your files, nothing extraneous should be there,here are some examples I've found only today:
https://monosnap.com/file/Q1lsnsCedjgvNxIdvAcdPqnqan4IWf#
https://monosnap.com/file/2OvbqlL1NdiOHGhvPQ7kIr4FpasP9l#
2) upgrade it up to the latest 2.6.5 version
3) The main security issue was with Gallery extra (there was problem with phpthumb connector vulnerability),so if you have it - must be updated first up to 1.7.1
4) As for other extras - of course it's good practice for all times to have actual ones for the website.
Hope that makes sense.