location ~* ^/(manager|core|connectors)/ {
auth_basic "Restricted Access";
auth_basic_user_file /home/yourlogin/.htpasswd;
try_files $uri $uri/ @rewrite;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass backend-yourlogin;
}
}
☆ A M B ☆
The connectors directory was the entrypoint for the core attack, and assets/components/gallery/ for the vulnerability in Gallery 1.7.0. Having only the core moved/made inaccessible would not have prevented this particular vulnerability from being exploited.
if requests.get(
target + '/assets/components/gallery/connector.php',
verify=verify).status_code != 404:
print(Fore.GREEN + '/assets/components/gallery/connector.php - found')
url = target + '/assets/components/gallery/connector.php'
if (!defined('MODX_ASSETS_PATH')) {
$modx_assets_path= '/home/m_user/public_html/mined/gems/';
$modx_assets_url= '/mined/gems/';
define('MODX_ASSETS_PATH', $modx_assets_path);
define('MODX_ASSETS_URL', $modx_assets_url);
}
Most of the people I have run into did not harden their site. Sad! But they are learning now, the hardest way.
The owner of modhost.pro hosting, @bezumkin, has a password on all three folders: core, connectors, manager. He suffered no hack. And claims this procedure has saved him for years. Of course, I doubt he or his clients use the Gallery extra. But certainly, the core hack would not touch him with his method in place.
He says, that this passwording is more efficient than renaming the folders, which I tend to agree. I myself, have passworded my manager folder, and often have it absent from my server completely till when I want to log in again.
I wonder if MODX Cloud (which I hear got hit badlly) observes bezumkin's standard hosting practice?
https://en.modhost.pro/help/nginx
location ~* ^/(manager|core|connectors)/ { auth_basic "Restricted Access"; auth_basic_user_file /home/yourlogin/.htpasswd; try_files $uri $uri/ @rewrite; location ~ \.php$ { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass backend-yourlogin; } }
Upgrading stuff is one thing but basic preventative measures is money!
I'm really curious about this: Did any of you have the modx core renamed and moved above the web root?
@stefany
Forgive my obvious question, but how could locking your core and connectors with htaccess prevent a hack when those folders don't allow direct access off the bat?
Oh ooo, door found, no keys, no padlock, bring in the demons quick
@stefany
Forgive my obvious question, but how could locking your core and connectors with htaccess prevent a hack when those folders don't allow direct access off the bat?
Off the bat, those folders are in the web root and therefore allow sweet wholesome direct wide access. And that's precisely how the hacks worked.
They tried the direct access, and the hack script responded:
Oh ooo, door found, no keys, no padlock, bring in the demons quick
So the upgrade patches are good, but, tomorrow another hole will be found (before a new patch is made), and those folders will still be unprotected ... and then more helter-skelter all over again. It would be awful if the same species of script is used again successfully ... like being twice beaten at home!
☆ A M B ☆