Question for people whose sites were hacked

@chrisandy -- Thanks. Did you have an .htaccess file on site 2 that prevented outside access to the core?

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)

Quote from: jcdm at Jul 29, 2018, 04:39 AM

Is there no way to receive email updates of security issues currently?

Emails were sent to the list you can sign up for here: https://modx.com/insider-subscribe/

Joining that would be the best bet for the short term.

Awesome, thanks! This is better than watching the forum like a hawk!

Quote from: BobRay at Jul 29, 2018, 09:27 PM

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack....

My point exactly!

Especially if the Gallery's compromised file needed the MODX connectors' folder.

@wingnutty ... better than watching the forum like a hawk!

LOL

Should sites implemented on MODX Cloud be hardened by default or at least give the option of hard or soft?

Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?

Quote from: sparkyhd at Jul 30, 2018, 02:19 PM

Should sites implemented on MODX Cloud be hardened by default or at least give the option of hard or soft?

Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?

Maybe we can send the modx cloud a letter about it ?

Quote from: BobRay at Jul 29, 2018, 09:27 PM

@chrisandy -- Thanks. Did you have an .htaccess file on site 2 that prevented outside access to the core?

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)

@BobRay, I've had sites hacked on 2.6.4 AND 2.6.5, presumably by the same bot. Admittedly, I didnt have the core moved/renamed, but I did have an htaccess file in the core.

EDIT: I did have gallery installed, btw. [ed. note: thetexan last edited this post 5 years, 8 months ago.]

@BobRay - sorry only just seen your reply: I don't know if there was a htaccess file in there - all happened a bit too fast.

@BobRay Putting this out here to help. I had 2.6.4 sites and 2.6.5 sites get hacked. The malware was identical, however the effects were quite different. On 2.6.4, obfuscated javascript was inserted into php files (I think only the index.php files but I'm not sure), additional php files were created, and more or less every javascript file was completely overwritten with obfuscated javascript. On 2.6.5, it appears on initial scan at least that the only thing it did was insert php into the index.php files, and create some blank index.php files in any directory that didn't have an index.php. On all the sites, there was an htaccess file in the core. I have yet to find a corrupted js file on the 2.6.5 hack. All had gallery plugin installed spare one, but it was running a pre 2.6.4 version of modx.

Quote from: BobRay at Jul 29, 2018, 09:27 PM

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)

Hi Bob,

In an attempt to fix one of the Modx sites I handle, I rolled the site back to pre-hack then took only the /assets/ and DB. Moved to a new server installed a fresh version of Modx upgraded it to 2.6.5-pl. Hardened it following the Modx documentation then inserted the assets and uploaded the DB to the server. No gallery extra installed at any point in the sites lifetime.

Currently trying to figure out how they hacked the site again, possibly there was a backdoor already in the assets folder which I missed. I'm still trying to figure it all out but there could be something else but I will update when I find the cause.

Thanks

I checked the backup I took and files managed to piggy back via the assets, so I essentially gave the bot/hacker a backdoor into my site.

However just to assist Bob a bit, even from me doing this nothing in the /core/ has been affected due to Modx hardening, so I highly recommend people complete the hardening.

For anyone still struggling with the hack I highly recommend they fully check their backups in case they have also missed files.