@chrisandy -- Thanks. Did you have an .htaccess file on site 2 that prevented outside access to the core?
My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)
Quote from: BobRay at Jul 29, 2018, 09:27 PM
My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack....
My point exactly!
Especially if the Gallery's compromised file needed the MODX connectors' folder.
@wingnutty ... better than watching the forum like a hawk!
: Complete back/frontend content solution.
Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
Should sites implemented on MODX Cloud be hardened by default or at least give the option of hard or soft?
Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?
@BobRay - sorry, only just seen your reply: I don't know if there was an .htaccess file in there - all happened a bit too fast.
I checked the backup I took and files managed to piggyback via the assets, so I essentially gave the bot/hacker a backdoor into my site.
However, just to assist Bob a bit, even from me doing this nothing in the /core/ has been affected due to MODX hardening, so I highly recommend people complete the hardening.
For anyone still struggling with the hack I highly recommend they fully check their backups in case they have also missed files.