@chrisandy -- Thanks. Did you have an .htaccess file on site 2 that prevented outside access to the core?
My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)
Quote from: BobRay at Jul 29, 2018, 09:27 PM
My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack....
My point exactly!
Especially if the Gallery's compromised file needed the MODX connectors' folder.
@wingnutty ... better than watching the forum like a hawk!
LOL
TinymceWrapper: Complete back/frontend content solution.
Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
Should sites implemented on MODX Cloud be hardened by default or at least give the option of hard or soft?
Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?
@BobRay - sorry, only just seen your reply: I don't know if there was an .htaccess file in there - it all happened a bit too fast.
@BobRay Putting this out here to help. I had 2.6.4 sites and 2.6.5 sites get hacked. The malware was identical; however, the effects were quite different. On 2.6.4, obfuscated JavaScript was inserted into PHP files (I think only the index.php files, but I'm not sure), additional PHP files were created, and more or less every JavaScript file was completely overwritten with obfuscated JavaScript. On 2.6.5, it appears on initial scan at least that the only thing it did was insert PHP into the index.php files and create some blank index.php files in any directory that didn't have an index.php. On all the sites, there was an .htaccess file in the core. I have yet to find a corrupted JS file on the 2.6.5 hack. All had the Gallery plugin installed spare one, but it was running a pre-2.6.4 version of MODX.
I checked the backup I took and files managed to piggyback via the assets, so I essentially gave the bot/hacker a backdoor into my site.
However, just to assist Bob a bit: even from me doing this, nothing in the /core/ has been affected due to MODX hardening, so I highly recommend people complete the hardening.
For anyone still struggling with the hack I highly recommend they fully check their backups in case they have also missed files.
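The backup check recommended above, as an added example that is not code from anyone in this thread: it hashes a pristine MODX release tree and a backup of the same version, lists files that were added or modified, and flags empty index.php files (one of the indicators described earlier in the thread). The two trees and their contents are constructed sample data, and IGNORE_PREFIXES is an assumption about paths that legitimately differ between installs.

```python
"""Compare a MODX backup against a pristine release tree of the same version."""
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ between installs (assumption; extend per site).
IGNORE_PREFIXES = ("core/cache/", "core/config/")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each relative file path (posix form) under root to its SHA-256."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if not rel.startswith(IGNORE_PREFIXES):
                out[rel] = sha256_of(p)
    return out

def diff_trees(pristine: Path, suspect: Path) -> dict:
    """Files present only in the backup, files whose hash changed, and empty index.php files."""
    base, other = hash_tree(pristine), hash_tree(suspect)
    added = sorted(set(other) - set(base))
    modified = sorted(k for k in base if k in other and base[k] != other[k])
    empty_index = sorted(k for k in other
                         if k.rsplit("/", 1)[-1] == "index.php"
                         and (suspect / k).stat().st_size == 0)
    return {"added": added, "modified": modified, "empty_index_php": empty_index}

def demo() -> dict:
    """Build two small constructed trees (not a real install) and diff them."""
    tmp = Path(tempfile.mkdtemp())
    pristine, suspect = tmp / "pristine", tmp / "backup"
    for root in (pristine, suspect):
        (root / "assets/js").mkdir(parents=True)
        (root / "core/cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'core/config/config.inc.php';\n")
        (root / "assets/js/site.js").write_text("function ready() {}\n")
        (root / "core/cache/x.php").write_text("cache\n")  # ignored by prefix
    # Constructed "compromised" backup: altered index.php, a dropped PHP file, an empty index.php.
    (suspect / "index.php").write_text("<?php /* constructed marker */ require 'core/config/config.inc.php';\n")
    (suspect / "assets/uploads").mkdir()
    (suspect / "assets/uploads/upload.php").write_text("<?php // constructed dropped file\n")
    (suspect / "assets/index.php").write_text("")
    return diff_trees(pristine, suspect)

if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Site-specific files (custom templates, uploads) will show up under "added", so review that list against what you know you put there rather than treating every entry as malicious.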