-
Hi,
We've only had a couple of sites affected, but we happened to miss two sites' Gallery updates. They only seemed to add 2 .php files in assets/components/gallery/cache, which we have manually removed, and we updated the package. After scanning the sites over the past few days we don't see anything else flagged. Do you think this is OK, or should we restore the sites to a pre-18th backup?
Also another question! If we harden the MODX install (moving the core out of htdocs etc.), would this make upgrading (UpgradeMODX) more difficult in the future? I also see a lot of conflicting discussion on whether this would prevent attacks.
Thanks
-
From what I've seen, if you've caught it at that stage you are probably OK, but if it were me I would restore just in case.
Moving the core is now highly recommended - it won't stop a determined attack, but it may slow the attacker down or move them on to somewhere else. It doesn't affect UpgradeMODX as far as I'm aware.
Also recommended is to rename the manager, connectors and assets folders.
Password protecting folders is also being mentioned, but it's not yet known if this will hinder UpgradeMODX.
The Hardening MODX page can be found here:
https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
-
^^ I'd say restore, you never know what back-door is left hanging!
-
Quote from: stefany at Jul 31, 2018, 04:13 PM:
^^ I'd say restore, you never know what back-door is left hanging!

Second that. With this latest exploit, I've seen legitimate PHP files infected with tiny bits of malware (with the modified date not being affected, so you would never know), .htaccess files infected, and even .ico files embedded with malware. Better to wipe the home directory clean and do a full restore.
lo9on.com
MODx Evolution/Revolution | Remote Desktop Training | Development
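The indicators in the post above (PHP dropped into a cache directory, PHP hidden in non-PHP files such as .ico, .htaccess tricks, and modification dates that were not touched) can be swept for with a short script. The following is an added example written for this thread, not code from the thread, from MODX or from any of the posters; the directory names, the one-hour ctime threshold and the sample files it builds are assumptions for the demo. The timestomp check relies on the fact that on Linux the inode change time (ctime) is set by the kernel and cannot be back-dated with touch or utime, so a file whose ctime is far newer than its mtime has had its mtime reset by hand.

```python
"""Added example, not code from the thread or from MODX: sweep a web root
for the indicators described in the post above. It flags PHP files sitting
in cache/upload directories, PHP open tags hidden in non-PHP files such as
.ico, .htaccess directives that make Apache execute or prepend such files,
and files whose ctime is far newer than their mtime (a reset mtime).
Directory names, thresholds and sample files are assumptions built for the
demo, not real malware."""
import os
import re
import tempfile
import time

PHP_EXTS = {".php", ".phtml", ".php5", ".php7"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Directories where a MODX site should never carry executable PHP (assumed list).
NO_PHP_DIRS = {"cache", "uploads", "images"}
# Handler directives that route extra extensions to PHP, or prepend a file to
# every request. Hosting configs can legitimately use AddHandler too, so hits
# are triage items to review, not proof of compromise.
HTACCESS_RISKY = re.compile(
    rb"^\s*(?:AddHandler|AddType|SetHandler)\b.*php"
    rb"|^\s*php_value\s+auto_(?:pre|ap)pend_file",
    re.IGNORECASE | re.MULTILINE,
)


def scan(root, ctime_gap_seconds=3600):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parents = rel.split("/")[:-1]
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            st = os.stat(path)
            if ext in PHP_EXTS and NO_PHP_DIRS.intersection(parents):
                findings.append((rel, "php file inside cache/upload directory"))
            if ext not in PHP_EXTS and PHP_TAG.search(data):
                findings.append((rel, "php tag in non-php file"))
            if name == ".htaccess" and HTACCESS_RISKY.search(data):
                findings.append((rel, "htaccess maps other extensions to php or prepends a file"))
            # On Linux ctime changes on every inode update and cannot be set
            # with touch/utime, so a large gap means mtime was pushed back by
            # hand. On Windows st_ctime is creation time, so skip it there.
            if os.name != "nt" and st.st_ctime - st.st_mtime > ctime_gap_seconds:
                findings.append((rel, "ctime far newer than mtime (possible timestomp)"))
    return sorted(findings)


def build_demo_site():
    """Construct a throwaway web root with one clean file plus one example of
    each indicator; returns its path. All contents are constructed."""
    root = tempfile.mkdtemp(prefix="modx-scan-demo-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        return path

    put("index.php", b"<?php require 'config.core.php';\n")
    put("assets/components/gallery/cache/a1.php", b"<?php /* dropped file */\n")
    put("favicon.ico", b"\x00\x00\x01\x00" + b"<?php /* hidden in icon */ ?>")
    put(".htaccess", b"RewriteEngine On\nAddHandler application/x-httpd-php .ico\n")
    stomped = put("core/model/modx/modx.class.php",
                  b"<?php /* real class with payload appended */\n")
    month_ago = time.time() - 30 * 86400
    os.utime(stomped, (month_ago, month_ago))  # mtime pushed back; ctime stays now
    return root


if __name__ == "__main__":
    for rel, reason in scan(build_demo_site()):
        print(f"{reason:58} {rel}")
```

Run it against a copy of the web root rather than the live tree where possible, and treat every hit as something to open and read: the handler check in particular will also fire on hosts that select a PHP version through AddHandler in .htaccess.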
-
Hi,
We also have been hacked a few days ago and I still haven't found a way to fix it.
Please can you describe the effect on your site ?
Even after upgrading to MODX 2.6.5, the hacker still creates new files on the server and changes my Google Search Console verification HTML page.
Also, in cPanel's logs I can see I have tons of dummy content accessible from mysite.com/fakecontent-blablabla.
This content doesn't seem to exist in the database, and I don't know where to find it.
I know there was a tool on Evo to check all files and database compromises; does such a tool exist on Revo?
Thanks.
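For the file side of the question above, the check that does not depend on a MODX-specific tool is to unpack a clean copy of the same release next to the live site and diff the two trees by hash: anything added, modified or removed outside the per-site directories is what the intruder (or a legitimate admin) touched, including freshly dropped files that never appear in the database. The script below is an added example for this thread, not a tool shipped by MODX; the ignore list and both directory trees it builds are constructed assumptions, and it covers the file system only, so database content still has to be reviewed separately.

```python
"""Added example, not a MODX-provided tool: compare a live web root with a
clean extract of the same MODX release and report files that were added,
modified or removed. Paths under per-site directories (generated config and
cache) are ignored by default. The two trees built in build_demo_trees()
are constructed for the demo."""
import hashlib
import os
import tempfile

# Site-specific paths that legitimately differ from a fresh release (assumed list).
DEFAULT_IGNORE = ("core/config/", "core/cache/")


def hash_tree(root):
    """Map each regular file under root (path relative to root) to its sha256."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(clean_root, live_root, ignore=DEFAULT_IGNORE):
    """Return {'added', 'modified', 'removed'} lists of relative paths."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)

    def watched(rel):
        return not rel.startswith(ignore)

    added = sorted(p for p in live if p not in clean and watched(p))
    removed = sorted(p for p in clean if p not in live and watched(p))
    modified = sorted(p for p in clean
                      if p in live and clean[p] != live[p] and watched(p))
    return {"added": added, "modified": modified, "removed": removed}


def build_demo_trees():
    """Constructed release extract and live site; returns (clean_root, live_root)."""
    clean = tempfile.mkdtemp(prefix="modx-clean-")
    live = tempfile.mkdtemp(prefix="modx-live-")

    def put(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    release = {
        "index.php": b"<?php require 'config.core.php';\n",
        "core/model/modx/modx.class.php": b"<?php class modX {}\n",
        "core/docs/changelog.txt": b"2.6.5 release notes\n",
    }
    for rel, data in release.items():
        put(clean, rel, data)
        put(live, rel, data)
    # Legitimate per-site differences: generated config and cache files.
    put(live, "core/config/config.inc.php", b"<?php $database_type = 'mysql';\n")
    put(live, "core/cache/system_settings/config.cache.php", b"<?php return array();\n")
    # What the posts describe: a dropped file and a legitimate file with a tail added.
    put(live, "assets/components/gallery/cache/a1.php", b"<?php /* dropped */\n")
    put(live, "index.php", release["index.php"] + b"<?php /* injected tail */\n")
    # A release file that went missing from the live site.
    os.remove(os.path.join(live, "core/docs/changelog.txt"))
    return clean, live


if __name__ == "__main__":
    clean_root, live_root = build_demo_trees()
    for kind, paths in diff_trees(clean_root, live_root).items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

On a real site the "added" list will also contain your own templates, uploads and installed extras, so run it once on a known-good backup first and keep that output as the baseline to compare against.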