    Hi,

    We've only had a couple of sites affected, but we happened to miss two sites' Gallery updates. They only seemed to add 2 .php files in assets/components/gallery/cache, which we have manually removed, and we updated the package. After scanning the sites over the past few days we don't see anything else flagged. Do you think this is ok, or should we restore the site to pre-18th?

    Also another question! If we harden the modx install (moving the core out of htdocs etc) would this make upgrading (UpgradeMODX) more difficult in the future? Also see a lot of conflicting discussion on whether this would prevent attacks too.

    Thanks
      From what I've seen, if you've caught it at that stage you are probably ok but if it was me I would restore just in case.

      Moving the core is now highly recommended - it won't stop a determined attack but may slow the attacker or move them on to somewhere else. Doesn't affect UpgradeModx as far as I'm aware.

      Also recommended is to rename the manager, connectors and assets folders.

      Password protecting folders is also being mentioned but it's not yet known if this will hinder UpgradeModx.

      The hardening Modx page can be found here...

      https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
        ^^ I'd say restore, you never know what back-door is left hanging!
          Quote from: stefany at Jul 31, 2018, 04:13 PM
          ^^ I'd say restore, you never know what back-door is left hanging!

          Second that. With this latest exploit, I've seen legitimate php files infected with tiny bits of malware - with the modified date not being affected so you would never know, htaccess files infected, even .ico files embedded with malware. Better to wipe the home directory clean and do a full restore.
            Quote from: cyclissmo at Aug 01, 2018, 04:52 PM
            Quote from: stefany at Jul 31, 2018, 04:13 PM
            ^^ I'd say restore, you never know what back-door is left hanging!

            Second that. With this latest exploit, I've seen legitimate php files infected with tiny bits of malware - with the modified date not being affected so you would never know, htaccess files infected, even .ico files embedded with malware. Better to wipe the home directory clean and do a full restore.

            Oh my! Hacks have gotten very sophisticated!
              Cheers for all the info :)

              We ended up taking a backup from pre-18th and moving the sites over to a new, faster server.

              Also does anyone know if the recent hack had any effect on the database?
                Hi,
                We also have been hacked a few days ago, and I still haven't found a way to fix it.
                Please, can you describe the effect on your site?
                Even after upgrading to MODX 2.6.5, the hacker still creates new files on the server and changes my Google Search Console verification HTML page.
                Also, in cPanel's logs I can see I have tons of dummy content accessible from mysite.com/fakecontent-blablabla.
                This content doesn't seem to exist in the database, and I don't know where to find it.

                I know there was a tool on Evo to check all files and the database for compromises; does such a tool exist on Revo?
                Thanks.
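An added example, not posted by anyone in this thread, that addresses cyclissmo's point about infected files keeping their original modified date and booyaka's question about a file-checking tool: it compares the live site tree against a known-clean backup by content hash (so a preserved mtime hides nothing) and separately lists .php files sitting in cache or upload directories such as assets/components/gallery/cache. The directory layout, file contents and the `demo()` sample tree are constructed for illustration and are not real site data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SUSPICIOUS_DIRS = {"cache", "uploads"}  # a .php file here is almost never legitimate

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Content diff against the backup; mtimes are ignored because they can be preserved."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(k for k in live if k in clean and live[k] != clean[k]),
        "missing": sorted(set(clean) - set(live)),
    }

def php_in_suspicious_dirs(live_root):
    """List .php files under cache/upload dirs, e.g. assets/components/gallery/cache."""
    root = Path(live_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if SUSPICIOUS_DIRS & set(p.relative_to(root).parts[:-1]))

def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed sample: a clean backup and a tampered live copy (not real site data)."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "backup", base / "live"
    for rel, text in {"index.php": "<?php // front controller\n", ".htaccess": "RewriteEngine On\n"}.items():
        _write(clean, rel, text)
        _write(live, rel, text)
    # Tampering: dropper in the gallery cache, index.php appended with its mtime put back, edited .htaccess
    _write(live, "assets/components/gallery/cache/x.php", "<?php // constructed marker\n")
    before = (live / "index.php").stat()
    _write(live, "index.php", "<?php // front controller\n// injected\n")
    os.utime(live / "index.php", (before.st_atime, before.st_mtime))
    _write(live, ".htaccess", "RewriteEngine On\n# injected rule\n")
    return compare_trees(clean, live), php_in_suspicious_dirs(live)
```

For a real site, point `compare_trees` at the restored backup and the live docroot; anything listed under "added" or "modified" that you did not change yourself deserves a look before deciding whether a full restore is needed.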
                  Quote from: natedin at Aug 03, 2018, 09:30 AM
                  Cheers for all the info :)

                  We ended up taking a backup from pre-18th and moving the sites over to a new, faster server.

                  Also does anyone know if the recent hack had any effect on the database?

                  Restore the DB as well.
                    Quote from: booyaka at Aug 03, 2018, 01:01 PM
                    Hi,
                    We also have been hacked a few days ago, and I still haven't found a way to fix it.
                    Please, can you describe the effect on your site?
                    Even after upgrading to MODX 2.6.5, the hacker still creates new files on the server and changes my Google Search Console verification HTML page.
                    Also, in cPanel's logs I can see I have tons of dummy content accessible from mysite.com/fakecontent-blablabla.
                    This content doesn't seem to exist in the database, and I don't know where to find it.

                    I know there was a tool on Evo to check all files and the database for compromises; does such a tool exist on Revo?
                    Thanks.

                    Restore files & DB from backup, change ALL passwords (SFTP, cPanel), DELETE SFTP users that you do not recognize, temporarily block SSH, and change MODX manager passwords.

                    After all that, harden the MODX installation https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution.


                    Harden your MODX site by password-protecting your three main folders (core, manager, connectors) and renaming your assets folder (thank me later!)

                    ^^ Do the password stuff Donsharespear recommends.

                    And you should be fine.

                    Ideally, if you can, move the site to another server.