    • 36799
    • 40 Posts
    I'm getting so tired of this now - after upgrading, now two of the same sites hacked again.

    And I moved the Core Dir with one - like people have said the files infected are all over the place with different date stamps.

    I'm just a simple web designer who has used MODX over the years, I'm not a full-on security / server expert and I SHOULD NOT HAVE TO BE DOING THIS!!! (excuse the rant)

    I've deleted various files as per the list below but obviously some of the files were system files so I'm now unable to see / use the full functionality of Manager.

    I'm going to do a system restore but that's what I did before so somehow they are getting in?

    I'm not happy!!

    Scanning [/home/wwwstyle] ... Please wait...
    [HEX]php_include_obf_local [06/09/17] /home/wwwstyle/public_html/core/index.php
    [HEX]php_include_obf_local [31/08/17] /home/wwwstyle/public_html/core/config/index.php
    [HEX]php_include_obf_local [28/01/18] /home/wwwstyle/public_html/core/export/index.php
    [HEX]php_include_obf_local [05/10/17] /home/wwwstyle/public_html/core/xpdo/index.php
    [GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/xpdo/om/mysql/xpdodriver.class.php
    [HEX]php_include_obf_local [20/10/17] /home/wwwstyle/public_html/core/lexicon/index.php
    [GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/lexicon/uk/resource.inc.php
    [GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/lexicon/da/propertyset.inc.php
    [GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/lexicon/th/user.inc.php
    [HEX]php_include_obf_local [09/05/18] /home/wwwstyle/public_html/core/model/index.php
    [HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/core/model/aws/services/vgstnoho.php
    [HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/core/model/smarty/plugins/fnqyhgym.php
    [HEX]php_include_obf_local [26/12/17] /home/wwwstyle/public_html/core/docs/index.php
    [HEX]php_include_obf_local [22/12/17] /home/wwwstyle/public_html/core/error/index.php
    [GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/components/formit/includes/us.states.inc.php
    [HEX]php_include_obf_local [20/04/18] /home/wwwstyle/public_html/core/import/index.php
    [HEX]php_include_obf_local [08/06/18] /home/wwwstyle/public_html/core/packages/index.php
    [HEX]stream_context_func [01/08/18] /home/wwwstyle/public_html/core/packages/seopro-1.0.3-pl/.2ce06750.ico
    [HEX]obfuscated_php_code_5 [30/07/18] /home/wwwstyle/public_html/core/packages/upgrademodx-1.5.5-pl/71a12c4a.php
    [HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/core/packages/simplesearch-1.9.2-pl/modCategory/faxkdjgx.php
    [HEX]php_include_obf_local [18/10/17] /home/wwwstyle/public_html/css_new/imports/index.php
    [HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/images/Alti-trade/vznkohmu.php
    [HEX]php_include_obf_local [17/10/17] /home/wwwstyle/public_html/connectors/security/index.php
    [HEX]php_include_obf_local [27/11/17] /home/wwwstyle/public_html/connectors/index.php
    [HEX]php_include_obf_local [04/06/18] /home/wwwstyle/public_html/connectors/system/index.php
    -----------------------------------------
    Scanned Files : 37165
    Scanner Hits : 25
    Time Taken : 100 (sec)
    Scan Report: report-020818-110538

    This question has been answered by gavinbaylis. See the first response.

    [ed. note: gavinbaylis last edited this post 5 years, 9 months ago.]
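
Added example, not part of the original post and not MODX code: a triage of the scan report above that separates flagged files the release ships (overwrite from a clean copy, since deleting them is what breaks the Manager) from flagged files the release never shipped. The names `parse_report`, `triage` and `clean_manifest` are hypothetical, and the one-entry manifest is constructed; a real one would be built from a freshly unpacked official package of the same release.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Hit-line shape as it appears in the scan report in the post above:
# [ENGINE]signature [dd/mm/yy] /absolute/path
HIT = re.compile(r"^\s*\[(?P<engine>[A-Z]+)\](?P<sig>\S+)\s+"
                 r"\[(?P<date>\d{2}/\d{2}/\d{2})\]\s+(?P<path>/.+?)\s*$")

def parse_report(text):
    """Return one dict per hit line; banner and summary lines are skipped."""
    return [m.groupdict() for m in map(HIT.match, text.splitlines()) if m]

def triage(hits, site_root, clean_manifest):
    """Sort flagged paths by whether the clean release ships them.

    clean_manifest is a set of relative paths (assumption: built by you from
    a freshly unpacked official package of the same release).
    """
    plan = defaultdict(list)
    root = PurePosixPath(site_root)
    for hit in hits:
        try:
            rel = str(PurePosixPath(hit["path"]).relative_to(root))
        except ValueError:
            plan["outside_site_root"].append(hit["path"])
            continue
        # Shipped by the release: modified in place, so overwrite it with the
        # clean copy instead of deleting it. Not shipped: review it against
        # your own site files and remove it if it is not yours.
        key = "restore_from_clean" if rel in clean_manifest else "not_in_release"
        plan[key].append(rel)
    return dict(plan)

# Three hit lines and two non-hit lines copied from the report above.
SAMPLE = """\
Scanning [/home/wwwstyle] ... Please wait...
[GEN]obfuscated_globals [25/07/18] /home/wwwstyle/public_html/core/xpdo/om/mysql/xpdodriver.class.php
[HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/core/model/smarty/plugins/fnqyhgym.php
[HEX]obfuscated_php_code_5 [26/07/18] /home/wwwstyle/public_html/images/Alti-trade/vznkohmu.php
Scanned Files : 37165
"""
# Constructed one-entry manifest; a real one lists every file in the package.
CLEAN = {"core/xpdo/om/mysql/xpdodriver.class.php"}

if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE), "/home/wwwstyle/public_html", CLEAN).items():
        print(bucket, *paths, sep="\n  ")
```

The scanner's date column plays no part in the decision, because the dates on the flagged files in the report range from 2017 to 2018 and cannot be used to tell original files from altered ones.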
      • 31902
      • 342 Posts
      @gavinbaylis, I'm not a security/server expert, either, but I'm wondering how old your restore files are. If from really recent backups, maybe you may be restoring already-affected backups?

      We got hit pretty hard too but the restore files we used were from backups taken back on July 5th, I believe. In one case, a lot farther back than that. We also cleared the account first before restoring.

      Probably not much to offer here, but maybe it helps a bit. [ed. note: waizen last edited this post 5 years, 9 months ago.]
        • 31902
        • 342 Posts
        One other thing that may or may not apply to your case. Take a look at the server, or have the server people do this for you, to check for any running processes and cron jobs that may be opening up some doors again. I'm personally not an expert in this area but there were some that were found on our system. Then, it was just a simple matter to kill them off.
          • 36799
          • 40 Posts
          Last time I did a restore and scan showed all Dirs clean - I'm now in the process of doing another restore and will ask for another scan.

          I'm seriously considering shelling out for this for one of my big sites and if it's good getting those more important clients of mine to do the same.

          https://sucuri.net/website-security-platform/signup