Reinstall 2.5.5 and upgrade to 2.6.5 does not fix a hacked site

My partially hardened 2.5.5 site was hacked. I manually cleaned the assets folder, reinstalled 2.5.5 and upgraded to 2.6.5. Everything appeared to be OK until I tried to update the plugins and everything crashed. So far, I have found Trojans in zip files in core/packages/gallery and tagger. Example of an infected zip file:
file: core265/packages/tagger-1.10.0-pl/modCategory/6a1f0bc245f29e70109941713b21f4e3.1.preserved.zip->tagger/js/mgr/extras/griddraganddrop.js

Is there a practical procedure to recover a site that has been hacked or should I just go to an ancient backup?

Is there some way to clean a backup or to know that it is clean?


[ed. note: dgt849327673 last edited this post 6 years, 7 months ago.]

Hi,

or should I just go to an ancient backup?

Do you have any backup made earlier than July 17? It will be good to roll back there firstly.
Latest MODX 2.6.5 + updated Gallery + all main folders hardened from external access - is what you need now.
There are a lot info here on forum about that, see this please https://forums.modx.com/thread/?thread=104131&page=1 and https://forums.modx.com/thread/?thread=104149&page=1 and https://forums.modx.com/thread/?thread=104108&page=1

Automatic scanning is good, but manual checking is also valuable, especially when you know where to check(there are number of folders and files where malicious code was found dozens of times).That can help with infected backup too.

Hope all that will help you.