    Maybe this is something of a dumb question since I'm not much of a security expert, but here goes. In dealing with a rash of malware these past couple of weeks, I've noticed something that I'm not sure is worth taking note of.

    Some of the malware experienced, especially that which I found was added months ago without detection until now, involved the hacker adding some code within other existing files, as well as adding index and other files within directories. In the case of the added index files, along with other added files, the malware code looked something like this (the X's represent numbers or letters that I don't want to share here):

    <?php
    
    /*xxxxx*/
    
    @include "\xxxx\xxxx\xxx/\xxxx\xxxx\xxxx\xxxx\xxx/\xxxx\xxxx\.....\xxx";
    
    /*xxxxx*/


    In the case of added index files, I was wondering why MODx doesn't come shipped with empty index files within certain directories, such as the core, assets, etc? Would that help the situation, at least a little bit?

    At one point, I had found a file within the assets/images directory called accesson.php. Since I know there should be no files in there except images, I looked in that file and found more of that gibberish code. So, as an experiment, instead of deleting it, I emptied the contents of that file and left it empty. I then changed the permissions to 0000.

    Among other error messages in the manager's error log, I then found repeating copies of this over a few days:

    [2018-08-07 08:16:06] (ERROR @ /home/username/public_html/core/cache/includes/elements/modplugin/12.include.cache.php : 2) PHP warning: fopen(/home/username/public_html/assets/images/accesson.php): failed to open stream: Permission denied


    So, something was still using that file and not able to do anything with it after I changed its permissions.

    So, my point is that, would MODx benefit somehow by adding files, such as empty index files within directories to thwart some malware activity? In my case, I added an empty one within the core directory just in case.

    Any thoughts?

    This question has been answered by markh. See the first response.

    [ed. note: waizen last edited this post 5 years, 7 months ago.]
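As an added example (not MODX code and not something the poster ran), the following Python scanner checks a web root for the two indicators described in the post: a `.php` file sitting under `assets/images/`, which should hold only images, and a PHP file whose `@include` points at a path hidden behind `\xHH` or `\NNN` string escapes, which is what the X-ed-out line looks like once the escapes are resolved. The sample tree it builds is constructed for the demonstration; the `accesson.php` path and `12.include.cache.php` name are taken from the post, everything else (user name, hash-like comment markers, file contents) is made up.

```python
"""Scan a MODX-style web root for dropped PHP files and obfuscated includes.

Added example, not part of the thread or of MODX. The sample web root below
is constructed for the demonstration; no real payload is reproduced.
"""
import os
import re
import shutil
import tempfile

# PHP double-quoted string escapes: "\x2f" (hex) and "\057" (octal) are both '/'.
_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# An include/require whose argument is a double-quoted literal; the body is
# captured so we can check whether it hides the path behind escapes.
_INCLUDE_RE = re.compile(
    r'@?\s*\b(?:include|require)(?:_once)?\b\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)

# Directories that should never contain server-side code (paths relative to the web root).
IMAGE_ONLY_DIRS = ("assets/images",)


def decode_php_escapes(s: str) -> str:
    """Resolve \\xHH and \\NNN escapes the way PHP does for double-quoted strings."""
    def repl(m: "re.Match[str]") -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESCAPE_RE.sub(repl, s)


def scan_file(path: str, webroot: str) -> list:
    """Return (indicator, relative_path, detail) tuples for one file."""
    findings = []
    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
    if rel.lower().endswith(".php") and any(rel.startswith(d + "/") for d in IMAGE_ONLY_DIRS):
        findings.append(("php_in_image_dir", rel, ""))
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    for m in _INCLUDE_RE.finditer(text):
        body = m.group(1)
        if _ESCAPE_RE.search(body):  # a plain include path never needs escapes
            findings.append(("escaped_include", rel, decode_php_escapes(body)))
    return findings


def scan_webroot(webroot: str) -> list:
    """Walk the tree and return all findings, sorted for stable output."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name), webroot))
    return sorted(findings)


# Constructed stand-in for the dropped index file from the post: the comment
# markers and the escaped path are invented, the target file name is the
# accesson.php mentioned in the thread.
SAMPLE_DROPPER = (
    "<?php\n/*a1b2c3*/\n"
    '@include "\\057home\\057user\\057public_html\\057assets\\057images\\057accesson\\056php";\n'
    "/*a1b2c3*/\n"
)


def build_sample_webroot() -> str:
    """Create a throwaway tree with one clean site plus the two indicators."""
    root = tempfile.mkdtemp(prefix="modx-scan-")
    files = {
        "index.php": "<?php\nrequire 'config.core.php';\n",            # legitimate
        "core/cache/includes/elements/modplugin/12.include.cache.php":
            "<?php\n/* constructed stand-in for a cached plugin */\n",  # legitimate
        "assets/images/logo.png": "not-really-a-png\n",                 # legitimate
        "assets/images/accesson.php": "<?php /* constructed placeholder */\n",
        "assets/components/index.php": SAMPLE_DROPPER,
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_webroot()
    for indicator, rel, detail in scan_webroot(root):
        print(f"{indicator:18} {rel}  {detail}")
    cleanup(root)
```

Run against a real site, the decoded path in an `escaped_include` finding tells you which file to look at next, which is how the injected index files in the post and the dropped `accesson.php` are tied together. Extend `IMAGE_ONLY_DIRS` with any other upload directories the site has.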
      Once an attacker has the ability to edit or add files to your server, it's already game over. Some empty index files are not going to get in their way. Preventing file writes by changing the permissions does help if the PHP process can't write to it, but let's assume for a moment that you want to be able to upload files from the manager and you're not going to lock the entire assets directory down to anyone but root. Putting in an empty index.php with those permissions wouldn't prevent an attacker from creating an index2.php instead.

      Empty index files are meant to prevent directory indexes giving away too much information about what files are located where. It's better, and in my recent experience already the default on most hosts, to disable directory indexes on the server level.
        Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

        Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
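The server-level setting Mark refers to, as an added example and not MODX's shipped .htaccess. The first directive is the weak form (listings on), the second is the corrected one. The `<Directory>` block goes a step beyond what the answer says: it refuses to serve PHP from the image directory where the poster found accesson.php. Note that it only blocks requests for that file over HTTP; it would not have stopped the `fopen()` from the plugin cache file shown in the error log, because that call never goes through the web server. The path is the one from the poster's log line; adjust it to your own web root.

```apache
# Added example (not MODX's shipped .htaccess). Place in the vhost config or
# the web root's .htaccess; for .htaccess, AllowOverride must permit Options.

# Weak: with listings on, any directory that lacks an index file shows its
# contents, which is the only thing an empty index.php would have prevented.
Options +Indexes

# Corrected: listings off for the whole site, so the presence or absence of
# an index file in any given directory no longer matters.
Options -Indexes

# Beyond the answer: do not execute PHP that lands in the images directory.
# Path taken from the poster's error log; use your own web root.
<Directory "/home/username/public_html/assets/images">
    <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After changing it, request a directory without an index file (for example `/assets/images/`) and confirm you get a 403 rather than a listing; if `Options` is ignored in .htaccess, the host has not enabled `AllowOverride Options` and the directive has to go into the vhost.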
        Thank you, Mark. I knew there had to be an explanation. Would have been too easy.