Maybe this is something of a dumb question since I'm not much of a security expert, but here it goes. In dealing with a rash of malware these past couple of weeks, I've noticed something that I'm not sure is something to take note of.
Some of the malware experienced, especially that which I found was added months ago without detection until now, involved the hacker adding some code within other existing files, as well as adding index and other files within directories. In the case of the added index files, along with other added files, the malware code looked something like this (the X's represent numbers or letters that I don't want to share here):
<?php
/*xxxxx*/
@include "\xxxx\xxxx\xxx/\xxxx\xxxx\xxxx\xxxx\xxx/\xxxx\xxxx\.....\xxx";
/*xxxxx*/
In the case of added index files, I was wondering why MODx doesn't come shipped with empty index files within certain directories, such as the core, assets, etc? Would that help the situation, at least a little bit?
At one point, I had found a file within the assets/images directory called accesson.php. Since I know there should be no files in there except images, I looked in that file and found more of that gibberish code. So, as an experiment, instead of deleting it, I emptied the contents of that file and left it empty. I then changed the permissions to 0000.
Among other error messages in the manager's error log, I then found repeating copies of this over a few days:
[2018-08-07 08:16:06] (ERROR @ /home/username/public_html/core/cache/includes/elements/modplugin/12.include.cache.php : 2) PHP warning: fopen(/home/username/public_html/assets/images/accesson.php): failed to open stream: Permission denied
So, something was still using that file and not able to do anything with it after I changed its permissions.
So, my point is: would MODx benefit somehow by adding files, such as empty index files within directories, to thwart some malware activity? In my case, I added an empty one within the core directory just in case.
Any thoughts?
[ed. note: waizen last edited this post 5 years, 7 months ago.]
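For anyone triaging a similar infection, the three signals described in this post (PHP files in an images directory, an `@include` whose path is written in escape sequences, and a plugin cache file opening the planted file) can be checked mechanically. This is an added example, not part of the original post and not MODX code; it assumes that `assets/images` should hold no PHP and that the number in the `modplugin/NN.include.cache.php` filename is the ID of the plugin to inspect in the manager.

```python
import re
from pathlib import Path

# Assumption: these directories should hold media only, never PHP.
MEDIA_DIRS = ("assets/images",)
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

# @include / @include_once with a quoted argument, and the escapes inside it.
INCLUDE_RE = re.compile(r"""@\s*include(?:_once)?\s*\(?\s*(["'])(?P<arg>.*?)\1""", re.S)
ESCAPE_RE = re.compile(r"\\(?:x[0-9A-Fa-f]{1,2}|[0-7]{1,3})")
# Manager error-log line: which cached plugin tried to fopen() which file.
LOG_RE = re.compile(
    r"\(ERROR @ (?P<src>\S*/modplugin/(?P<id>\d+)\.include\.cache\.php) : \d+\)"
    r".*?fopen\((?P<target>[^)]+)\)")

def php_in_media_dirs(webroot):
    """PHP-like files under directories that should only contain media."""
    root = Path(webroot)
    hits = []
    for d in MEDIA_DIRS:
        base = root / d
        if base.is_dir():
            hits += [p for p in base.rglob("*")
                     if p.is_file() and p.suffix.lower() in PHP_EXT]
    return sorted(hits)

def obfuscated_include(source, min_escapes=3):
    """True if an @include argument contains several hex/octal escapes."""
    for m in INCLUDE_RE.finditer(source):
        if len(ESCAPE_RE.findall(m.group("arg"))) >= min_escapes:
            return True
    return False

def plugin_behind_fopen(log_line):
    """Return (plugin_id, target_path) from an error-log line, else None."""
    m = LOG_RE.search(log_line)
    return (int(m.group("id")), m.group("target")) if m else None

if __name__ == "__main__":
    # Constructed sample in the shape of the injected stub (harmless path).
    stub = r'<?php /*x*/ @include "\x2fva\162/\167ww/\x2e\x61bc.ico"; /*x*/'
    print("obfuscated include:", obfuscated_include(stub))
    # Log line in the format quoted in the post.
    line = ("[2018-08-07 08:16:06] (ERROR @ /home/username/public_html/core/cache/"
            "includes/elements/modplugin/12.include.cache.php : 2) PHP warning: "
            "fopen(/home/username/public_html/assets/images/accesson.php): "
            "failed to open stream: Permission denied")
    print("plugin id, target:", plugin_behind_fopen(line))
```

A hit from `plugin_behind_fopen` points at a plugin stored in the site's database, so removing or emptying the file on disk does not remove whatever is calling it.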