  • joshratcliffe Reply #1, 1 year ago
    Hello,

    After rolling back a hacked website, upgrading to 2.6.5-pl, and following the ModX hardening documentation, the site I'm working on has been compromised.

    After checking through the access log for the server I've found a few SQL injections via the "/?search" parameter which led to a large payload attack a few minutes later.

    The only extension I have on the site related to the search is the AdvSearch module. I've not heard of any vulnerabilities with this module and it has been updated to the latest version.

    I'm going to roll the site back as the site was hacked 07/08 after a few days of brute force attacks.

    So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of ModX?

    Thanks

    This question has been answered by joshratcliffe. See the first response.

    • Mark Hamstra Reply #2, 1 year ago
      Quote from: joshratcliffe at Aug 08, 2018, 02:12 PM
      So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of ModX?

      Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via security@modx.com.
      • joshratcliffe Reply #3, 1 year ago
        Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via security@modx.com.

        Hi Mark thanks for the reply.

        I will get in touch with both and see what I find out and post back here. It might be a vulnerability on my server but whatever the cause/fix I'll update here.

        Thanks
        • Keep us updated.
          • joshratcliffe Reply #5, 1 year ago
            So after doing some investigation of the files it turns out I just did a poor job of removing the hacked files from the site when I took a backup.

            So I'm now searching through and removing files that had gotten onto my new server via the /assets/ folder.

            For anyone who is also suffering from the hack, try looking for .php files in your assets folder and .ico files in index.php files all over the site.

            I will mention that even when compromised, with hardening only publicly accessible sections of the site have been compromised, so I would highly recommend hardening your Modx sites after upgrading to 2.6.5-pl.
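
The cleanup check described in the last reply, as an added example that is not part of the original thread or of MODX: it walks a web root and lists PHP files under the assets folder and index.php files that pull in an .ico path. The function name `scan_site`, the extra PHP extensions, and the reading of ".ico files in index.php" as an include/require of a path ending in .ico are assumptions.

```python
import os
import re
import sys

# The post names .php; the extra extensions are an added assumption.
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")
# Assumption: "an .ico file in index.php" means an include/require
# statement whose quoted target ends in .ico.
ICO_INCLUDE = re.compile(
    rb"""(?:include|require)(?:_once)?\s*\(?\s*['"][^'"\r\n]*\.ico['"]""", re.I)


def scan_site(webroot, assets_dir="assets"):
    """Return (php_in_assets, index_with_ico) as sorted paths relative to webroot."""
    php_in_assets, index_with_ico = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            lower = name.lower()
            # Any PHP-like file below <webroot>/assets is a candidate for review.
            if rel.split(os.sep)[0] == assets_dir and lower.endswith(PHP_EXTS):
                php_in_assets.append(rel)
            # Every index.php on the site is checked for an .ico include.
            if lower == "index.php":
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(1024 * 1024)  # cap the read at 1 MiB
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if ICO_INCLUDE.search(head):
                    index_with_ico.append(rel)
    return sorted(php_in_assets), sorted(index_with_ico)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    php_hits, ico_hits = scan_site(root)
    for rel in php_hits:
        print("PHP under assets:", rel)
    for rel in ico_hits:
        print("index.php including .ico:", rel)
```

Hits are candidates to compare against a known-clean copy of the site and its extras, not verdicts.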