-
- 7 Posts
Hello, my modx websites were hacked during last month because I was on holiday and didn't update soon enough. I keep backups for only two weeks and I noticed the hack 16 days after, so I don't have a clean backup.

I manually cleaned all files with the following method: first I searched all files with a recent modification date and removed the infected parts, then I did a full text search on all files for @include and eval and manually inspected each. I also checked the DB and js files, but it seems only php files were infected and some ico files created, nothing in the DB or js files. After that I updated modx to 2.6.5 and all plugins to the latest version, and changed the DB and all user passwords. I was watching every day for file changes and after one week passed without any problem I thought I had successfully cleaned all websites.

Unfortunately a few days after (on the 25th of August) I was hacked again and I don't know what more to do. I am using the pThumb plugin which was last updated on 2018-01-17 and statcache which was updated in 2016, and I was wondering if either of those might be the problem. I have faced similar problems in the past with custom sites, sql injections etc, but this is the first time that I have double checked everything and can't find where the vulnerability is.

I have 40+ websites with little content so I can copy-paste the content to a new install, but I also have two websites with thousands of pages and hundreds of custom snippets, chunks etc. Any help or even a hint will be much appreciated, because even the thought of having to manually copy tens of thousands of pages is very depressing.
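The cleanup method described in the post (recently modified files first, then a text search for @include and eval, plus stray .ico files) as an added Python scanner; this is example code written for this thread, not something from the original post or from modx. The sample site tree, the 16-day cutoff and the file names are constructed assumptions.

```python
import os
import re
import tempfile
import time

# Indicators named in the post: "@include" and "eval(" inside PHP files.
SUSPICIOUS_PHP = re.compile(rb"@include|\beval\s*\(")


def scan_tree(root, modified_after):
    """Return a sorted list of (relative path, reason) worth manual inspection.

    modified_after is epoch seconds; files with mtime >= it count as "recent".
    Every PHP file with an indicator is listed, recent or not, so that files
    whose mtime was reset still surface; recent .ico files are listed too.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            recent = os.path.getmtime(path) >= modified_after
            if name.lower().endswith(".ico") and recent:
                findings.append((rel, "recently created .ico file"))
            elif name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    match = SUSPICIOUS_PHP.search(fh.read())
                if match:
                    reason = "contains " + match.group(0).decode(errors="replace")
                    if recent:
                        reason += " (recently modified)"
                    findings.append((rel, reason))
    return sorted(findings)


def build_sample_site():
    """Create a constructed sample tree (assumption, not a real site) in a temp dir."""
    root = tempfile.mkdtemp(prefix="modx_scan_")
    files = {
        "index.php": b"<?php require 'config.core.php';\n",          # clean
        "core/cache/cached.php": b"<?php @include '/tmp/x.ico';\n",  # old but infected
        "assets/components/thing.php": b"<?php eval($_POST['p']);\n",  # new and infected
        "assets/favicon.ico": b"\x00\x00\x01\x00",                    # new .ico
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the sample tree with a 16-day cutoff, as in the post."""
    root = build_sample_site()
    old = time.time() - 30 * 86400  # pretend these two were untouched for 30 days
    for rel in ("index.php", "core/cache/cached.php"):
        os.utime(os.path.join(root, rel), (old, old))
    return scan_tree(root, time.time() - 16 * 86400)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "-", why)
```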
-
- 571 Posts
Are the websites on servers that you maintain? If so are any of the websites that have not been cleaned up on the same server as the websites that have been cleaned? I'm wondering if hacked sites might be allowing the modification of files in other sites that have been cleaned.
Have you 'hardened' your installations?
https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
In addition to the suggestions in the above document, @donshakespeare and others also recommend password protecting your three main folders: core, manager and connectors.
-
- 7 Posts
It seems I did a sloppy job when I cleaned them; after searching more, every reinfection can be explained by something I missed. I hope this time I cleaned them for good.