    • 38169
    • 7 Posts
    Hello, my MODX websites were hacked during last month because I was on holiday and didn't update soon enough. I keep backups for only two weeks and I noticed the hack 16 days after, so I don't have a clean backup. I manually cleaned all files with the following method: first I searched all files with a recent modification date and removed the infected parts, then I did a full text search on all files for @include and eval and manually inspected each. I also checked the DB and js files, but it seems only php files were infected and some ico files created, nothing in the DB or js files. After that I updated MODX to 2.6.5 and all plugins to the latest version, and changed the DB and all user passwords. I was watching every day for file changes and after one week passed without any problem I thought I had successfully cleaned all websites. Unfortunately, a few days after (on 25th of August) I was hacked again and I don't know what more to do. I am using the pThumb plugin, which was last updated on 2018-01-17, and statcache, which was updated in 2016, and I was wondering if any of those might be the problem. I have faced similar problems in the past with custom sites, SQL injections etc., but this is the first time that I have double checked everything and can't find where the vulnerability is. I have 40+ websites with little content, so I can copy and paste the content to a new install, but I also have two websites with thousands of pages and hundreds of custom snippets, chunks etc. Any help or even a hint will be much appreciated, because even the thought of having to manually copy tens of thousands of pages is very depressing.
      • 38783
      • 571 Posts
      Are the websites on servers that you maintain? If so are any of the websites that have not been cleaned up on the same server as the websites that have been cleaned? I'm wondering if hacked sites might be allowing the modification of files in other sites that have been cleaned.

      Have you 'hardened' your installations? https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

      In addition to the suggestions in the above document @donshakespeare and others also recommend password protecting your three main folders: core, manager and connectors.
        If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

        website: https://andytough.com
        • 38169
        • 7 Posts
        Quote from: andytough at Aug 31, 2018, 04:48 PM
        Are the websites on servers that you maintain? If so are any of the websites that have not been cleaned up on the same server as the websites that have been cleaned? I'm wondering if hacked sites might be allowing the modification of files in other sites that have been cleaned.

        Have you 'hardened' your installations? https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

        In addition to the suggestions in the above document @donshakespeare and others also recommend password protecting your three main folders: core, manager and connectors.

        Thank you for your reply. The sites are on servers I maintain. I cleaned every single one of them twice. Every account is restricted from accessing other account folders with open_basedir. I have enforced all methods of hardening MODX except renaming the connector and asset folders (many years ago it used to create problems with plugins). I talked to a friend dev who is pretty sure that I missed some infected files. He advised me to also do a full text search for @file_put_contents, and after doing it I indeed found one infected file with a different date that I missed during the previous cleaning, so I guess he is right. About password protecting my folders, I feel very bad about it: it is like knowing that I have a vulnerable or infected file with bad code and instead of fixing it I password protect it. Also, it won't help me if even one file is already infected. I will keep searching and keep you updated, thank you again for your reply.
          • 38169
          • 7 Posts
          It seems I did a sloppy job when I cleaned them; after searching more, every reinfection can be explained by something I missed. I hope this time I cleaned them for good.
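
The manual search described in this thread (full-text search for @include, eval and @file_put_contents, plus the stray .ico files) can be scripted so that every file is checked by content and the modification date is only reported, never used as a filter. This is an added example, not code posted by anyone in the thread; the extension list, the 30-day window and the .ico header check are assumptions.

```python
import os
import re
import time

# Markers the posters searched for by hand. Hits need manual review:
# legitimate code can also contain eval() or file_put_contents().
PATTERNS = {
    "@include": re.compile(rb"@\s*include(_once)?\b"),
    "eval": re.compile(rb"\beval\s*\("),
    "@file_put_contents": re.compile(rb"@\s*file_put_contents\s*\("),
}
PHP_EXT = (".php", ".phtml", ".inc")  # assumption: extensions run as PHP
ICO_MAGIC = b"\x00\x00\x01\x00"       # first bytes of a genuine .ico image


def scan_webroot(root, recent_days=30):
    """Return sorted (relative_path, reason, recently_modified) tuples."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith(PHP_EXT + (".ico",)):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                recent = os.stat(path).st_mtime >= cutoff
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root)
            if lower.endswith(".ico"):
                # An "icon" holding PHP or lacking the image header is suspect.
                if b"<?php" in data or not data.startswith(ICO_MAGIC):
                    findings.append((rel, "ico-not-an-image", recent))
                continue
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    findings.append((rel, label, recent))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason, recent in scan_webroot(target):
        print(f"{reason:20} {'RECENT' if recent else 'old':6} {rel}")
```

Run it against each site's document root and review every hit by hand; files flagged as old are the ones a search by modification date alone would miss.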