⚠️ Urgent! Active Attacks on MODX Revolution Sites Below Revolution 2.6.5
  • Hi there

    I had a site go down. It’s not a highly used site so not sure whether it happened before I upgraded to the latest version or not.

    There was some strange WordPress redirect code in the htaccess file, and I found a strangely named php document in public_html.

    I removed the code from htaccess and deleted the php file, but not sure if I need to check anything else.

    Has anyone any idea as to a process for checking?

    Presumably this happened when on the previous vulnerable version before I upgraded but I’m not sure.
    • Do you know when the hack occurred?
      • Quote from: stefany at Sep 15, 2018, 04:12 PM
        Do you know when the hack occurred?

        Unfortunately not!
        • Quote from: tm2000 at Sep 14, 2018, 06:32 PM

          I had a site go down.

          Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

          In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

          Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

          Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the <?php header before the MODX bit proper starts. Delete these lines. Some index.php files in subsidiary directories are altogether false. Delete them. You may have index.html.bak.bak files all over the place. Rename them back to .html.

          Do a full manual review of all .php and .ico files, especially ones called "blogs" or "newsletter". While there are some of these in legitimate versions of MODX, they are usually more informative, e.g. blog-attachment-process-snippet.php. Opening them will prove legitimacy or otherwise.

          You might well find enormous sitemap.xml files. Kill them too.

          Once you've done all that your site should be working.

          This will last a few hours before the hacker gets back in, because this is by no means the end of the matter.

          Fixing the hacked site is one thing, re-securing it is another. It is common for hacked sites to have little back doors added to the database, and unless you are familiar with MODX's database, it is difficult to see what's good and what's bad. I don't know of any better program than Bob Ray's sitecheck to help you analyse your database. Start with that.

          By now you should be kicking yourself about your failure to take backups. None of this is required if you have a clean back up. Restoration of any clean backup, even an old one, is going to be easier than rebuilding the entire site within a secure version of MODX. Which is what you are about to have to do.

            MODX Revolution 2.6.5-pl (traditional)

            Hosted on MODX Cloud

            Skype: nicbaldeagle
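The checks in the post above (PHP hidden in .ico files, index.html.bak.bak renames, oversized sitemap.xml, generically named "blogs"/"newsletter" PHP files, and directories whose dates are out of step because the dropper back-dates files but not the directory it writes into) can be run as one triage pass over the webroot. The script below is an added example, not code from the thread or from MODX; it assumes config.core.php is an untouched install-time file usable as a timestamp reference, and the 1 MiB sitemap threshold is an assumed cut-off. It also builds a constructed sample tree so it can be tried offline.

```shell
#!/bin/sh
# Added example: triage scan of a MODX webroot for the indicators listed in
# the thread. Assumes "$root/config.core.php" was not touched by the intrusion
# and can serve as the "installation date" reference.
# Usage: sh scan_modx.sh /path/to/webroot [reference-file]

# Print one "TAG path" line per finding; every hit still needs a manual look.
scan_webroot() {
    root="$1"
    ref="${2:-$root/config.core.php}"   # assumed untouched reference file

    # .ico files that are really PHP in disguise
    find "$root" -type f -name '*.ico' -exec grep -l -F '<?php' {} \; 2>/dev/null \
        | sed 's/^/PHP-IN-ICO  /'

    # index.html renamed to index.html.bak.bak
    find "$root" -type f -name '*.bak.bak' | sed 's/^/BAK-BAK     /'

    # oversized sitemap.xml (threshold is an assumption: larger than 1 MiB)
    find "$root" -type f -name 'sitemap.xml' -size +1024k | sed 's/^/BIG-SITEMAP /'

    # short generic names the thread calls out; legitimate MODX files are more descriptive
    find "$root" -type f \( -name 'blogs*.php' -o -name 'newsletter*.php' \) \
        | sed 's/^/REVIEW-NAME /'

    # .htaccess files and directories modified after the reference file:
    # the dropper back-dates the files it drops but not their parent directory
    if [ -f "$ref" ]; then
        find "$root" -type f -name '.htaccess' -newer "$ref" | sed 's/^/HTACCESS-NEW /'
        find "$root" ! -path "$root" -type d -newer "$ref" | sed 's/^/DIR-NEWER   /'
    fi
}

# Constructed sample webroot: old timestamps stand for installation dates,
# current timestamps for what the dropper leaves on the directories it writes to.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/core" "$sample/manager" "$sample/assets/images" \
             "$sample/assets/cache/newsletter"
    printf '<?php\n' > "$sample/index.php"
    printf '<?php\n' > "$sample/config.core.php"
    printf 'ICO' > "$sample/favicon.ico"                          # legitimate icon
    printf '<?php echo 1;\n' > "$sample/assets/images/favicon.ico" # PHP in disguise
    printf '<html></html>\n' > "$sample/manager/index.html.bak.bak"
    printf '<?php\n' > "$sample/assets/cache/newsletter/newsletter.php"
    dd if=/dev/zero of="$sample/sitemap.xml" bs=1024 count=1100 2>/dev/null
    printf 'RewriteRule ^ http://example.invalid/ [R,L]\n' > "$sample/.htaccess"  # constructed
    # back-date the "installation" files and directories; assets/cache and
    # .htaccess keep the current time, as a fresh drop would
    touch -t 201806011200 "$sample/config.core.php" "$sample/index.php" \
        "$sample/favicon.ico" "$sample/core" "$sample/manager" \
        "$sample/assets" "$sample/assets/images" "$sample"
    echo "$sample"
}

if [ "$#" -ge 1 ]; then
    scan_webroot "$@"
else
    demo=$(make_sample_tree)
    scan_webroot "$demo"
    rm -rf "$demo"
fi
```

Run it with the webroot as the first argument on a real site; with no arguments it scans the constructed tree and should report one PHP-IN-ICO, one BAK-BAK, one BIG-SITEMAP, one REVIEW-NAME, one HTACCESS-NEW and two DIR-NEWER lines. The directory check is the one most worth keeping: per the thread, the dropper matches dropped files to neighbouring file dates, so file mtimes alone will not expose them.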
          • Quote from: nicboyde at Sep 15, 2018, 07:34 PM
            Quote from: tm2000 at Sep 14, 2018, 06:32 PM

            I had a site go down.

            Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

            In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

            Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

            Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the

            Thank you for your comprehensive response. And yes - I am kicking myself.
            Even more so because I back up ALL my sites regularly - but somehow this one slipped under my radar - it's for a small local charity, and never changes, so as it's not a commercial site I've neglected it - lesson learnt.

            I found files all over the place - either with injected lines, or just totally new files. Deleted them all - and they all came back 24 hours later.

            I was going to install Bobs sitecheck extra - but when I try and install any extras by clicking the download button - I get the following error:

            An error occurred while connecting to the Provider: MODX received a blank response from the provider. Please double check your service URL and make sure the provider is a valid provider.

            The provider is set as: modx.com
            service URL is: https://rest.modx.com/extras/

            Presumably this is a result of the hacked site? Anyone have any ideas what to do?

            Thanks in advance.

            PS I cannot sit down due to kicking myself so much...
            • I feel for you, I had a few sites hacked but could recover them all apart from 1 which kept getting re-hacked.

              I ended up upgrading all the addons I had installed (and made a note of them), then removed all files from the server, re-uploaded a clean modx and installed it as a new site (new database).

              After that I installed all the addons again, once that was done I edited the config file to point to the old database and re-uploaded the css, images, js etc. after making sure there were no hacked files in them.

              Might sound like a lot of work but if you leave just 1 hacked file on there you have to start again after 24 hours, and some files had been buried deep within the addons.
              • Quote from: paulp at Sep 18, 2018, 02:45 PM
                I feel for you, I had a few sites hacked but could recover them all apart from 1 which kept getting re-hacked.

                I ended up upgrading all the addons I had installed (and made a note of them), then removed all files from the server, re-uploaded a clean modx and installed it as a new site (new database).

                After that I installed all the addons again, once that was done I edited the config file to point to the old database and re-uploaded the css, images, js etc. after making sure there were no hacked files in them.

                Might sound like a lot of work but if you leave just 1 hacked file on there you have to start again after 24 hours, and some files had been buried deep within the addons.

                Thanks for this - so you don't think they have got into the database itself?
                I'm worried that if I reinstall as you suggest, they will still get in via a backdoor in the original database that you reconnect to?

                • Haven't seen anything to suggest that any databases were compromised and all sites have stayed clean for me.
                  • Quote from: paulp at Sep 18, 2018, 02:50 PM
                    Haven't seen anything to suggest that any databases were compromised and all sites have stayed clean for me.

                    OK will give it a go - thanks for your advice.
                    • Quote from: paulp at Sep 18, 2018, 02:50 PM
                      Haven't seen anything to suggest that any databases were compromised and all sites have stayed clean for me.

                      The strange thing is - why can I not install any extras now?