Quote from: tm2000 at Sep 14, 2018, 06:32 PM
I had a site go down.
Many of us have been blitzed. If you didn't have a backup, here are some remedial steps to buy you some time.
In addition to meddled-with .htaccess and oddly-named php files in the web root, you should check for:
Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.
Check your index.php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the <?php header before the MODX bit proper starts. Delete these lines. Some index.php files in subsidiary directories are altogether false. Delete them. You may have index.html.bak.bak files all over the place. Rename them back to .html.
Do a full manual review of all .php and .ico files, especially ones called "blogs" or "newsletter". While there are some of these in legitimate versions of MODX, they are usually more informative, e.g. blog-attachment-process-snippet.php. Opening them will prove legitimacy or otherwise.
You might well find enormous sitemap.xml files. Kill them too.
Once you've done all that your site should be working.
This will last a few hours before the hacker gets back in, because this is by no means the end of the matter.
Fixing the hacked site is one thing, re-securing it is another. It is common for hacked sites to have little back doors added to the database, and unless you are familiar with MODX's database, it is difficult to see what's good and what's bad. I don't know of any better program than Bob Ray's sitecheck to help you analyse your database. Start with that.
By now you should be kicking yourself about your failure to take backups. None of this is required if you have a clean backup. Restoration of any clean backup, even an old one, is going to be easier than rebuilding the entire site within a secure version of MODX, which is what you are about to have to do.
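The file-system checks from the post (out-of-step directory dates, .ico files that are really PHP, lines injected after the <?php header of index.php, stray .html.bak.bak files) as an added triage script; it is not code from the post or from MODX. The marker list, the 30-day tolerance and the constructed sample tree are this example's assumptions, and the script only reports, so the manual review the post asks for still follows.

```python
import os, statistics, tempfile, time

DAY = 86400
# Marker list is this example's assumption, not a MODX rule.
SUSPECT_MARKERS = (b"eval(", b"base64_decode(", b"gzinflate(")

def _head(path, n=4096):
    """First n bytes: enough to see a <?php tag or lines injected after one."""
    with open(path, "rb") as fh:
        return fh.read(n)

def scan_webroot(root, tolerance_days=30):
    """Apply the post's checks to a webroot and return lists of suspect paths."""
    f = {"odd_dirs": [], "php_ico": [], "index_php": [], "bak_bak": []}
    dir_times = {}
    for dirpath, _, filenames in os.walk(root):
        dir_times[dirpath] = os.stat(dirpath).st_mtime
        for name in filenames:
            p, low = os.path.join(dirpath, name), name.lower()
            head = _head(p)
            if low.endswith(".ico") and b"<?php" in head:
                f["php_ico"].append(p)  # an icon carrying PHP is a script in disguise
            elif low == "index.php" and any(m in head for m in SUSPECT_MARKERS):
                f["index_php"].append(p)  # payload lines right after the <?php header
            elif low.endswith(".html.bak.bak"):
                f["bak_bak"].append(p)  # rename these back to .html
    # Install directories share a date; a lone outlier is where dropped files live.
    ref = statistics.median(dir_times.values())
    f["odd_dirs"] = [p for p, t in dir_times.items() if abs(t - ref) > tolerance_days * DAY]
    return f

def build_sample_webroot():
    """Constructed sample: a backdated install plus one of each sign from the post."""
    root, install = tempfile.mkdtemp(prefix="modx_triage_"), time.time() - 400 * DAY
    files = {
        "index.php": b"<?php\n/* clean MODX-style header */\n",
        "assets/favicon.ico": b"\x00\x00\x01\x00",
        "assets/blogs/blogs.ico": b"<?php eval(base64_decode('CONSTRUCTED'));",
        "manager/index.php": b"<?php\n@eval(gzinflate('CONSTRUCTED'));\n",
        "manager/about.html.bak.bak": b"<html></html>",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    for dirpath, _, _ in os.walk(root):  # date dirs after writing; only blogs/ is recent
        t = time.time() if os.path.basename(dirpath) == "blogs" else install
        os.utime(dirpath, (t, t))
    return root
```

Run `scan_webroot("/path/to/webroot")` against a real install; the sample builder only exists to show the output shape.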