    • 38783
    • 571 Posts
    Could the hosting company have applied any sort of restrictions to the site (like disabling cURL) to limit potential damage to other clients' accounts?

    It might also be worth re-running Setup?
      If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

      email: [email protected] | website: https://andytough.com
      • 3749
      • 24,544 Posts
      Take a quick look at the modx_users table in PhpMyAdmin to make sure there are no bogus users there.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 51020
        • 670 Posts
        Quote from: BobRay at Sep 18, 2018, 06:29 PM
        Take a quick look at the modx_users table in PhpMyAdmin to make sure there are no bogus users there.

        Thanks Bob - no unusual users in that modx_user table thankfully.
          • 51020
          • 670 Posts
          Quote from: andytough at Sep 18, 2018, 04:33 PM
          Could the hosting company have applied any sort of restrictions to the site (like disabling cURL) to limit potential damage to other clients' accounts?

          It might also be worth re-running Setup?

          Thanks Andy,
          I already ran the setup just in case.
          Does disabling cURL stop anything from working in MODX?
          Do you think there's a real risk that the hackers could get into other accounts on my VPS via this site?
            • 3749
            • 24,544 Posts
            Disabling cURL could affect Package Manager, depending on your setup. Some MODX extras use cURL. UpgradeMODX does unless you force it to use fopen, though that probably won't be the case with the upcoming version.
              • 51020
              • 670 Posts
              Quote from: nicboyde at Sep 15, 2018, 07:34 PM
              Quote from: tm2000 at Sep 14, 2018, 06:32 PM

              I had a site go down.

              Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

              In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

              Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

              Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the

              Hi there.
              I followed the process you suggested, and reviewed every individual php and ico file and removed the code which the hackers are injecting.
              Reset up the site from a fresh install - then connected back to the original db.

              I thought that had sorted it - but this morning the php files all have the injected code again, and I have index.php files in directories which shouldn't be there.

              Interestingly - I also have the site installed on a subdomain (which is where I prepared it for the fresh install) and THAT site is fine still.
              So, I'm a little confused as to how they are accessing the files - it doesn't seem as though they have access to the DB - because if they did - the dev site would also be infected, but similarly - if there were some infected files on the dev site before I moved it back - those too would be infected.

              Very confused!!
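The two file-system checks quoted above (an .ico file that is really PHP, and a directory whose date is out of step with the installation dates), as an added example that is not part of the original thread. The function names, the two-day slack, the skipped `cache` directory and the sample tree are assumptions constructed for illustration.

```python
import os
import statistics
import tempfile
from pathlib import Path

ICO_MAGIC = b"\x00\x00\x01\x00"   # first four bytes of a genuine .ico file
PHP_TAGS = (b"<?php", b"<?=")
DAY = 86400

def fake_icons(root):
    """Return .ico files that lack the icon header or contain a PHP open tag."""
    hits = []
    for path in sorted(Path(root).rglob("*.ico")):
        data = path.read_bytes() if path.is_file() else ICO_MAGIC
        if not data.startswith(ICO_MAGIC) or any(t in data for t in PHP_TAGS):
            hits.append(path)
    return hits

def odd_dirs(root, slack_days=2, skip=("cache",)):
    """Return directories whose mtime is over slack_days from the median mtime."""
    mtimes = {}
    for d, _, _ in os.walk(root):
        path = Path(d)
        if not set(path.relative_to(root).parts) & set(skip):
            mtimes[path] = path.stat().st_mtime
    median = statistics.median(mtimes.values())
    return sorted(p for p, m in mtimes.items() if abs(m - median) > slack_days * DAY)

def build_sample(root, install=1_500_000_000, tamper=1_537_000_000):
    """Constructed tree: clean install plus one backdated fake icon."""
    root = Path(root)
    for name in ("assets", "connectors", "manager", "assets/images"):
        (root / name).mkdir(parents=True)
    (root / "assets" / "favicon.ico").write_bytes(ICO_MAGIC + bytes(18))
    bad = root / "assets" / "images" / "favicon_1a2b.ico"
    bad.write_bytes(b"<?php /* constructed placeholder, no payload */ ?>")
    for d, _, files in os.walk(root):
        for f in files:               # file dates copied from neighbours
            os.utime(Path(d) / f, (install, install))
        os.utime(d, (install, install))
    os.utime(bad.parent, (tamper, tamper))   # directory date gives it away
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("fake icons:", fake_icons(tmp))
        print("odd dirs:  ", odd_dirs(tmp))
```

Upload and cache directories change legitimately on a live site, so the `odd_dirs` output is a list of places to inspect by hand, not a verdict.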


                  • 47733
                  • 8 Posts
                  Quote from: nicboyde at Sep 15, 2018, 07:34 PM
                  Quote from: tm2000 at Sep 14, 2018, 06:32 PM

                  I had a site go down.

                  Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

                  In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

                  Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

                  Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the

                  Thank you so much for this helpful information. I found out that my sites had been hacked. Fortunately they had not gone down. There is still one directory in the root called ".ftpquota" containing only a number. Does anyone know what that is, and would it be safe to delete that folder? And also: Is it absolutely safe to delete all content in the core/cache directory?
                    • 3749
                    • 24,544 Posts
                    Yes, deleting the core/cache files (but not the cache directory itself) is fine.

                    You can probably delete the ftpquota file. It's related to having more than one FTP account user, so it might come back. I would download it and take a look in a file editor (e.g. Notepad) to see if it looks suspicious. Important: don't look at it in a browser.

                    Be sure to check in cPanel to make sure there are no FTP or database users you didn't create. Also check the modx_users table in the DB to look for suspicious users.