  • Hi,

    For the 4th time, my whole VPS server, including all the other sites on it, has been infected with viruses through Modx :(

    The previous time, it was through Image+ issue, which was fixed in an update of that plugin.

    Now it was through the Gallery Plugin with Modx 2.7.0:
    Shell:PHP/Filehacker.A (Shell)
    /public_html/assets/components/gallery/cache/_home_deb57431n2_domains_test.fr_public_html_.ccfd0c12bb35bbd91d179d0cae090e66.php
    Shell:PHP/Filehacker.A (Shell)
    /public_html/assets/components/gallery/cache/_home_deb57431n2_domains_test.fr_public_html_.b7e3a964094cfe6e29fc9228bad6e7b2.php


    Modx used to be safe in the past, but now I am afraid to use it for security reasons.
    Unlike WordPress, it doesn't even have a security or malware scanning plugin.

    Please help with this!
    • What version of Gallery are you running?
        ■ email: lk@alienbuild.uk | ■ website: https://alienbuild.uk

        The greatest compliment you can give back to us, is to spend a few seconds leaving a rating at our trustpilot: https://uk.trustpilot.com/review/alienbuild.uk about the service we provided. We always drop mention of services offered by businesses we've worked with in the past to those of interest.
      • I run the latest version of the Gallery plugin.

        How is this possible?

        Look above in which folder the virus was injected through the Gallery Plugin ...
        • Is it possible that there's a back door left from a previous hack? That's fairly common and it could have been in a file in the gallery directory if you didn't completely remove Gallery and delete all files in its directories.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
          • If you're running the latest version of Gallery and the latest version of MODX core then I agree with BobRay that it's most likely you missed something left behind by the previous hack. Perhaps something in the cache?
              I'm lead developer at Digital Penguin Creative Studio in Hong Kong. https://www.digitalpenguin.hk
              Check out the MODX tutorial series on my blog at https://www.hkwebdeveloper.com
            • Quote from: muzzstick at Feb 11, 2019, 04:04 AM
              If you're running the latest version of Gallery and the latest version of MODX core then I agree with BobRay that it's most likely you missed something left behind by the previous hack. Perhaps something in the cache?

              Hi,

              It was a more recent file, so not from previous hacks.

              However, it could not spread to other folders this time, luckily. So that dirty php virus stayed in
              assets/components/gallery/cache/

              Is it possible to prevent php code execution from cache and file folders?

              Because in previous hacks, the virus spread itself by injecting code-scripts from that one php file, and inserting and changing all sorts of other php & htaccess files elsewhere. It even prepended trojan code in existing php files (I guess it was not them Russians ;)

              thanks



              • For starters, I'd suggest uninstalling and then removing *every* version of Gallery in Package Manager. Then delete assets/components/gallery and core/components/gallery if they still exist. If you have any images in those directories, save them somewhere and analyze them with a virus checker. Then re-download and re-install Gallery (or some other gallery plugin).

                I would also move the core directory above the web root if you haven't done so already, as described here: https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution.

                Putting this in an .htaccess file will prevent the execution of .php files in that directory and ones below it, but be careful because it can also break some MODX extras.

                # Deny every request for a .php file in this directory and below (Apache 2.2 syntax)
                <Files *.php>
                    Order Deny,Allow
                    Deny from all
                </Files>


                If it's in a place where there shouldn't be any .php files, though, it should prevent attacks via .php files placed there. OTOH, if an attacker can place a .php file on your site, you need to fix something.

                As of Apache 2.4, a different method applies:

                http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require
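                The same rule written for the Apache 2.4 `Require` syntax linked above, with a fallback so the one file also works on a 2.2 server. This is an added example, not code from BobRay's post or from the MODX project; it assumes the file is saved as `assets/components/gallery/cache/.htaccess` on a host where `AllowOverride` permits `Limit`/`AuthConfig` and `Options` directives, and it must not be placed at the web root, where MODX's own `index.php` and connectors have to run.

                ```apache
                # .htaccess for a cache/upload directory that must never serve PHP
                # (added example; path assets/components/gallery/cache/ is taken from the thread above)

                # Apache 2.4: mod_authz_core is present, so use Require
                <IfModule mod_authz_core.c>
                    <FilesMatch "\.(php|phtml|phar)$">
                        Require all denied
                    </FilesMatch>
                </IfModule>

                # Apache 2.2: mod_authz_core does not exist, so fall back to Order/Deny
                <IfModule !mod_authz_core.c>
                    <FilesMatch "\.(php|phtml|phar)$">
                        Order Deny,Allow
                        Deny from all
                    </FilesMatch>
                </IfModule>

                # Belt and braces when PHP runs as mod_php: switch the engine off for this
                # directory tree so a file that slips past the pattern above is still served
                # as plain text rather than executed. Ignored under PHP-FPM/FastCGI, where the
                # FilesMatch blocks above still apply.
                <IfModule mod_php7.c>
                    php_flag engine off
                </IfModule>

                # Do not list the directory contents either
                Options -Indexes
                ```

                After dropping the file in place, request one of the cache paths quoted earlier in the thread in a browser: a 403 confirms the deny rule is being honoured; a 200 or a blank page means `AllowOverride` is too restrictive on that host and the same directives belong in the vhost configuration instead. Keep the check in your notes, because a future Gallery or MODX upgrade that recreates the cache directory can silently drop the `.htaccess` with it.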


