    • 47717
    • 144 Posts
    Hi,

    For the 4th time, my whole VPS server, including all the other sites on it, has been infected with viruses through Modx :(

    The previous time, it was through Image+ issue, which was fixed in an update of that plugin.

    Now it was through the Gallery Plugin with Modx 2.7.0 :
    Shell:PHP/Filehacker.A (Shell)
    /public_html/assets/components/gallery/cache/_home_deb57431n2_domains_test.fr_public_html_.ccfd0c12bb35bbd91d179d0cae090e66.php
    Shell:PHP/Filehacker.A (Shell)
    /public_html/assets/components/gallery/cache/_home_deb57431n2_domains_test.fr_public_html_.b7e3a964094cfe6e29fc9228bad6e7b2.php


    Modx used to be safe in the past, but now I am afraid to use it for security reasons.
    Unlike wordpress, it doesn't even have a security or malware scanning plugin.

    Please help with this!
      • 17301
      • 932 Posts
      what version of gallery are you running ?
        ■ email: [email protected] | ■ website: https://alienbuild.uk

        The greatest compliment you can give back to us, is to spend a few seconds leaving a rating at our trustpilot: https://uk.trustpilot.com/review/alienbuild.uk about the service we provided. We always drop mention of services offered by businesses we've worked with in the past to those of interest.
        • 47717
        • 144 Posts
        I run the latest version of the Gallery plugin.

        How is this possible ?

        Look above in which folder the virus was injected through the Gallery Plugin ...
          • 3749
          • 24,544 Posts
          Is it possible that there's a back door left from a previous hack? That's fairly common and it could have been in a file in the gallery directory if you didn't completely remove Gallery and delete all files in its directories.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            • 44195
            • 293 Posts
            If you're running the latest version of Gallery and the latest version of MODX core then I agree with BobRay that it's most likely you missed something left behind by the previous hack. Perhaps something in the cache?
              I'm lead developer at Digital Penguin Creative Studio in Hong Kong. https://www.digitalpenguin.hk
              Check out the MODX tutorial series on my blog at https://www.hkwebdeveloper.com
              • 47717
              • 144 Posts
              Quote from: muzzstick at Feb 11, 2019, 04:04 AM
              If you're running the latest version of Gallery and the latest version of MODX core then I agree with BobRay that it's most likely you missed something left behind by the previous hack. Perhaps something in the cache?

              Hi,

              It was a more recent file, so not from previous hacks.

              However, it could not spread to other folders this time, luckily. So that dirty php virus stayed in
              assets/components/gallery/cache/

              Is it possible to prevent php code execution from cache and file folders ?

              Because in previous hacks, the virus spread itself by injecting code-scripts from that one php file, and inserting and changing all sorts of other php & htaccess files elsewhere. It even prepended trojan code in existing php files (I guess it was not them Russians ;) ).

              thanks



                • 3749
                • 24,544 Posts
                For starters, I'd suggest uninstalling and then removing *every* version of Gallery in Package Manager. Then delete assets/components/gallery and core/components/gallery if they still exist. If you have any images in those directories, save them somewhere and analyze them with a virus checker. Then re-download and re-install Gallery (or some other gallery plugin).

                I would also move the core directory above the web root if you haven't done so already, as described here: https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution.

                Putting this in an .htaccess file will prevent the execution of .php files in that directory and the ones below it, but be careful because it can also break MODX or some MODX extras.

                <Files *.php>
                    Order Deny,Allow
                    Deny from all
                </Files>


                If it's in a place where there shouldn't be any .php files, though, it should prevent attacks via .php files placed there. OTOH, if an attacker can place a .php file on your site, you need to fix something.

                As of Apache 2.4, a different method applies:

                http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require



                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
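The two points above (blocking PHP execution in a cache or upload folder, and checking whether any .php files are already sitting there) combined into one small POSIX shell helper. This is an added example, not code from the thread or from MODX; the .htaccess it writes covers both the Apache 2.2 Order/Deny form quoted above and the Apache 2.4 Require form, and it also matches .phtml, which the thread does not mention. Directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hardening helper for directories such as
# assets/components/gallery/cache that should never serve PHP.

# Write an .htaccess that denies direct requests for PHP-like files in this
# directory and everything below it. Both Apache 2.2 and 2.4 syntaxes are
# included; <IfModule> picks the one the running server understands.
write_deny_php_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Block execution of PHP in this directory tree (cache / upload folder).
<FilesMatch "\.(php|phtml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# List PHP-like files under a directory that should contain none.
# Prints each path found; returns 1 when something was found, else 0,
# so the result can drive a cron alert or a deploy check.
find_stray_php() {
    dir="$1"
    found=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage (assumed site layout): harden and audit the gallery cache directory.
# write_deny_php_htaccess /home/site/public_html/assets/components/gallery/cache
# find_stray_php /home/site/public_html/assets/components/gallery/cache || echo "review the files listed above"
```

The .htaccess only takes effect if the vhost allows overrides for that directory (AllowOverride), and, as noted above, any extra that legitimately serves PHP from under assets/ will break, so test the site after applying it.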