    • 5175
    • 5 Posts
    I am hosting a modx site on a hsphere cluster. The web site is running on IIS (6.0); the MySQL server is FreeBSD. The version of Modx is 0.9.6.3.

    This site was hacked in the past. We ended up reinstalling modx because some hack files were hidden in the modx directories. We also found, from a google search, files we needed to secure to protect the website / modx install. I can no longer find the details from the google search which led us to the files to secure.

    This week the site was hacked/redirected. It actually only became redirected after I activated the HELICON component ISAPI REWRITE. The hack had placed htaccess files in all directories the user (server level) had access to. The file redirected all traffic to yagizmo(dot).com. Once I deleted all the htaccess files from the modx directories the site was back to normal. I noticed that the same htaccess files were in directories above the web folder. This made me think it might be someone/thing with FTP access. There are no log entries for this user so that is not true. I am wondering if anyone has heard of a modx hack that can do this. Does anyone know what files/directories I need to protect (and what settings) to make sure this type of thing does not happen? I know you may need more information. I am a newbie to this so please let me know what you need, and point me in the direction to get it for you, if you don’t think it is obvious where to find it (easily found is relative I know).

    Thanks for any help!
      Chris Burres
      Host of the most popular SEO podcast on iTunes
    • You’re running an ancient version of MODX that should absolutely be upgraded. You likely have outdated versions of add-ons that also have had security updates. Prepare to get hacked again most likely if you keep on this version, since you’ve now been found out. 1.0.5 should be out next week with additional security enhancements.
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
        • 5175
        • 5 Posts
        WOW what a warning, and correct, we have been hacked twice now. In your opinion do we need to go all the way to Revo or is the last version of Evolution good enough? We are using some components, we do lack some expertise, so I am concerned that going to Revolution will add a lot more work. Thanks for your time and consideration.
          Chris Burres
          Host of the most popular SEO podcast on iTunes
        • You can go to the latest version of Evolution (1.0.5 now) and should be fine. You will need to update some calls such as search if you have it, but otherwise should be fine.
            Patrick | Server Wrangler
            About Me: Website | Tweets | MODX Hosting
          • Agreed.
              Ryan Thrash, MODX Co-Founder
              Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
              • 5175
              • 5 Posts
              OK, I appreciate your help. We upgraded to 1.0.5. Is there anything on a winbox that we need to do to secure the site? It got hacked again after the upgrade. The hack is adding htaccess files to every folder and is redirecting users to g -oogl- e. com(sans spaces).
                Chris Burres
                Host of the most popular SEO podcast on iTunes
              • I don’t see how that has anything to do with MODx. Somebody has access to your server to be able to upload or write htaccess files to it. Possibly one of your local client computers got one of those password-sniffing trojans on it and your ftp passwords are compromised.
                  Studying MODX in the desert - http://sottwell.com
                  Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                  Join the Slack Community - http://modx.org
                  • 5175
                  • 5 Posts
                  Again thanks for the help. I thought the same thing, no other sites hacked and there are no entries in the ftp log. To be sure I am all ears and am just trying to exhaust all possibilities. This is one of two sites we have that are Modx. FTP password was changed immediately and is only in the hands of my staff. We did just upgrade to php 5.2.10, if that sparks any ideas.
                    Chris Burres
                    Host of the most popular SEO podcast on iTunes
                  • You might want to try upgrading to php 5.2.17 (or is it 18) just in case the issue is php related. It sounds like they have a backdoor on that site somewhere so make sure everything is updated. Don’t forget some addons (tinymce comes to mind) changed their folder so you might have older snippets/plugins lying around.
                      Patrick | Server Wrangler
                      About Me: Website | Tweets | MODX Hosting
                    • Hi,

                      This could be a number of things. When you noticed the newly created or modified files, did you happen to make a note of the file timestamp?

                      This will help track down the source of the problem. What I tend to do is check FTP logs around that time, and also look at the IIS web log files. In the past when there is an exploit we can usually see the hackers putting the files in via the website, and the IIS logs will show this.

                      Another problem might be that your NTFS security might be incorrect on your wwwroot folder. Could you check and make sure that you don’t have Everyone or Users with modify rights set on the folder?

                      Finally, your remote desktop connection can be compromised. We originally locked down our servers using secureRDP but later on disabled remote desktop completely and instead use logmein, which requires two logins to get into the server.

                      Are you running any other sites on the server?

                      Aaron
                        http://www.onesmarthost.co.uk
                        UK MODX Hosting with love.
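
The timestamp check described in the last reply, sketched as an added example (not code from the thread or from MODX): take the modification time of a dropped htaccess file, find POST requests in the IIS W3C log within a few minutes of it, then list everything else those client IPs requested. The log lines, IP addresses, paths and function names are constructed for illustration; IIS W3C logs record UTC, so convert the file's local timestamp first.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-04-12 09:14:02 198.51.100.7 GET /index.php id=3 200
2011-04-12 09:20:44 203.0.113.25 GET /assets/cache/tmp.php - 200
2011-04-12 09:58:40 203.0.113.25 POST /assets/cache/tmp.php - 200
2011-04-12 10:01:30 198.51.100.7 GET /assets/images/logo.png - 200
2011-04-12 13:20:11 198.51.100.9 POST /manager/index.php a=2 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # directive, blank, or malformed line
        row = dict(zip(fields, parts))
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["ts"] = stamp.replace(tzinfo=timezone.utc)  # W3C logs record UTC
        yield row

def writes_near(text, file_mtime, minutes=5):
    """POST requests within +/- minutes of the dropped file's timestamp."""
    window = timedelta(minutes=minutes)
    return [r for r in parse_w3c(text)
            if r["cs-method"] == "POST" and abs(r["ts"] - file_mtime) <= window]

def activity_of(text, ips):
    """Every request from the given client IPs, to trace earlier probing."""
    return [(r["time"], r["cs-method"], r["cs-uri-stem"])
            for r in parse_w3c(text) if r["c-ip"] in ips]

if __name__ == "__main__":
    # Constructed: .htaccess modified 10:00:00 UTC (convert local time first).
    mtime = datetime(2011, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    suspects = {r["c-ip"] for r in writes_near(SAMPLE_LOG, mtime)}
    for entry in activity_of(SAMPLE_LOG, suspects):
        print(*entry)
```

A script that keeps turning up in these results and is not part of the installed CMS or its add-ons is the first candidate for the backdoor mentioned earlier in the thread.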