-
- 654 Posts
This happened to me a couple of weeks ago as well. But at the time I didn’t believe it was the site.
Matt
I can’t find that script on that page. I’m confused! There was an instance months ago where something had been corrupted; could it possibly be cached in an ISP’s proxy?
Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
-
- 171 Posts
I’m not getting it anymore either but I had seen the same behavior with my own site the was hacked a few months ago. The malware I encountered did some kind of browser and crawler detection to avoid getting the site flagged by google and used a combination of cookies and random numbers to decide if to put the script in the page. They are getting clever these days.
View your cookies for modxcms.com and see if there is one that starts with d41d8cd98f0... that would give you a good clue whether or not something is wrong.
I suggest you grep the sites php files for ’eval’ and ’base64_decode’ as those functions are usually used to hide the malware in your files.
-
- 654 Posts
@rthrash : When my colleague first went to the Extras site on an old PC and error messaage came up but it didn’t get infected. Not sure why, except that it’s a very old XP box. On a different, newer machine the malware was introduced.
I just checked and found that a cached version of the MODX page generated on the old machine was still available. I’ll PM you with a screenshot showing the message, which should be useful.
Command line wget, windows xp IE 6, and Mac OS X Safari do not see any of these document.write lines - PM the screenshot to me, if you could, and let me take a look.
Thanks!
- Kevin
Kevin Marvin :: MODX, LLC
-
- 654 Posts
@rthrash, kevin.marvin : Screenshot sent via email
*sigh* ... SMF ... this should be fixed again, and will be permanently so when we finally migrate off this forum software.
Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me