Not sure why you are posting this stuff here tbh. If Hostgator is blaming MODx for the exploit, they need to identify the vector; otherwise, they need to identify the vector before blaming MODx.
I’ve had two out-of-the-box, latest-version Evolution sites compromised with an identical type of attack (document.parser/eval).
Tbh, I am posting this here to give others a heads up, as this is happening to more than just me, and nobody can figure out how it is happening.
http://www.google.com/search?hl=sv&source=hp&q=eval64+hack&aq=f&aqi=&aql=&oq=&gs_rfai=
I don’t know if any type of provisional solution can be created? Guess this is somewhat similar: http://modxcms.com/forums/index.php/topic,40576.msg307614.html#msg307614
Something similar to http://www.oscommerce.com/community/contributions,5914.
Any thoughts?
If someone can identify an attack vector which explains how MODx was used to carry out the attacks on your sites, we will be glad to do whatever is necessary to patch the hole as quickly as possible. But there has not been identification of such a vector and until there is, you need to work with your hosting provider to determine what that vector was. Then they can either close it if it’s a server security breach, or they/you can notify us of the vector details and we’ll follow up. As of this point in time, I am not aware of such a vector in the core MODx Evolution product.
Quote from: sottwell at Oct 31, 2010, 03:42 PM
That’s a pretty general assumption. Hackers will look for the weakest link in any chain of security, using automated tools to try and gain entry onto a server, or reverse engineer open-source software looking for exploits. OSCommerce was hacked not too long ago via the integrated file manager and language utility files. Evo uses eval extensively and has file management features, which make it just as likely a candidate as an insecure server for the source of these exploits. I love this product, but it is frustrating that I could not provide an answer or a solution to my clients affected by this hack, other than an upgrade to Revolution.
Yes, knowing what CMS a site is using lets the hacker know which files to infect, but the CMS is not allowing the original access. That’s a server security breach.
In my experience, most attacks of this type are done through systems with some kind of front-end file upload system or via FTP or other server infrastructure attacks, especially on shared server accounts.