We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
    • 13137
    • 204 Posts
    Quote from: OpenGeek at Oct 30, 2010, 02:41 PM

    Not sure why you are posting this stuff here tbh. If Hostgator is blaming MODx for the exploit, they need to identify the vector; otherwise, they need to identify the vector before blaming MODx.

    Tbh, I am posting this here to give others a heads up, as this is happening to more than just me, and nobody can figure out how it is happening.
    I am just trying to give what ever info I can so others can be aware of this and maybe we can all find a solution.
      • 6228
      • 249 Posts
      Quote from: islander at Oct 30, 2010, 03:52 PM

      Tbh, I am posting this here to give others a heads up, as this is happening to more than just me, and nobody can figure out how it is happening.
      I’ve had two out-of-the-box, latest-version Evolution sites compromised with an identical type of attack (document.parser/eval).

      It is alarming that Evo is still available for download during this period of sites being hacked-- in the most severe of ways. Personally, I think the download should be disabled and the code should undergo a thorough security audit to identify the vector(s) used in the exploit. It’s extreme, and understandably costly in both time and money, but the alternative is a growing reputation for providing an exploitable product. I, for one, no longer trust Evolution in its current release, nor recommend it for any but the most basic sites.

      I know the core developers have their hands absolutely full working on Revolution, but Evolution desperately needs some love in the security department.
        lo9on.com

        MODx Evolution/Revolution | Remote Desktop Training | Development
        • 20413
        • 2,877 Posts
        http://www.google.com/search?hl=sv&source=hp&q=eval64+hack&aq=f&aqi=&aql=&oq=&gs_rfai=
          @hawproductions | http://mrhaw.com/

          Infograph: MODX Advanced Install in 7 steps:
          http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

          Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
          http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
          • 38162
          • 97 Posts
          Quote from: mrhaw at Oct 30, 2010, 07:36 PM

          http://www.google.com/search?hl=sv&source=hp&q=eval64+hack&aq=f&aqi=&aql=&oq=&gs_rfai=

          Good point, but this gets you ’a few’ more. tongue

          I might be wrong, but after reading through all posts, this seems to be injected through some higher access levels rather than just through some MODx snippets. It seems like it is just using the CMS as a portal to the web, but something else as an entry.

          Just my guess, I certainly might be wrong. :f
            • 13137
            • 204 Posts
            I don’t know if any type of provisional solution can be created?
            Something similar to http://www.oscommerce.com/community/contributions,5914.

            Any thoughts?
            • Yes, knowing what CMS a site is using lets the hacker know which files to infect, but the CMS is not allowing the original access. That’s a server security breach.
                Studying MODX in the desert - http://sottwell.com
                Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                Join the Slack Community - http://modx.org
                • 26931
                • 2,314 Posts
                I don’t know if any type of provisional solution can be created?
                Something similar to http://www.oscommerce.com/community/contributions,5914.
                Any thoughts?
                guess this is somewhat similar: http://modxcms.com/forums/index.php/topic,40576.msg307614.html#msg307614
                  • 6228
                  • 249 Posts
                  Quote from: sottwell at Oct 31, 2010, 03:42 PM

                  Yes, knowing what CMS a site is using lets the hacker know which files to infect, but the CMS is not allowing the original access. That’s a server security breach.
                  That’s a pretty general assumption. Hackers will look for the weakest link in any chain of security, using automated tools to try and gain entry onto a server, or reverse engineer open-source software looking for exploits. OSCommerce was hacked not too long ago via the integrated file manager and language utility files. Evo uses eval extensively and has file management features, which make it just as likely a candidate as an insecure server for the source of these exploits. I love this product, but it is frustrating that I could not provide an answer or a solution to my clients affected by this hack, other than an upgrade to Revolution.
                    lo9on.com

                    MODx Evolution/Revolution | Remote Desktop Training | Development
                  • Quote from: cyclissmo at Oct 31, 2010, 07:45 PM

                    Quote from: sottwell at Oct 31, 2010, 03:42 PM

                    Yes, knowing what CMS a site is using lets the hacker know which files to infect, but the CMS is not allowing the original access. That’s a server security breach.
                    That’s a pretty general assumption. Hackers will look for the weakest link in any chain of security, using automated tools to try and gain entry onto a server, or reverse engineer open-source software looking for exploits. OSCommerce was hacked not too long ago via the integrated file manager and language utility files. Evo uses eval extensively and has file management features, which make it just as likely a candidate as an insecure server for the source of these exploits. I love this product, but it is frustrating that I could not provide an answer or a solution to my clients affected by this hack, other than an upgrade to Revolution.
                    If someone can identify an attack vector which explains how MODx was used to carry out the attacks on your sites, we will be glad to do whatever is necessary to patch the hole as quickly as possible. But there has not been identification of such a vector and until there is, you need to work with your hosting provider to determine what that vector was. Then they can either close it if it’s a server security breach, or they/you can notify us of the vector details and we’ll follow up. As of this point in time, I am not aware of such a vector in the core MODx Evolution product.

                    In my experience, most attacks of this type are done through systems with some kind of front-end file upload system or via FTP or other server infrastructure attacks, especially on shared server accounts.
                      • 36447
                      • 98 Posts
                      In my experience, most attacks of this type are done through systems with some kind of front-end file upload system or via FTP or other server infrastructure attacks, especially on shared server accounts.

                      Has anyone on a dedicated experienced this hack?