I've found some strange goings-on in my ModX installation - I noticed some images were missing, and when viewing the source, images and scripts on the homepage are showing their resource paths as being requested from http://www.baidu.com/ rather than my site address. It seems the [(site_url)] has been replaced somehow.
I've searched a database dump and found no reference to baidu, but then I searched the filesystem and found the references in the page cache file. My cache folder has permissions set to 777 - is that correct?
I am looking further into it. The hack seems fairly innocuous at this stage, as it just creates broken links to scripts and images - so I can't see what the purpose of that is. However, it might be a 'test' attack designed to see what is changeable and may lead to further, more sinister stuff, so I want to close down the hole ASAP.
MODX 0.9.6.3-RC1
PHP 5.2
APACHE 2.0
UBUNTU 6
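
The triage described in the post above (grep the cache for the foreign host, then look at the folder permissions) can be scripted. This is an added example, not part of the original post and not MODX code; the site host `example.org`, the file names and the cached markup are constructed sample values.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Absolute URLs inside src/href attributes of cached markup.
ATTR_URL = re.compile(r'(?:src|href)\s*=\s*["\'](https?://[^"\'\s>]+)', re.I)

def host_of(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:          # malformed URL: report it rather than crash
        return "<unparseable>"

def scan_cache(cache_dir, site_host):
    """Return (offsite, writable): sorted (relative path, foreign host) pairs,
    and sorted relative paths whose mode has the world-write bit set."""
    paths = [cache_dir]
    for root, dirs, files in os.walk(cache_dir):
        paths += [os.path.join(root, n) for n in dirs + files]
    offsite, writable = set(), set()
    for path in paths:
        if os.path.islink(path):
            continue
        rel = os.path.relpath(path, cache_dir)
        if os.stat(path).st_mode & stat.S_IWOTH:
            writable.add(rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for url in ATTR_URL.findall(fh.read()):
                    host = host_of(url)
                    if host != site_host and not host.endswith("." + site_host):
                        offsite.add((rel, host))
    return sorted(offsite), sorted(writable)

def demo():
    """Constructed sample: one clean cached page, one rewritten, in a 777 folder."""
    pages = {
        "page1.cache": '<img src="http://www.example.org/assets/images/logo.png">',
        "page2.cache": '<img src="http://www.baidu.com/assets/images/logo.png">'
                       '<script src="http://www.baidu.com/assets/js/site.js"></script>',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, html in pages.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(html)
            os.chmod(os.path.join(d, name), 0o644)
        os.chmod(d, 0o777)
        return scan_cache(d, "example.org")

if __name__ == "__main__":
    print(demo())
```

Run against a real cache folder, pass its path and the site's own host name; any legitimate third-party hosts the templates use will also be listed and need to be ruled out by hand.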