    I’ve found some strange goings-on in my MODx installation - I noticed some images were missing, and when viewing the source, images and scripts on the homepage are showing their resource paths as being requested from http://www.baidu.com/ rather than my site address. It seems the [(site_url)] has been replaced somehow.

    I’ve searched a database dump and found no reference to baidu, but then I searched the filesystem and found the references in the page cache file. My cache folder has permissions set to 777 - is that correct?

    I am looking further into it. The hack seems fairly innocuous at this stage, as it just creates broken links to scripts and images - so I can’t see what the purpose of that is. However it might be a ’test’ attack designed to see what is changeable and may lead to further, more sinister stuff, so I want to close down the hole ASAP.

    MODX 0.9.6.3-RC1
    PHP 5.2
    APACHE 2.0
    UBUNTU 6

    • Sounds like someone has compromised your account or you are running on a shared server running mod_php without open_basedir restrictions enabled. This allows any other user on that server to modify your files via the Apache user account.

      Also, make sure you have disabled register_globals and/or removed the reflect snippet that was causing problems in the current release.
        Hi OpenGeek - thanks for the reply.
        It’s not a shared server, it’s a custom one, running only 2 sites.
        I don’t know if I’m running mod_php or not... is that the standard Apache module for PHP? If so then it’s most likely. No-one has configured the server much further than the tech who installed Ubuntu.

        phpinfo shows open_basedir set as <empty>, so perhaps I need to put something in there.
        register_globals is definitely off, and I have removed the reflect snippet entirely.


          I’m having the same problem - my site_url is showing up in templates as "http://corp.leadtone.com/" - nothing to do with me or my domain. I’m on Ubuntu as well.
          • Quote from: DaveChild at Jan 13, 2009, 09:56 AM

            I’m having the same problem - my site_url is showing up in templates as "http://corp.leadtone.com/" - nothing to do with me or my domain. I’m on Ubuntu as well.
            The site_url is auto-determined; sounds like your attackers are setting an http_host header on requests to your site and your web server is configured to simply pass through the requested domain. You can keep this from affecting you by simply hardcoding the site_url value, though it would be better to make sure your hosting is configured only to accept requests to valid domains you are hosting.
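The mechanism described in that reply, as an added example (not MODx's own code): a site_url built straight from the request's Host header beside an allow-listed version that falls back to a fixed canonical host, which is what hardcoding site_url achieves. The hostnames www.example.com / example.com are assumed placeholders; the forged value www.baidu.com is the one reported in this thread.

```php
<?php
// Added example, not MODx's own code. It shows why trusting the Host header
// lets a single request poison a cached site_url, and the allow-list fix.
// The example.com hostnames are assumed placeholders for the real site.

// Hosts this installation is allowed to answer for (assumption).
$allowed_hosts  = array('www.example.com', 'example.com');
// Fallback used whenever the request's Host header is not on the list.
$canonical_host = 'www.example.com';

// Vulnerable pattern: site_url is built straight from the request, so a
// client sending "Host: www.baidu.com" gets that value written into the
// page cache and served to every later visitor.
function site_url_unsafe(array $server)
{
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : 'localhost';
    return 'http://' . $host . '/';
}

// Hardened pattern: only an allow-listed host is accepted; anything else
// falls back to the canonical host, so a forged header cannot change it.
function site_url_safe(array $server, array $allowed_hosts, $canonical_host)
{
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host); // ignore a ":port" suffix
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $canonical_host;
    }
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . '/';
}

// Constructed requests: a normal one and one carrying a forged Host header.
$legit  = array('HTTP_HOST' => 'www.example.com');
$forged = array('HTTP_HOST' => 'www.baidu.com');

foreach (array('legit' => $legit, 'forged' => $forged) as $label => $req) {
    printf("%-6s unsafe=%s safe=%s\n", $label,
        site_url_unsafe($req),
        site_url_safe($req, $allowed_hosts, $canonical_host));
}
```

The web-server side of the same fix is a default virtual host that answers requests for unknown Host values with an error page instead of handing them to the MODx site.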
              Thanks OpenGeek. I’m managing the hosting myself (managing might be the wrong word - am learning) and will look at the apache config and check it’s only going to pay attention to the one site that’s supposed to be there!