Hi,
I have recently discovered a successful hack against my 0.9.6.2-based website. I am not sure how the hack has been executed, but it appears to be specifically MODx-related, as the symptoms cannot be replicated when serving PHP pages outside of MODx.
The attack has appended the following HTML to the end of every page:
<style> .love {display:none}</style><p class="love">
<a href="http://www.artfromscrap.org/?p=769" title="cialis usa">cialis usa</a>
<a href="http://www.artfromscrap.org/?p=842" title="cialis 5 mg for sale">cialis 5 mg for sale</a>
<a href="http://www.artfromscrap.org/?p=753" title="active ingredient in cialis">active ingredient in cialis</a>
<a href="http://www.artfromscrap.org/?p=921" title="cialis generika rezeptfrei">cialis generika rezeptfrei</a>
<a href="http://www.artfromscrap.org/?p=504" title="cialis tadalafil">cialis tadalafil</a>
<a href="http://www.artfromscrap.org/?p=534" title="cheap generic drugs viagra cialis levitra">cheap generic drugs viagra cialis levitra</a>
<a href="http://www.artfromscrap.org/?p=1119" title="comprare cialis">comprare cialis</a>
...
<a href="http://www.artfromscrap.org/?p=701" title="how does cialis work">how does cialis work</a>
<a href="http://www.artfromscrap.org/?p=832" title="acquistare cialis generico">acquistare cialis generico</a>
</p>
<?
N.B. the URL is also a compromised server (I have contacted the owners).
We are in the process of preparing an upgrade to the latest version of Evolution, which will hopefully close the exploit, but at present I am unable to remove the injected code. Has anyone experienced the same attack, or have any suggestions as to how I could get rid of it?
Due to the location at the end of the HTML, I expected an SQL injection hack to append to the templates or to introduce/modify a plugin or module that could alter $modx->documentOutput. Checking the templates and disabling all modules and plugins had no effect.
The additional html does not appear in the individual page cache files.
I have searched through the database dumps for any occurrence of the strings in the appended code, or of include or require functions, to no effect. The injection is definitely being performed server side.
If anyone has experienced a similar attack or has any suggestions as to how this is being done please let me know.
Many Thanks
Steve
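As an added example (not part of Steve's post or of MODx), the script below checks served HTML for the exact pattern the post describes: a <style> rule that hides a class with display:none, a block of that class stuffed with links to another host, and a stray PHP open tag left at the end of the output. It is written as a detector for a site owner who wants to confirm whether the injection is still present after a change (a plugin disabled, a file restored) without eyeballing page source. The site host "example.org" and the sample page are constructed; the link paths come from the markup quoted in the post.

```python
"""Detect hidden link-spam appended to served HTML.

Added example, not code from the forum post or from MODx. Two checks:
  1. external links inside an element hidden by a <style> rule or inline
     style (display:none), which is how the quoted spam block is hidden;
  2. a raw PHP open tag ("<?") trailing the document, as seen in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the injected markup quoted in the post.
# "example.org" stands for the compromised site's own host.
SAMPLE_HTML = """<html><head><title>Home</title></head><body>
<a href="http://example.org/about">About</a>
<style> .love {display:none}</style><p class="love">
<a href="http://www.artfromscrap.org/?p=769" title="cialis usa">cialis usa</a>
<a href="http://www.artfromscrap.org/?p=842" title="cialis 5 mg for sale">cialis 5 mg for sale</a>
</p>
<?"""

STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
HIDDEN_CLASS = re.compile(r"\.([\w-]+)\s*\{[^}]*display\s*:\s*none", re.I)
TRAILING_PHP_TAG = re.compile(r"<\?(?:php)?\s*$")
# Elements that never get a closing tag; they must not affect nesting depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def hidden_classes(html):
    """Collect class names that any <style> rule hides with display:none."""
    found = set()
    for css in STYLE_BLOCK.findall(html):
        found.update(HIDDEN_CLASS.findall(css))
    return found


class HiddenLinkScanner(HTMLParser):
    """Record <a href> links to foreign hosts that sit inside a hidden element."""

    def __init__(self, hidden, site_host):
        super().__init__()
        self.hidden = hidden
        self.site_host = site_host.lower()
        self.depth = 0            # nesting depth of currently open non-void elements
        self.hidden_from = None   # depth at which the enclosing hidden element opened
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        inline = (a.get("style") or "").replace(" ", "").lower()
        if self.hidden_from is None and (classes & self.hidden or "display:none" in inline):
            self.hidden_from = self.depth
        if self.hidden_from is not None and tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host and host != self.site_host:   # relative/own-host links are fine
                self.links.append(a["href"])
        if tag not in VOID:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        self.depth -= 1
        # Leaving the hidden element: everything after it is visible again.
        if self.hidden_from is not None and self.depth <= self.hidden_from:
            self.hidden_from = None


def scan_page(html, site_host):
    """Return findings for one page of served HTML (as fetched, not cached)."""
    hidden = hidden_classes(html)
    scanner = HiddenLinkScanner(hidden, site_host)
    scanner.feed(html)
    scanner.close()
    return {
        "hidden_classes": sorted(hidden),
        "hidden_external_links": scanner.links,
        "trailing_php_tag": bool(TRAILING_PHP_TAG.search(html)),
    }


if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_HTML, "example.org").items():
        print(f"{key}: {value}")
```

Run it against the raw response body of a few pages (curl output, not the cache files, since the post notes the cache is clean); a non-empty hidden_external_links list or trailing_php_tag set to True means the injection is still active on that request path.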