    Hi,

    I have recently discovered a successful hack against my 0.9.6.2 based website. I am not sure how the hack has been executed but it appears to be specifically modx related as the symptoms cannot be replicated when serving php pages outside of modx.

    The attack has appended the following html to the end of every page

    <style> .love {display:none}</style><p class="love">
    <a href="http://www.artfromscrap.org/?p=769" title="cialis usa">cialis usa</a>
    <a href="http://www.artfromscrap.org/?p=842" title="cialis 5 mg for sale">cialis 5 mg for sale</a>
    <a href="http://www.artfromscrap.org/?p=753" title="active ingredient in cialis">active ingredient in cialis</a>
    
    <a href="http://www.artfromscrap.org/?p=921" title="cialis generika rezeptfrei">cialis generika rezeptfrei</a>
    <a href="http://www.artfromscrap.org/?p=504" title="cialis tadalafil">cialis tadalafil</a>
    <a href="http://www.artfromscrap.org/?p=534" title="cheap generic drugs viagra cialis levitra">cheap generic drugs viagra cialis levitra</a>
    <a href="http://www.artfromscrap.org/?p=1119" title="comprare cialis">comprare cialis</a>
    
    ...
    
    <a href="http://www.artfromscrap.org/?p=701" title="how does cialis work">how does cialis work</a>
    <a href="http://www.artfromscrap.org/?p=832" title="acquistare cialis generico">acquistare cialis generico</a>
    </p>
    
    <?
    


    n.b the URL is also a compromised server (I have contacted the owners).

    We are in the process of preparing an upgrade to the latest version of Evolution, which will hopefully close the exploit, but at present I am unable to remove the injected code. Has anyone experienced the same attack or have any suggestions as to how I could get rid of it?


    Due to the location at the end of the html I expected an sql injection hack to append to the templates or introduce/modify a plugin or module that could alter $modx->documentOutput. Checking the templates and disabling all modules and plugins had no effect.

    The additional html does not appear in the individual page cache files.

    I have searched through the database dumps for any occurrence of the strings in the appended code or of include or require functions, to no effect. The injection is definitely being performed server side.


    If anyone has experienced a similar attack or has any suggestions as to how this is being done please let me know.

    Many Thanks
    Steve

    • It could be in the index.php file, or perhaps somewhere in the site cache or the config.inc.php file.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • did you use any form inputs?

        Disabling all the elements is not useful anymore.
        Neither is upgrading.
        They are sitting in your database already.

        Quote from: stevs at Jul 26, 2010, 05:51 PM

        I have searched through the database dumps for any occurrence of the strings in the appended code or of include or require functions, to no effect. The injection is definitely being performed server side.
        Perhaps you searched for the wrong string.
        Try an encoded one.
          Rico
          Genius is one percent inspiration and ninety-nine percent perspiration. Thomas A. Edison
          MODx is great, but knowing how to use it well makes it perfect!

          www.virtudraft.com

          Security, security, security! | Indonesian MODx Forum | MODx Revo's cheatsheets | MODx Evo's cheatsheets

          Author of Easy 2 Gallery 1.4.x, PHPTidy, spieFeed, FileDownload R, Upload To Users CMP, Inherit Template TV, LexRating, ExerPlan, Lingua, virtuNewsletter, Grid Class Key, SmartTag, prevNext

          Maintainer/contributor of Babel

          Because it's hard to follow all topics on the forum, PING ME ON TWITTER @_goldsky if you need my help.
          Man I’m so sorry to hear about the hack.

          You can try restarting your web server. Scripts can be set to run continuously and silently in the background.

          Definitely check server logs. At the least you may be able to determine the point of entry.

          Please keep us informed of your findings.

          Mike
            lo9on.com

            MODx Evolution/Revolution | Remote Desktop Training | Development
            Many thanks for the replies. It turned out to be plain text included in the index.php file. I have no idea how I missed this yesterday, but that’s the advantage of a night’s sleep. It appears that some holes have been made in our firewall and we have tracked down a trojan on the server. It therefore looks as though this may have been a generalized Windows attack and not targeted at/through ModX. My only recommendation from this experience, apart from, of course, auditing security regularly, is to lock down write permissions on your index.php as much as possible.
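Steve's finding (the spam block sat as plain text at the tail of index.php) and Rico's tip (search for an encoded form of the string, not just the literal) can be combined into a small scanner for a webroot. The following is an added example, not code from this thread or from the MODX project; the sample file contents are constructed, with a placeholder domain and paths, and the checks are heuristics meant to point you at files to inspect by hand.

```python
import base64
import os
import re

# Constructed stand-in for an infected index.php: the hidden spam block is appended after the closing PHP tag, as the thread describes.
INFECTED = """<?php
require_once 'manager/includes/config.inc.php';
?>
<style> .love {display:none}</style><p class="love">
<a href="http://example.invalid/?p=769" title="cialis usa">cialis usa</a></p>
<?"""
# Constructed: the same markup inside a base64 blob, which a plain grep for "cialis" misses.
ENCODED = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(b"<p class=x>cialis</p>").decode()

HIDDEN_CSS = re.compile(r"display\s*:\s*none", re.I)
SPAM_WORDS = re.compile(r"\b(cialis|viagra|levitra)\b", re.I)
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def base64_needles(needle: bytes) -> list[str]:
    """Base64 of `needle` at each of the 3 byte alignments, minus chars that also encode neighbouring bytes."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode().rstrip("=")
        end = len(enc) - (1 if (k + len(needle)) % 3 else 0)  # last char shares bits with the next byte
        out.append(enc[(0, 2, 3)[k]:end])                      # leading chars share bits with the pad bytes
    return out

def scan_php(text: str, needles=("cialis", "display:none")) -> list[str]:
    findings = []
    if HIDDEN_CSS.search(text) and SPAM_WORDS.search(text):
        findings.append("hidden spam-link block")
    _, sep, tail = text.rpartition("?>")
    if sep and tail.strip():  # a front controller such as index.php should end at its closing tag
        findings.append("content after final ?>")
    if OBFUSCATION.search(text):
        findings.append("obfuscation wrapper")
    for n in needles:
        if any(b in text for b in base64_needles(n.encode())):
            findings.append("base64-encoded %r" % n)
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:  # walk a webroot; map each .php file with findings to them
    report = {}
    for d, _, fs in os.walk(root):
        for p in (os.path.join(d, f) for f in fs if f.endswith(".php")):
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits = scan_php(fh.read())
            if hits:
                report[p] = hits
    return report
```

Run scan_tree against a copy of the webroot rather than the live site, and compare anything it flags with a known-good backup of the same file before editing.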
            • Good news that you have spotted where the trojan came from, I would also advise that you upgrade MODx to one of the latest EVO Versions as there has been security alerts with the version you are currently running.

              http://modxcms.com/forums/index.php/board,202.0.html

              Aaron
                http://www.onesmarthost.co.uk
                UK MODX Hosting with love.
                Hello,

                Yes, firewall rules and everything around compartmentalisation are real priorities when deploying IT systems, for web applications or for anything else.

                Good luck!
                • Hopefully you had a backup -- it’s one of the most important security aspects:
                  http://tipsfor.us/2010/05/10/basic-web-security/