    • 15877
    • 55 Posts
    I have just found something quite disturbing on one of my MODx websites.
    It is a series of pages titled FaTaLisTiCz_Fx Fx29SheLL which look like a hacking management console. They contain all kinds of information on the server and allow the upload of files, etc.

    I found this kind of page in several different areas inside the manager and assets folders on this website. Other files seem to have been added, all in MODx folders (manager/actions, manager/includes, etc.).
    The guys used this to place various phishing pages on the server.
    I am currently deleting everything suspect.

    I have yet to find where this came from but the fact that the files were only in the MODx directories is quite disturbing.

    Has anyone had this kind of issue with a MODx website?



    • What directories are the files in? Are these text items in the DB? Are you on a shared server? I’m not a security expert but often these types of things come from scripts that are unleashed on an incorrectly configured shared server where a hacked account could allow permissions on any other account.

      Please post more detail so that it may be isolated. It may be a case where your host knows the origin too.

      Cheers,

      jay
        Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician.
        • 16034
        • 107 Posts
        It could be related to http://modxcms.com/forums/index.php/topic,30850.msg187081.htm

        Do you have register_globals enabled on your site? (It is AFAIK required for above issue)
          MODx snippet-glossary 101:
          Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
          • 15877
          • 55 Posts
          I found files in
          /manager
          /manager/frames
          /manager/includes
          and in other folders, all part of MODx.

          The website is on a shared server, but it is well monitored. I will let their support know about this.

          And yes, register_globals is enabled.
          I had planned to ask them to move it to a PHP5 server, but need to check that all the apps I run on this one work with PHP5.
            • 7923
            • 4,213 Posts
            What MODx version are you running?


              "He can have a lollipop any time he wants to. That's what it means to be a programmer."
              • 15877
              • 55 Posts
              I am running 9.6.2

              Just found other files in the
              /assets/snippets/reflect/
              folder
              • I've just noticed this in my web logs:

                http://secunia.com/Advisories/32824/
                  http://www.onesmarthost.co.uk
                  UK MODX Hosting with love.
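
Added example, not part of any post in this thread: instead of hunting for suspect files by eye across /manager and /assets, hash the live tree and compare it with a clean copy of the same MODx release unpacked elsewhere. The function names, directory layout and sample files below are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root, subdirs):
    """Map relative path -> SHA-256 for every file under root/<subdir>."""
    root = Path(root)
    hashes = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def diff_against_clean(site_root, clean_root, subdirs=("manager", "assets")):
    """Return files that are added or modified compared with a clean copy."""
    live = file_hashes(site_root, subdirs)
    clean = file_hashes(clean_root, subdirs)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return {"added": added, "modified": modified}

def build_constructed_demo(tmp):
    """Constructed sample trees: file names and contents are made up."""
    clean, live = Path(tmp) / "clean", Path(tmp) / "live"
    for root in (clean, live):
        (root / "manager" / "includes").mkdir(parents=True)
        (root / "assets" / "snippets" / "reflect").mkdir(parents=True)
        (root / "manager" / "index.php").write_text("<?php // manager entry\n")
        (root / "manager" / "includes" / "config.php").write_text("<?php // cfg\n")
    # Simulate the incident: two dropped files and one altered core file.
    (live / "manager" / "includes" / "extra.php").write_text("<?php // unknown\n")
    (live / "assets" / "snippets" / "reflect" / "x.php").write_text("<?php // unknown\n")
    (live / "manager" / "index.php").write_text("<?php // manager entry (changed)\n")
    return live, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_constructed_demo(tmp)
        for kind, paths in diff_against_clean(live, clean).items():
            for p in paths:
                print(f"{kind:9} {p}")
```

On a real site, the local configuration file and uploaded media will show up as expected differences; everything else in the report deserves a look, and modified core files matter as much as added ones.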