    I’ve kind of inherited a site built with MODx 0.9.2.1 that is getting flagged by Safari’s new malware detector. When checking the source code, I noticed six iframes loading suspicious domains appearing after the /HTML tag.

    So, I checked the relevant template in the manager, and there’s nothing but a blank line there.

    Any ideas how this is occurring and how to stop it?? Any help would be greatly appreciated!
      Rafael
      Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect. Look at this post for more info: http://modxcms.com/forums/index.php/topic,30850.0.html

      and here for the official notice: http://modxcms.com/forums/index.php/topic,30875.0.html

      I will go ahead and say since someone is bound to do it, you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962.
        Shane Sponagle | [wiki] Snippet Call Anatomy | MODx Developer Blog | [nettuts] Working With a Content Management Framework: MODx

        Something is happening here, but you don't know what it is.
        Do you, Mr. Jones? - [bob dylan]
        Quote from: dev_cw at Dec 12, 2008, 01:01 PM

        Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
        Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

        Here’s my list of installed Snippets:

          AListApart - Drop down menu snippet
          cloak - Use this to cloak emails in template variables
          ContactForm - Simple, configurable XHTML-validating contact form for delivery to email accounts.
          DateTime - Outputs the current date and time to the page.
          dropdown - Create a select box of sub pages
          DropMenu - Robust and configurable XHTML-validating menu and site map builder. Output an unordered list.
          FlexSearchForm - Robust site search with like and partial matching.
          gallerydropdown - Select box for photo stories
          GetStats - Fetches the visitor statistics totals from the database
          MemberCheck - Selectively show chunks based on logged in Web User’ group memberships.
          menu - Old Static Menu
          NewsFeed - Enable RSS2 news feed from your website.
          NewsLetter
          NewsListing - Updated: Versatile news/article display system.
          NewsPublisher - Updated: Publish news articles directly from the web.
          PageTrail - Outputs the page trail, based on Bill Wilson’s script
          Personalize - Basic personalization for web users.
          PoweredBy - A little link to MODx
          UserComments - Updated: Add user comments to any document.
          WebChangePwd - Web User Change Password Snippet
          WebLogin - Updated: Web User Login Snippet
          WebSignup - Web User Signup Snippet

        Quote from: dev_cw at Dec 12, 2008, 01:01 PM

        ...you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962

        I definitely plan to upgrade, but I’m wondering if an upgrade will automagically fix the issue. It seems more prudent to remove any offending code or whatever is causing/allowing the issue before upgrading, but I simply haven’t a clue how this trick is being accomplished. Is it possible that the server (Yahoo hosting) is infected and ’flowing in’ these iframes when parsing the PHP somehow?

        One last thing -- as a tester, do you have any idea if there’s an ETA for 0.9.6.3?
        It would be big time-saver to just upgrade once if it’ll be released soon.


        [Edit: Attached relevant PHP config as an HTML file... you may need to remove the TXT extension to view properly]
          Rafael
          The first thing you really need to change is this:
          register_globals On On

          Next I would look at your cache files to see if this code was added there. If so, then someone was probably able to hack your account using a cross-site scripting (XSS) attack, for which there have been several patches since 0.9.2.1. None of these attacks would’ve worked if register_globals had been off, however (whether you’d updated or not).

          Given that you’re going to have to do some radical cleaning to be sure that you got rid of any back doors that the hackers may have left, I think that this is probably a very good opportunity to upgrade MODx. I would change all of your passwords, rename the assets and manager folders to xassets and xmanager, upload the new version, and perform an upgrade installation. Then I’d try to restore all your image and other files from a clean local backup and delete the old directories and their contents (and only restore selected files if absolutely necessary from the old installation, since everything in there is suspect now).

          No need to wait for the next version of MODx; the current stable release is solid and light years ahead of what you have now.
            "Things are not what they appear to be; nor are they otherwise." - Buddha

            "Well, gee, Buddha - that wasn't very helpful..." - ZAP

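A way to do the check Zap describes (looking through cached and template files for markup appended after the closing HTML tag), as an added example that is not from this thread or the MODx project; the sample pages and the domains in them are constructed for the demonstration:

```python
import os
import re
import sys
from typing import Dict, List

# A well-formed page ends at </html>; injected iframes/scripts are often
# appended after it, which is exactly what the original poster observed.
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def trailing_injections(content: str) -> List[str]:
    """Return src URLs of iframes/scripts that appear AFTER the closing </html>."""
    m = CLOSE_HTML.search(content)
    if m is None:
        return []
    tail = content[m.end():]
    return IFRAME_SRC.findall(tail) + SCRIPT_SRC.findall(tail)


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".tpl")) -> Dict[str, List[str]]:
    """Walk a directory (e.g. the MODx cache or template dirs) and report hits per file."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = trailing_injections(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: one clean page, one with two hidden iframes past </html>.
SAMPLE_CLEAN = "<html><body>ok</body></html>\n"
SAMPLE_INFECTED = (
    "<html><body>ok</body></html>\n"
    '<iframe src="http://bad.example/load.php" width="1" height="1"></iframe>'
    "<iframe src='http://evil.example/x' style='display:none'></iframe>"
)

if __name__ == "__main__":
    for path, urls in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(urls)}")
```

Run it against a copy of the site (cache directory included) rather than on the live host; the script only reads files and reports, it changes nothing.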
            Quote from: NameCat.com at Dec 13, 2008, 06:10 AM

            Quote from: dev_cw at Dec 12, 2008, 01:01 PM

            Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
            Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

            You wouldn’t need to be using it to be vulnerable, as long as the file is there somewhere. I think it’s reflect.inc.php. Deleting it from your installed snippets list wouldn’t delete the file.

            As Zap suggested, you’re only vulnerable if register_globals is on (and, if it’s on, that could open some other doors to miscreants).