Hi,
I've just noticed that one of my websites is receiving repeated bogus requests. Sadly, because there are malicious people out there, this happens. So far, so non-MODx-specific, apart from the fact that it appears that the specific request that I am receiving:
[Edit: Sorry, it didn't occur to me that these dubious (fxxo) URLs would become clickable in my post. Since I don't know what kind of malware may be hosted there, please don't click on them unless you are using a suitably protected environment and know what you are doing!]
POST http://fxxo.com/proxy5/check.php HTTP/1.1
somehow manages to cause the 'site_url' variable to be changed (to point to http://fxxo.com/ instead of the correct value for my website), and this bogus value then finds its way into MODx's cached pages as (presumably?) new cached copies are made (where 'site_url' is used in part of our page template).
I'm not sure how this is happening: I thought that 'site_url' was supposed to be automagically known to MODx when it checks what hostname (and folder?) it is running in. But I don't know how the fxxo.com value is getting into MODx (and how it is able to alter the 'site_url' value)?
We have previously discovered, when (unsuccessfully) trying to make the site manager available by https, that when the manager is accessed via https, MODx picks up on this and "helpfully" updates the 'site_url' value, which is not desired as we don't want the URLs for normal site pages to be changed to https on future accesses.
I suspect that something similar must be happening here, but I don't know what is being POSTed via these requests, how the request is being received on our site in the first place, and most importantly, how it is managing to tickle something in the site manager area which is managing to alter the 'site_url' value.
I have a feeling that something is somehow proxying requests to our site, and this seems that it may be backed up by the following, which are the only relevant pages that I have found:
http://board.issociate.de/thread/463850/Security-problem-in-apache-with-forms.html
http://wiki.apache.org/httpd/ProxyAbuse
I don't think that our Apache installation has proxying enabled: "ProxyRequests On" is commented out, unchanged from the default, so I assume that it is off (assuming that the virtual host config for the site will inherit this setting from the main httpd.conf file?).
The only other thing that I can think of is that maybe one of our manager users has a compromised computer which is somehow diverting (MITM) their accesses to the manager area via something nefarious (but we have another, separate, layer of non-MODx login security further protecting the manager area from unauthorised access, and I also don't see any requests from the attack host (it's just the one IP address so far) for any other URLs on the server...).
Can anybody offer any advice?
Many thanks!
[ed. note: david55 last edited this post 11 years, 9 months ago.]
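One way to spot the proxy-style requests described above in the Apache access log, as an added example that is not part of the original post or of MODx: it assumes Apache's default "combined" log format and a hypothetical set of allowed hostnames, and the log lines below are constructed to mirror the request in the post.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# An absolute-form target (scheme://host/path) instead of the usual "/path".
ABSOLUTE_FORM_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://")


def parse_request_target(request):
    """Split a request line into (method, target, version); None if malformed."""
    parts = request.split(" ")
    if len(parts) != 3:
        return None
    return tuple(parts)


def find_proxy_style_requests(lines, allowed_hosts):
    """Return (client, method, host) for each request whose target is an
    absolute URI naming a host outside allowed_hosts. These are the classic
    open-proxy probes; an application that derives its site URL from the
    request is what turns them into a bogus 'site_url' value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        parsed = parse_request_target(m.group("request"))
        if parsed is None:
            continue
        method, target, _version = parsed
        if not ABSOLUTE_FORM_RE.match(target):
            continue  # origin-form target ("/index.php"), nothing to flag
        host = (urlsplit(target).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((m.group("client"), method, host))
    return findings


# Constructed sample log lines: the client addresses and timestamps are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2012:03:14:07 +0000] "POST http://fxxo.com/proxy5/check.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [10/Jan/2012:03:14:09 +0000] "GET /index.php?id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2012:03:14:10 +0000] "GET http://www.example.org/about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, method, host in find_proxy_style_requests(SAMPLE_LOG, {"www.example.org"}):
        print(f"proxy-style request from {client}: {method} to foreign host {host}")
```

A hit for a host that is not yours is the signal to check that mod_proxy is really off and that the application is not trusting the request line or Host header when it computes its own base URL.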