    Hi,

    I've just noticed that one of my websites is receiving repeated bogus requests. Sadly, because there are malicious people out there, this happens. So far, so non-MODx-specific, apart from the fact that it appears that the specific request that I am receiving:

    [Edit: Sorry, it didn't occur to me that these dubious (fxxo) URLs would become clickable in my post. Since I don't know what kind of malware may be hosted there, please don't click on them unless you are using a suitably protected environment and know what you are doing!]


    POST http://fxxo.com/proxy5/check.php HTTP/1.1

    somehow manages to cause the 'site_url' variable to be changed (to point to http://fxxo.com/ instead of the correct value for my website), and this bogus value then finds its way into MODx's cached pages as (presumably?) new cached copies are made (where 'site_url' is used in part of our page template).

    I'm not sure how this is happening: I thought that 'site_url' was supposed to be automagically known to MODx when it checks what hostname (and folder?) it is running in. But I don't know how the fxxo.com value is getting into MODx (and how it is able to alter the 'site_url' value)?

    We have previously discovered, when (unsuccessfully) trying to make the site manager available by https, that when the manager is accessed via https, MODx picks up on this and "helpfully" updates the 'site_url' value, which is not desired as we don't want the URLs for normal site pages to be changed to https on future accesses.

    I suspect that something similar must be happening here, but I don't know what is being POSTed via these requests, how the request is being received on our site in the first place, and most importantly, how it is managing to tickle something in the site manager area which is managing to alter the 'site_url' value.

    I have a feeling that something is somehow proxying requests to our site, and this seems to be backed up by the following, which are the only relevant pages that I have found:

    http://board.issociate.de/thread/463850/Security-problem-in-apache-with-forms.html
    http://wiki.apache.org/httpd/ProxyAbuse

    I don't think that our Apache installation has proxying enabled: "ProxyRequests On" is commented out, unchanged from the default, so I assume that it is off (assuming that the virtual host config for the site will inherit this setting from the main httpd.conf file?).

    The only other thing that I can think of is that maybe one of our manager users has a compromised computer which is somehow diverting (MITM) their accesses to the manager area via something nefarious (but we have another, separate, layer of non-MODx login security further protecting the manager area from unauthorised access, and I also don't see any requests from the attack host (it's just the one IP address so far) for any other URLs on the server..).

    Can anybody offer any advice?

    Many thanks!
    [ed. note: david55 last edited this post 11 years, 9 months ago.]
      Please don't PM me unless it's absolutely essential: if a technical question is worth asking, it's worth asking in public, so that others can share their experience, and so that all can learn from the answers.
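As an added example (not code from the thread or from MODX itself), here is a small Python triage for the two mechanisms david55 is asking about: spotting absolute-URI request lines in an Apache combined access log (the open-proxy probe described above, which an origin server should never be asked to honour), and contrasting a CMS that derives site_url from whatever host and scheme the request carries with one that pins the scheme in configuration and allowlists the host. The log lines are constructed, the host names www.example.com and fxxo.com are placeholders, and the two site_url functions are an assumed model of the behaviour Bob describes later in the thread, not MODX's own code.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache combined-log lines (stand-ins, not the poster's real log).
# Line 2 is the kind of request david55 describes: an absolute URI naming a foreign host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:10:15:02 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2012:10:15:09 +0000] "POST http://fxxo.com/proxy5/check.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:10:16:40 +0000] "GET /manager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(entry):
    """An absolute-form request target (scheme://host/path) is what a client sends to a
    forward proxy. On an origin server it means someone is testing whether the host
    will fetch foreign URLs on their behalf."""
    return entry["target"].lower().startswith(("http://", "https://"))


def flag_proxy_probes(log_text, our_hosts):
    """Return (client_ip, target, host_named_in_target, reason) for every proxy probe.
    The host in the absolute URI is what a naive CMS would end up treating as 'the site'."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not is_proxy_probe(e):
            continue
        host = (urlsplit(e["target"]).hostname or "").lower()
        reason = "absolute-URI request target (open-proxy probe)"
        if host not in our_hosts:
            reason += f"; names foreign host {host!r}"
        flagged.append((e["ip"], e["target"], host, reason))
    return flagged


def naive_site_url(server):
    """Assumed model of a CMS that trusts the request: scheme comes from HTTPS, host from
    HTTP_HOST, so a manager login over https or a foreign Host header both rewrite site_url."""
    scheme = "https" if server.get("HTTPS", "").lower() in ("on", "1") else "http"
    return f"{scheme}://{server['HTTP_HOST']}/"


def hardened_site_url(server, allowed_hosts, canonical_host, scheme="http"):
    """Pin the scheme in configuration and accept only allowlisted hosts; anything else
    falls back to the canonical host instead of being baked into cached pages."""
    host = server.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in allowed_hosts:
        host = canonical_host
    return f"{scheme}://{host}/"


if __name__ == "__main__":
    for hit in flag_proxy_probes(SAMPLE_LOG, {"www.example.com"}):
        print(hit)
    probe = {"HTTP_HOST": "fxxo.com"}
    print("naive:   ", naive_site_url(probe))
    print("hardened:", hardened_site_url(probe, {"www.example.com"}, "www.example.com"))
```

A probe line appearing in the access log is not, by itself, evidence that anything was proxied: with ProxyRequests off, Apache answers such a request from its own document root, which is why the ProxyAbuse page linked above expects them to show up in the logs. The check that matters is whether the foreign host has been written into site_url or into the cached pages, which is what the naive derivation above makes possible and the hardened one prevents.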
      It does sound like your site has been hacked. Compare the .htaccess and index.php files with the ones in the original MODX .zip file (or a new install of MODX). Correcting those isn't going to help if some miscreant has your MODX, cPanel, or FTP credentials (and I suspect that they have at least one of those -- possibly all of them).

      Also, look for a bogus user on the site.

      If you have a backup made before the hacking, you could change all your passwords and then restore the backup.


      ------------------------------------------------------------------------------------------
      PLEASE, PLEASE specify the version of MODX you are using.
      MODX info for everyone: http://bobsguides.com/modx.html


        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        hi,

        two little things,

        you can easily have the manager accessed only by https with .htaccess

        you may have a look at your php files' source to see whether you find a base64 line in them (quite a fashionable hack these days)
        if yes, Bob's suggestion to replace all the php files with your backup ones will be the only way to get rid of it (unless you want to play with a search/replace in all your php files)

        have swing
          think before acting
          Thanks, Bob, and virtualbear, for your advice. I'm not certain that the site has actually been hacked (although a reinstall is probably a wise precaution anyway [1]), as, from what little I've found on the web about the bogus URL, it looks as though it's some kind of spider periodically scanning various sites (presumably trying to check for potential vulnerabilities that could be exploited). What I don't understand is how an attempted POST request, to an entirely-different URL that has nothing to do with my site, is even showing up in my logs? I was hoping that this would be a web issue that was already known about and that there would be more information somewhere online about what it was.

          [1] Doing a reinstall is going to be awkward. We do backup files and databases daily, but (if there is a rogue file somewhere), I don't know how long this has been going on for (assuming that the requests aren't just a remote spider). Is it possible to re-run the MODx installer, with the existing database present and retain the data? If I need to start with a totally fresh reinstall and a completely empty database, then trying to transfer content and user (etc?) data from a database backup into a new database is going to be ..unpleasant.
            Seeing those requests in the log is no cause for alarm, but if links on the front-end of your site or links in the Manager are leading to that domain, your site has almost certainly been hacked.


            One possibility, easily fixed, is that your cache directory is writable by the outside world. If that's it, correct the permissions on that directory. If the problem stops, you may not need to reinstall, though a clever enough hacker may have been able to leverage that to get access to the Manager or the DB.

            Fixing the permissions and changing all Manager usernames and passwords *might* be enough.

              Thanks, Bob. I haven't found any indication that anything else had been changed other than the 'site_url' variable. As I said, I had previously discovered that that value could be "passively" changed inadvertently by legitimate manager users, by accessing the manager area via a different URL (if it was (also) set up to be available by that different URL), eg https versus http.

              My gut feeling (although I may be wrong, of course) is that somehow whatever weird proxying is attempting to access my site is perhaps convincing MODx that the manager area is being accessed via a different URL and so causing the 'site_url' value to be changed (I don't know whether a manager user actually needs to be logged in for 'site_url' to "update" itself, or whether just accessing the manager login page via a different URL would be sufficient?). What seems strange is that nobody else seems to have encountered this problem before on MODx, and that I can find very little about the strange URL on the web in general (usually strange requests get noticed and discussed somewhere online by somebody).. [ed. note: david55 last edited this post 11 years, 9 months ago.]
                I have now taken a copy of the MODx installation from the website and compared it against the contents of the original MODx zipfile (with the help of du -ab and sort -k2, and kompare).

                There don't seem to have been any changes to any files other than those few that I have made (eg, to manager/includes/config.inc.php). If need be, would I be able to reinstall MODx just by overwriting the files with a fresh copy of the originals (putting my changed files back into place)? Would I need to re-run the installer in "upgrade" mode, or do nothing further? (Running the installer in "install" mode would presumably wipe my existing database, and be a Bad Idea.)
                  AFAIK, site_url is set on the fly based on the URL the user uses to reach the site, so it's common for lots of bogus URLs to show up in the Apache logs. But with a bogus URL, the user should not actually reach either the Manager or the front-end.

                  You haven't actually said whether the bogus URLs are appearing anywhere in the Manager or in pages on the front end. That's the key question.

                  If the files haven't changed, there's not much point in reinstalling, but I would take a close look at any index.php files, index.html files (which shouldn't exist on the site), php.ini files, and .htaccess files. Most of those are not in the MODX .zip file so you can't compare them. They're the most common targets for hacking.

                  Look also for .php files that are not part of the MODX install.

                  Make sure you're using the latest version of MODX, which is more secure than earlier versions.

                  If you were using MODX Revolution, you could install the BotBlockX and LogPageNotFound extras. Maybe there is something similar for Evolution.

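Combining virtualbear's base64 check with Bob's advice in this last post (compare the deployed tree against the original zip, look for PHP files that are not part of the install, check the common target filenames, and check the cache directory's permissions), here is an added Python example that does that triage over a constructed pair of directory trees. It is not the thread's or MODX's code: the file names and contents are placeholders standing in for a MODX tree, the obfuscation patterns are an assumed, non-exhaustive list, and in real use you would point compare_trees at the unpacked release zip and your web root, listing the files you edited yourself (such as manager/includes/config.inc.php) as known edits.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed, non-exhaustive markers of dropped or injected PHP (the "base64 line" virtualbear mentions).
SUSPICIOUS_CODE = re.compile(rb"(base64_decode|eval\s*\(|gzinflate|str_rot13|preg_replace\s*\([^)]*/e)", re.I)
# Filenames Bob lists as common hack targets; index.html should not exist in a MODX site at all.
SUSPICIOUS_NAMES = {"index.html", "php.ini"}


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root: Path):
    """Map of relative path (forward slashes) -> Path for every regular file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(deployed: Path, reference: Path, known_edits=()):
    """Return (modified, extra, missing): modified = same path, different hash, not a known edit;
    extra = only in the deployed tree (PHP files 'not part of the install'); missing = only in reference."""
    d, r = walk(deployed), walk(reference)
    modified = sorted(p for p in d.keys() & r.keys()
                      if p not in known_edits and sha256(d[p]) != sha256(r[p]))
    return modified, sorted(d.keys() - r.keys()), sorted(r.keys() - d.keys())


def scan_suspicious(deployed: Path):
    """Flag PHP files containing obfuscation markers and files whose name is a common hack target."""
    hits = []
    for rel, p in walk(deployed).items():
        if p.name in SUSPICIOUS_NAMES:
            hits.append((rel, "unexpected filename"))
        if p.suffix == ".php" and SUSPICIOUS_CODE.search(p.read_bytes()):
            hits.append((rel, "obfuscated/eval code"))
    return sorted(hits)


def world_writable_dirs(root: Path):
    """Directories anyone on the box can write to (Bob's cache-directory case)."""
    return sorted(p.relative_to(root).as_posix() for p in [root, *root.rglob("*")]
                  if p.is_dir() and p.stat().st_mode & stat.S_IWOTH)


def build_demo(base: Path):
    """Constructed reference and deployed trees; contents are placeholders, not real MODX files."""
    ref, dep = base / "reference", base / "deployed"
    files = {
        "index.php": "<?php // front controller placeholder\n",
        "manager/includes/config.inc.php": "<?php $database_type = 'mysql';\n",
        "assets/cache/.htaccess": "Deny from all\n",
    }
    for rel, body in files.items():
        for root in (ref, dep):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Deployed-side differences: a legitimate config edit, a dropped backdoor in the cache
    # directory, a stray index.html, and a cache directory left world-writable.
    (dep / "manager/includes/config.inc.php").write_text(
        "<?php $database_type = 'mysql'; $site_url = 'http://www.example.com/';\n")
    (dep / "assets/cache/.sys.php").write_text("<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n")
    (dep / "index.html").write_text("<html>placeholder spam</html>\n")
    os.chmod(dep / "assets/cache", 0o777)
    return dep, ref


def run_demo():
    """Build the constructed trees in a temp dir and return every finding as plain data."""
    with tempfile.TemporaryDirectory() as tmp:
        dep, ref = build_demo(Path(tmp))
        modified, extra, missing = compare_trees(dep, ref)
        known = ("manager/includes/config.inc.php",)
        return {
            "modified": modified,
            "modified_excluding_known": compare_trees(dep, ref, known_edits=known)[0],
            "extra": extra,
            "missing": missing,
            "suspicious": scan_suspicious(dep),
            "world_writable": world_writable_dirs(dep),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash comparison answers david55's "nothing changed except the files I edited" question without relying on sizes (his du -ab approach would miss a same-length edit), the extra-files list is where a dropped backdoor shows up, and the permissions check covers the case Bob raises where the cache directory itself is the way in.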