    Hi there,
    I found a little
    echo '<iframe....hack garbage.... ></iframe>';
    sitting in the middle of my core/config/config.inc.php.

    Revo version is 2.1.3
    Are there any security issues for this version of Revo? Just wondering if I should be advising the client to upgrade or not. I can't see any security issues in the forums.

    I did have the perms of the config file set to 644, I've changed it to 444 in the hope that it will prevent the issue.
    But I don't know how they got in to do this in the first place.

    Any ideas where I should look to find more info?

    kind regards

    Marcus
    • That doesn't really look like a hack, it looks more like somebody was testing something (probably paths; they are a little complicated in Revo's config file) at some point and forgot to remove the debugging echo.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        It was an iframe that was outputting and hitting a dodgy website. Seeing as it was doing an echo in the config it was across all templates and the manager.

        A number of antivirus programs had picked it up as malware and it was reported by a client. Definitely not something that one of the developers placed there as a test or by mistake.
        • Ah. All you mentioned was the echo ""; and I often put those in when I'm debugging something.
            Studying MODX in the desert - http://sottwell.com
            Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
            Join the Slack Community - http://modx.org
          • It could be any number of things without further knowledge of your environment:

            1) Someone used brute-force (or some other method) to get your FTP password.
            2) A manager user, possibly with access to the Files tab.
            3) A shared server not running PHP as your user account (i.e. another account got hacked and was used to hack others).
            4) An insecure form implemented on your MODX site allowed the user to write to the file or upload a malicious file used to then modify other files.
            5) Something else...

            I would make sure there are no other modified files, suspicious files, etc., but there are no known attack vectors in that version of MODX Revolution which would allow this without a manager login. Analyzing log files, if available, for suspicious POSTs, checking the most recently modified files on the account, and other techniques may help you narrow down the source of the problem.
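            The checks suggested above (injected echo/iframe in PHP files, recently modified files, suspicious POSTs in the access log) as a small triage script. This is an added example, not code from the thread or from MODX; the web root, log file and all sample data are constructed here so it runs stand-alone, and WEBROOT/ACCESS_LOG are assumed variable names you would point at the real paths.

```shell
#!/bin/sh
# Added triage example (not from the thread): find PHP files that echo an iframe
# or script tag, list recently modified PHP files, and pull POST requests to PHP
# scripts out of an access log so the two can be correlated by time and client IP.
set -u

# Constructed sandbox: a fake MODX root and a fake access log in a temp directory.
WEBROOT="${WEBROOT:-$(mktemp -d)}"
ACCESS_LOG="${ACCESS_LOG:-$WEBROOT/access.log}"
mkdir -p "$WEBROOT/core/config" "$WEBROOT/assets"
cat > "$WEBROOT/core/config/config.inc.php" <<'EOF'
<?php
$database_type = 'mysql';
echo '<iframe src="http://example.invalid/" style="display:none"></iframe>';
EOF
printf '<?php\n$modx_base_path = "/var/www/";\n' > "$WEBROOT/assets/clean.php"
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/Jun/2011:03:14:07 +0000] "POST /assets/components/upload.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2011:03:15:01 +0000] "GET /index.php HTTP/1.1" 200 8192
203.0.113.5 - - [10/Jun/2011:03:15:30 +0000] "POST /manager/index.php HTTP/1.1" 302 0
EOF

# 1) PHP files that echo an iframe or script tag; a config file never should.
find_injected_php() {
  grep -rlE --include='*.php' "echo[[:space:]]+['\"]<(iframe|script)" "$WEBROOT" | sort
}

# 2) PHP files modified within the last N days (default 7): a cheap "what changed" pass.
recently_modified() {
  find "$WEBROOT" -type f -name '*.php' -mtime "-${1:-7}" | sort
}

# 3) POST requests to PHP scripts with client IP and timestamp (common log format).
suspicious_posts() {
  awk '$6 == "\"POST" && $7 ~ /\.php/ { print $1, $4, $7 }' "$ACCESS_LOG"
}

echo "== files with injected echo/iframe =="; find_injected_php
echo "== PHP files modified in the last 7 days =="; recently_modified 7
echo "== POSTs to PHP scripts =="; suspicious_posts
```

Run it with WEBROOT and ACCESS_LOG set to the real site root and web server log; the mtime list and the POST list are meant to be compared side by side, since a file written moments after a POST to an upload or form script is the usual tell.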