    • 29201
    • 239 Posts
    The client reported not being able to log in to Manager Evo 1.0.4 and I checked the logs which directed me to an extra "<" in the index.php file on the manager directory.

    I found this at the bottom of the file

    <img height="1" width="1" border="0" src="http://46.45.183.139/512242d942c20e3736000192.jpg">


    Is this a hack? I'm wondering if the install was compromised and what steps I should do to fix it up? Any thoughts / instructions on upgrading to 1.0.8?

    Thanks!
      • 29201
      • 239 Posts
      Confirmed that this was in fact a hack. Here's a related thread from a webtrees forum:

      http://www.webtrees.net/index.php/en/forum/27-help-for-ver-1-3-latest-release/27169-parse-error-on-home-page-line-151

      I'm seeing lots of 0kb .txt files in each of my manager sub directories.

      e.g. .f.512242bb42c20e37360000dd-5122432942c20e37360002c6.txt

      Anyone have advice on clean up? Is this really a 1.0.4 hole and should I immediately upgrade to 1.0.8? I have tried this before via Bluehost's automatic upgrade and the website breaks. Also, I have disabled the ForgotLogin plugin btw.
        • 22840
        • 1,572 Posts
        1.0.4 is an old version which does have security vulnerabilities so I would recommend you do an upgrade on the site as well as changing all passwords for the manager / FTP / and cpanel ( if you have it ).
          • 29201
          • 239 Posts
          Thanks Paul. Upgraded to 1.0.6 via Bluehost one click upgrade and the ForgotLogon plugin is still disabled. Here's what's broken so far:

          Friendly SEO URLs - have had to turn these off for now as all links are going to the 404 page
          SQL Error on all pages - had to turn off QuickManager
          Modifications that I've made to AjaxSearch files (to be expected as I customized the CSS files)

          One thing I'm seeing is that there is a .txt file that is blank in most directories and a modification to the last line of every index.html and index.php file in these directories.

          My thought process around cleanup is deleting all of these .txt files and then deleting the
          <img height="1" width="1" border="0" src="http://46.45.183.139/512242d942c20e3736000192.jpg">
          on the bottom of every index file.

          I've changed all FTP passwords and MODx user passwords.

          Can anyone recommend additional cleanup? Should I be doing a GREP via SSH to find all the .txt files? Or should I be looking for all files modified at the time of the hack? Can anyone post UNIX commands for performing this, if recommended?

          Otherwise, I guess it is a manual process of looking in every directory and seeing the .txt file and deleting the code on the index file. Is this really even necessary?

          Thanks,

          Eliot
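The audit and cleanup Eliot asks for above, as an added example that is not part of the original thread or of MODX. It assumes POSIX sh with find, grep, sed, mktemp and touch -t; the sample webroot, its timestamps and the incident window are constructed, and the IP address and file names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or MODX): audit a webroot for the three
# artifacts described above and strip the injected tag from index files.
# Assumes POSIX sh plus find, grep, sed, mktemp and touch -t.

BAD_HOST='46\.45\.183\.139'   # host quoted in the thread, dots escaped for BRE

# index.php / index.html files carrying the injected <img> tag (read-only)
find_injected_index() {
    find "$1" -type f \( -name index.php -o -name index.html \) \
        -exec grep -l "src=\"http://$BAD_HOST/" {} \;
}

# zero-byte dropper files named like .f.<hex>-<hex>.txt (read-only)
find_dropper_txt() {
    find "$1" -type f -name '.f.*-*.txt' -size 0
}

# files modified between two timestamps given in touch -t form (CCYYMMDDhhmm);
# review this list as well, rather than trusting the two name/content checks alone
find_changed_between() {
    s=$(mktemp); e=$(mktemp)
    touch -t "$2" "$s"; touch -t "$3" "$e"
    find "$1" -type f -newer "$s" ! -newer "$e"
    rm -f "$s" "$e"
}

# remove the injected tag from one index file, keeping <file>.bak for review
clean_index_file() {
    sed -i.bak "s/<img[^>]*$BAD_HOST[^>]*>//g" "$1"
}

# constructed sample webroot (one clean index, one infected index, one dropper)
# so the functions above can be exercised offline; prints its path
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/manager" "$root/assets"
    printf '<?php echo "clean"; ?>\n' > "$root/assets/index.php"
    printf '<?php echo "manager"; ?>\n<img height="1" width="1" border="0" src="http://46.45.183.139/512242d942c20e3736000192.jpg">\n' \
        > "$root/manager/index.php"
    : > "$root/manager/.f.512242bb42c20e37360000dd-5122432942c20e37360002c6.txt"
    touch -t 201302190900 "$root/assets/index.php"   # untouched, before the constructed incident
    touch -t 201302200430 "$root/manager/index.php"  # changed inside the constructed incident window
    echo "$root"
}
```

Run the three find_* functions first and keep their output; clean_index_file is the only step that writes, and the .bak copies let you diff what was removed.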
            • 38290
            • 712 Posts
              jpdevries
              • 3749
              • 24,544 Posts
              It sounds like the .htaccess file might also have been messed with.
                Did I help you? Buy me a beer
                Get my Book: MODX:The Official Guide
                MODX info for everyone: http://bobsguides.com/modx.html
                My MODX Extras
                Bob's Guides is now hosted at A2 MODX Hosting
                • 29201
                • 239 Posts
                Thanks JP - I requested that they add it in but they wouldn't do it. So I've been disabling the ForgotPassword Plugin which I believe is the only difference from 1.0.6 and 1.0.8.
                You also should not use a Manager username of "admin". There appear to be some automated probes using that username. Whether they would be successful or not is questionable, but there's no point in making it easy.
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
                    • 29201
                    • 239 Posts
                    Quote from: sottwell at Feb 20, 2013, 04:29 AM
                    You also should not use a Manager username of "admin". There appear to be some automated probes using that username. Whether they would be successful or not is questionable, but there's no point in making it easy.

                    Thanks Susan. For all new installs I will stop using 'admin' as the username. What about pre-existing installs? Attached is the warning I'm receiving when changing the name. Do you know what the impact will be?
                      • 9995
                      • 1,613 Posts
                      Check your logs, check FTP for (index).php files and weird last-changed dates. It could be that infected files are everywhere. I don't think it can harm anything when changing the admin's name.
                        Evolution user, I like the back-end speed and simplicity