-
- 24,544 Posts
It could be coming from just about anywhere, but the first place to look is in the index.php file in the root. Compare it to the original. You probably won't see that string. It will most likely be encoded.
By far the safest thing would be to restore a backup from before the infection, change all your usernames and passwords, and go from there.
-
- 24 Posts
Im struggling to understand how this got onto the website... the only thing i have done is install the new tinyMCE, new modx, and 2 news plugins... I dont understand it. I flushed permissions and flushed cache and thats when this all started.
this is what my index.php looks like:
<?php
require_once dirname(dirname(__FILE__)).'/index.php';
$modx->request->handleRequest(array('location' => 'source'));
Does this look normal??
Trev
-
- 24,544 Posts
Not if it's the index.php in the MODX root (the directory with the Manager and Core directories). You could be looking at the wrong one, though.
Malware can show up for lots of different reasons, it could be a cross-site attack from someone else on a shared server or it could be that someone has used a brute-force attack to get your MODX admin, cPanel, or FTP password by trial-and-error. It could also come from an insecure form on your site.
-
- 163 Posts
Quite a few years ago, Media Temple got hacked, and malware was inserted in to every index file on my web server. Didn't matter what system I was using (MODX, TextPattern, Wordpress etc), they all became infected.
My first instinct was to point the finger at MODX, TextPattern etc, because at the time Media Temple were being very vague about the situation, however they eventually came clean that their systems had been compromised.
The malware might not be inserting itself in the web root of your website. It might be triggered from a folder below the web root. If you have access, have a look (including any odd .htaccess files).
Have you tried googling to see if any other people on your host are having the same issues?
Could you confirm your hosting provider?
Can you also confirm, where you got the upgrade package from (was it via the MODX website)?
[ed. note: jonleverrier last edited this post 11 years, 2 months ago.]