    • 33479
    • 15 Posts
    I have an EVO 1.0.6 site and an AD is being inserted just before the closing body tag. Below is the end of my footer chunk that is the last thing pulled into my template. The AD is being inserted between the closing paragraph tag and the closing body tag.
    <p><map name="Map">
      <area shape="rect" coords="75,1,109,24" href="[~4~]" alt="Contact Us">
      <area shape="rect" coords="37,1,71,24" href="[~7~]" alt="Site Map">
      <area shape="rect" coords="-1,1,33,24" href="[(base_url)]" alt="Home Page">
    </map></p>
    
    </body>
    </html>

    The ads div has absolute positioning that pushes it off the top-left of the page. I downloaded a fresh copy of 1.0.6 from the MODX site and took a dump of the database. I uploaded these along with my template files to a different shared hosting account but the ad still appears.

    I am really at a loss as to how to track this down and remove it. Any suggestions would be greatly appreciated!
      Darren Burns
      Zero Gravity Web Works
      • 38290
      • 712 Posts
      Are you running the latest version of Evo? (I'm confused because it looks like that would be 1.0.10.) Look at the page with JavaScript turned off or view the source; does the ad still appear?
        jpdevries
        • 22840
        • 1,572 Posts
        Almost certainly upgrade to 1.0.10, as 1.0.6 has known vulnerabilities and upgrading will solve that. Also change your FTP password before doing the upgrade.
          • 33479
          • 15 Posts
          Thanks for your quick replies. I'm not running the latest version of EVO. I had hoped a quick reinstall with the version the website is currently using (1.0.6) would get rid of the ad problem. I was then going to immediately upgrade the site to 1.0.10.

          I turned off JavaScript using Web Developer tools in Firefox and the ad still appears. The only way I can see the ad is by viewing the source. It is using absolute positioning to place the ad off the viewable page. The only way I discovered it was a couple of strange keywords listed in my webmaster tools account.

          I will try a fresh install using 1.0.10 and see if that removes the ad.
            Darren Burns
            Zero Gravity Web Works
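The symptom described in the post above (a link block that shows up only in the page source, pushed off-screen with absolute positioning) can be checked for mechanically. The following is an added example, not part of the original thread or of MODX; the names `scan`, `HiddenLinkFinder` and `is_offscreen`, and the sample page with its `spam.example` URLs, are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Void elements never get a closing tag, so they are not pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
POSITIONED = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
NEGATIVE = re.compile(r"(?<![-\w])(left|top)\s*:\s*-\s*\d", re.I)

def is_offscreen(style):
    # True when an inline style positions the element at a negative left/top offset.
    return bool(POSITIONED.search(style) and NEGATIVE.search(style))

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, inside_offscreen_block) per open element
        self.findings = []  # (source line, href) for each hidden link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = inherited or is_offscreen(a.get("style") or "")
        if tag == "a" and hidden and a.get("href"):
            self.findings.append((self.getpos()[0], a["href"]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; tolerates unclosed tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a footer like the one in the thread, with an injected block.
SAMPLE = """<html><body>
<p><map name="Map"><area shape="rect" coords="37,1,71,24" href="/sitemap" alt="Site Map"></map>
<a href="/contact">Contact Us</a></p>
<div style="position:absolute; left:-9999px; top:-9999px">
<a href="http://spam.example/a">cheap pills</a> <span><a href="http://spam.example/b">loans</a></span>
</div>
</body></html>"""
```

This only inspects inline `style` attributes in the HTML the server returns; a block hidden through a class or an external stylesheet would not be flagged.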
            • 38290
            • 712 Posts
            To be clear, upgrading won't necessarily remove the malicious ad, as MODX likely has no way of knowing if it's your content or was injected maliciously. It will certainly help prevent further attacks though. You will likely need to trace down where it is coming from by examining the elements in your templates and manually remove it.
              jpdevries
              • 33479
              • 15 Posts
              I had the feeling upgrading wouldn't remove the ad. I've looked through my template and all the chunks and can't see anything that might be pulling the code in. Is there somewhere else I should be looking other than under "Manage Elements" in the admin?

              It's weird that it is showing in the middle of my footer chunk.
                Darren Burns
                Zero Gravity Web Works
                • 33479
                • 15 Posts
                Just to make things stranger... On a whim I tested uploading a copy of 1.0.10. This was a clean upload, not overwriting 1.0.6. I imported the SQL dump from my infected site into an empty database and tweaked the settings that needed to be changed. Opened the site in a browser and the ad links are gone!! I repeated the same process on my live site.

                1. Put up a maintenance page
                2. Deleted everything including the database
                3. Uploaded 1.0.10 and the htaccess and config files
                4. Imported SQL dump from the infected site to a new, clean database
                5. Ran the install/upgrade
                6. Tweaked any settings that needed to be changed in the config.
                7. Loaded the site and no links!!

                I have no idea what I did and how it worked but the links are gone and I'm a happy camper. My site had been tumbling down the rankings. Now I know why.
                  Darren Burns
                  Zero Gravity Web Works
                  • 3749
                  • 24,544 Posts
                  The odds are, the attack was file-based and you've deleted the evil file(s). Be sure to change all your usernames and passwords (MODX login, FTP, DB, DB User, cPanel) or you may be re-infected.
                    Did I help you? Buy me a beer
                    Get my Book: MODX:The Official Guide
                    MODX info for everyone: http://bobsguides.com/modx.html
                    My MODX Extras
                    Bob's Guides is now hosted at A2 MODX Hosting
                  • There were a number of serious exploits found in all versions prior to 1.0.8 that allowed all sorts of nasty things to be done. Fortunately it's not easy to find MODX sites like it is to find WordPress sites.

                      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician.
                      • 33479
                      • 15 Posts
                      Thanks Guys! I changed everything. Including using a password generator to create a new DB name and DB user name. It's strange that when I did a test with a clean install of 1.0.6 the links still showed up but they didn't with 1.0.10.
                        Darren Burns
                        Zero Gravity Web Works