Issues with Malware and reinstalling Modx

Hi all,

I posted earlier about a load of difficulties I was having with ModX and now heres one of them I really need help with.

I made a site for a client last year and all was fine. About a month ago it starting getting malware. I found they were in some jquery files I added (eg: lightbox, supersized, etc) So I deleted them and reinstalled them and all seemed ok.

Today, however, their host actually deleted the site altogether, saying their FTP details had been compromised and serveral IPs where actually accessing the account and implanting stuff. He changed the FTP details.

Since the site was gone, but I still had the DB online, I decided reinstall the site again from scratch. I installed version 2.2.7 (instead of version 2.2.5). That went ok. I then FTP's all the old sites assets - images, .js and .css files.

But I couldnt figure out how to combine the old 2.2.5 database with the newly installed 2.2.7 database. I tried simply replacing it - that allowed me to access the back end of the site, but all my pages came up with a 500 error. Decided this wasnt the best way to go.

I then decided to try and copy and replace individual tables (eg, modx_content, modx_snippets, etc), also to the same effect

Does anyone know how to combine an older database with a new install?

Thanks!

Install 2.2.5 from http://modx.com/download/previous-releases/ and import your database.
When your site is back online, upgrade to 2.2.7:

- Extract the 2.2.7 archive
- ftp all extracted files to your server OVERWRITING the old files
- check that /core/config/config.inc.php is writeable
- open www.yourwebsite.tld/setup/
- click through Upgrade-Install
- delete everything in /core/cache
- make /core/config/config.inc.php read-only
- done

This is ALL you have to do while upgrading MODX.

- optional: check the installed addons for security (edit: or compatibility) issues. if there aren't any issues, just leave them alone.

Quote from: meltingdog at Apr 24, 2013, 07:25 AM

Hi all,
Today, however, their host actually deleted the site altogether, saying their FTP details had been compromised and serveral IPs where actually accessing the account and implanting stuff. He changed the FTP details.

I think this is the main reason why many of your MODX sites get infected. And this isn't a MODX problem at all.

At first, you should check your own computer with something like Kaspersky Rescue Disk (assumed you're using windows).
Next, advise your customers to do the same with every computer they use to edit the websites.

[ed. note: DasItsch last edited this post 11 years ago.]

Quote from: DasItsch at Apr 24, 2013, 09:35 AM

Quote from: meltingdog at Apr 24, 2013, 07:25 AM

Hi all,
Today, however, their host actually deleted the site altogether, saying their FTP details had been compromised and serveral IPs where actually accessing the account and implanting stuff. He changed the FTP details.

I think this is the main reason why many of your MODX sites get infected. And this isn't a MODX problem at all.

I would agree with this. I'd say it's a 99% chance that the attacks are due to a compromise on the client end rather than a security flaw in MODX, or even a vulnerability in the server software.

But anyway, it's still good practice to follow the 'Locking down MODX' procedures here: http://rtfm.modx.com/display/revolution20/Hardening+MODX+Revolution

Quote from: DasItsch at Apr 24, 2013, 09:35 AM

Install 2.2.5 from http://modx.com/download/previous-releases/ and import your database.
When your site is back online, upgrade to 2.2.7:

- Extract the 2.2.7 archive
- ftp all extracted files to your server OVERWRITING the old files
- check that /core/config/config.inc.php is writeable
- open www.yourwebsite.tld/setup/
- click through Upgrade-Install
- delete everything in /core/cache
- make /core/config/config.inc.php read-only
- done

This is ALL you have to do while upgrading MODX.

I have done exactly that except for the 2nd step as there are no old files to overwrite on the server anymore. I have repeated this process but just get a 500 error again

Generally 500 errors point towards an issue with permissions or your htaccess file. You might check that all your permissions are correct.