Cache injected with code - running 1.0.10?

Hi,

Had my client's site hacked, cache injection, was running 1.0.4 at the time. Have now upgraded to 1.0.10 but site got infected again. Any idea why that would be? Seems the cached gets injected with some rubbish javascript code. Deleting the cache solves it, until it gets injected again. Any help much appreciated

Thanks

Sounds like a malicious php file is hidden somewhere. You should also make sure to change the passwords and preferebly even the usernames of all of your Manager users, as well as your hosting control panel (CPanel?). Wouldn't hurt to change the database password as well, although you'll have to edit the config.inc.php file for the new database password.

Yeah, I've done the usual precautions, but wondered if Modx is still vulnerable. Finding a malicious php file will be hard I reckon, though...

I would upload another copy of the entire manager directory (manager.new), copy over the config.inc.php file (check it for anything odd), then delete the original manager directory and rename the new one removing the .new suffix. I would do the same for the individual snippet and plugin directories, especially the tinymce plugin directory. Carefully check the directories for your images and templates; they shouldn't have any .php files. Also check any custom snippet or plugins for odd files. Look for any plugins not in the default installation that you don't recognize, espcially one named "quick managermanager" - that's a malicious plugin installed by a hacked Manager user.

Yeah, i think I'll have to go through this painstakingly, thanks for your help and pointers, though!

Yeah, it's a pain. Remember: the cache is just a symptom. The file is in there somewhere before it gets pulled into the cache. If you're on the command line on a Linux server, you can search across multiple files for a given pattern using grep, e.g.



And that can help you locate which file(s) are tainted. Very common, however, is that the index.php (in any directory, but most commonly at the root or in the manager/ dir) will be injected with a self-unzipping encrypted bit of code. That stuff is very hard to track down because you can't search for it using a pattern. A lot of malicious code is written so as not to be identifiable by pattern matching.

Make a full backup of your site and the database, go over it with a fine tooth comb. There's a linux utility that's useful for this called "maldet" (i.e. malware detection).

hi Everett, thanks for your tips, I have gone through the index.php files but nothing untoward there I'll do some grep stuff to see if that yields any results

You should also look for the well-known exploits for the Reflect Snippet and the phpThumb vulnerability.

thanks for your reply, I'll check that, too, but dont think those are installed