  • I think you're beginning to see how much of a holy pain in the ass a hack can be. The only kosher response for this is to nuke your site back to kingdom come and bring it back online from known good code and/or content. That's hardly practical, but any deviation from that dictum is time-consuming and involves a risk assessment. It's something like the 3-second rule when you drop food on the floor, but in this case it's your site content and the bad stuff isn't germs, it's malicious code. Some people are ok with eating that... others not, and every point in-between.

    In the case of your database, I have in the past ditched tables that I knew I could replace (e.g. snippets, plugins, users, etc), and then I combed through the content tables meticulously row-by-row to ensure nothing malicious had ended up in there. Usually this came down to modx_site_content, modx_site_templates, modx_site_htmlsnippets (chunks). Usually it's obvious if some weird js concatenation or encoding has been injected into your tables.
    • Can't wait for the plugin you mentioned you're working on, and I was serious about donating! Thanks for all your help.
        Lucy Iannotti
        Following Sea design & development
        New Bedford, MA
        • 37024
        • 14 Posts
        Recently one of my clients' websites got that malicious code too. After some investigation I found two files in the assets folder: .cache.idx.php and .xPDO.idx.php

        First I deleted them. Then I noticed that a cache file had appeared in core/cache/includes/elements/modplugin for a plugin that wasn't in the elements tree in the Manager.

        I opened the database with phpMyAdmin, and in the table "site_plugins" I saw a plugin named "Core Services" with that malicious code in it. I deleted the row with the plugin. Then, in the table "site_plugin_events", I deleted the rows with events linked to the plugin id for "Core Services".

        After that all injected code disappeared and the website is clean now.

        I hope the above helps others clean their infected/hacked websites.
          • 42914
          • 8 Posts
          I found a row named "QTc" in the "modx_site_plugins" table that also needs to be deleted.
            • 49296
            • 4 Posts
            We had malicious code injected in the modx_site_plugins table.

            Entirely deleting the /core/cache/ folder did not help as it just regenerated again.

            It turned out to be a 'Highlight Search' plugin and had the following comment at the top of the plugin_code:

            // MODx Revolution Core Services

            It was attached to the 'OnWebPagePrerender' plugin_event.
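
The plugin-table check described in the posts above, written as an added example (not code from any poster or from MODX): it lists every row in modx_site_plugins with its attached events and flags any plugin that is missing from, or differs from, a known-good baseline, so it does not depend on knowing the injected plugin's name. The column names (plugincode, pluginid, event), the baseline dictionary and the in-memory SQLite stand-in with constructed rows are assumptions; on a live site the same SELECT would run against MySQL.

```python
import hashlib
import sqlite3

# Assumed MODX Revolution column names: plugincode, pluginid, event.
QUERY = """
SELECT p.id, p.name, GROUP_CONCAT(e.event), p.plugincode
FROM modx_site_plugins p
LEFT JOIN modx_site_plugin_events e ON e.pluginid = p.id
GROUP BY p.id, p.name, p.plugincode
ORDER BY p.id
"""

def sha256(code):
    return hashlib.sha256((code or "").encode("utf-8")).hexdigest()

def audit_plugins(conn, baseline):
    """baseline: plugin name -> SHA-256 of its code from a known-good copy."""
    cur = conn.cursor()
    cur.execute(QUERY)
    findings = []
    for pid, name, events, code in cur.fetchall():
        if name not in baseline:
            reason = "not in baseline"
        elif baseline[name] != sha256(code):
            reason = "code differs from baseline"
        else:
            continue  # name and code both match the known-good copy
        findings.append((pid, name, reason, sorted(events.split(",")) if events else []))
    return findings

def constructed_db():
    """In-memory stand-in with constructed rows; a live site would be MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE modx_site_plugins (id INTEGER, name TEXT, plugincode TEXT);
        CREATE TABLE modx_site_plugin_events (pluginid INTEGER, event TEXT);
        INSERT INTO modx_site_plugins VALUES
          (1, 'ExamplePlugin', '// known-good code'),
          (2, 'Highlight Search', '// MODx Revolution Core Services'),
          (3, 'Core Services', '// placeholder');
        INSERT INTO modx_site_plugin_events VALUES
          (1, 'OnPageNotFound'), (2, 'OnWebPagePrerender'), (3, 'OnWebPagePrerender');
    """)
    return conn

if __name__ == "__main__":
    good = {"ExamplePlugin": sha256("// known-good code"),
            "Highlight Search": sha256("// original highlight code")}
    for row in audit_plugins(constructed_db(), good):
        print(row)
```

Build the baseline from a clean backup or a fresh install of the same packages, not from the database being examined.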
              • 37042
              • 384 Posts
              Thanks for all the help here. Helped me clean up a 2.2.14 site which had the same issue.

              Same symptoms as the OP but I also found:

              A file called wp-booter.php in assets/downloads
              I'm not a programmer but from what I can make out, it references a lot of 'reverse shell' stuff and md5 formats

              A lot of up.php files dotted around the filesystem with an upload/download form

              A file called common.php and get.php in the /core directory.
              Common.php was obfuscated.

              • FYI: It's prob'ly not terribly useful to document the exact names of the files, at least not in hopes of preventing anything. There are coding libraries dedicated to fuzzing both the content and to randomizing the file names, so these attacks will undoubtedly mutate over time.
                • I found that a handy way to search for these files is to look at their date. Almost always they all have the same date, and it will be different than the dates for all the rest of your MODX files. In some cases, if you've upgraded MODX but the files were already there, their dates will be older than the MODX files. Of course, this gets obscured in the case of active folders like an images folder where files are always getting added, but then these folders shouldn't have any, or at least not many, .php files in them anyway, so that makes it easy to spot them in images, css or js folders.
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
                  • That is a good way to search for them. I've seen some hacks mimic the datestamps of the files in the directories around them, but it's rare: most hacks don't bother to touch files and alter the datestamp.
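
The date-based search from the two posts above, as an added example that is not part of either post: it walks a webroot and reports .php files whose modification day differs from the day most .php files share, and separately reports .php files in static-asset folders and hidden .php files, which still catches a file whose datestamp was altered to match its neighbours. The folder names in STATIC_DIRS are assumptions to adjust per site.

```python
import os
import sys
import time

# Assumption: folder names that should hold only static assets on this site.
STATIC_DIRS = {"images", "css", "js", "downloads"}

def audit_webroot(root, static_dirs=STATIC_DIRS):
    """Return (php_in_static, hidden_php, date_outliers) as sorted relative paths."""
    php_in_static, hidden_php, by_day = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if parts & static_dirs:
                php_in_static.append(rel)   # location check, independent of dates
            if name.startswith("."):
                hidden_php.append(rel)      # dotfiles are hidden from plain listings
            day = time.strftime("%Y-%m-%d", time.gmtime(os.lstat(path).st_mtime))
            by_day.setdefault(day, []).append(rel)
    outliers = []
    if by_day:
        # The day most .php files share is treated as the install/upgrade date.
        baseline = max(by_day, key=lambda d: len(by_day[d]))
        outliers = [p for d, ps in by_day.items() if d != baseline for p in ps]
    return sorted(php_in_static), sorted(hidden_php), sorted(outliers)

if __name__ == "__main__":
    for label, paths in zip(("php in static dir", "hidden php", "date outlier"),
                            audit_webroot(sys.argv[1])):
        for p in paths:
            print(f"{label}: {p}")
```

Every hit is a file to open and read, not a verdict; regenerated files under core/cache will show up as date outliers on any site.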
                      • 10357
                      • 573 Posts
                      So far I have had two sites hacked (on MODX Cloud) in the past few days. They created hundreds of spam pages that Google picked up. Found wpscan.php in the root, wp-booter.php in the assets folder and a folder called phpdmyadmin, which looked like a control panel. No new users or plugins.