    • 28042 ☆ A M B ☆
    • 24,524 Posts
    Do you have phpmyadmin installed on those sites?
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
      • 10357
      • 573 Posts
      Not at the time of the hack; I installed it after.
        • 37047 ☆ A M B ☆
        • 309 Posts
        What version of Revo were the sites using, or what were they using on the date the hack happened?
          Lucy Iannotti
          Following Sea design & development
          http://www.following-sea.com
          New Bedford, MA
          • 28042 ☆ A M B ☆
          • 24,524 Posts
          I asked about phpmyadmin, because when you install it on a Cloud installation, by default it's in the /phpmyadmin/ folder, which doesn't exist until it's installed, and you mentioned one site at least that had one of the malicious files in there.
            Studying MODX in the desert - http://sottwell.com
            Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
            Join the Slack Community - http://modx.org
            • 10357
            • 573 Posts
            2.2.1 I think.

            It was not phpmyadmin, it was phpdmyadmin.
              • 42166
              • 2 Posts
              This week I also noticed a site was hacked this way by inserting malicious spam code. Despite removing the corrupted files /assets/cache.idx.php, /assets/xPDO.idx.php and /core/cache/xPDO.idx.php, removing the admin users that shouldn't be there and changing all passwords for the site and database, somehow the code was still there.

              By doing a search in the database on "Xpdo core services" I found the malicious plugin. Removed it and spam hacks are gone.

              I hope that was it.
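
A read-only check for the artifacts reported in this thread, added here as an example and not posted by any of the participants. The file paths, the `phpdmyadmin` name and the search string come from the posts above; the function name `modx_ioc_scan`, the output labels, the folder being directly under the web root, and the case-insensitive match against a `mysqldump` file are assumptions.

```shell
#!/bin/sh
# Added example: look for the artifacts named in this thread.
# Usage: modx_ioc_scan WEBROOT [SQL_DUMP]   (SQL_DUMP: a mysqldump of the site database)
# Prints one finding per line; returns 0 if nothing matched, 1 otherwise.

MARKER='Xpdo core services'   # string the last poster searched the database for

modx_ioc_scan() {
    root=${1:?web root required}
    dump=${2:-}
    found=0

    # Files reported as dropped on the compromised sites (paths as given in the thread).
    for rel in assets/cache.idx.php assets/xPDO.idx.php core/cache/xPDO.idx.php; do
        if [ -e "$root/$rel" ]; then
            echo "FILE  $root/$rel"
            found=1
        fi
    done

    # Look-alike folder name: "phpdmyadmin", not "phpmyadmin".
    # Assumption: it sits directly under the web root.
    if [ -d "$root/phpdmyadmin" ]; then
        echo "DIR   $root/phpdmyadmin"
        found=1
    fi

    # Plugin code is stored in the database, so deleting files does not remove it.
    # Assumption: a plain-text SQL dump is searched, ignoring case.
    if [ -n "$dump" ] && [ -f "$dump" ]; then
        hits=$(grep -c -i -F -- "$MARKER" "$dump" || true)
        if [ "${hits:-0}" -gt 0 ]; then
            echo "DB    $hits line(s) in $dump contain \"$MARKER\""
            found=1
        fi
    fi

    return $found
}

# Run directly with arguments, e.g.: sh scan.sh /path/to/webroot dump.sql
if [ $# -gt 0 ]; then
    modx_ioc_scan "$@"
fi
```

A clean result only means these specific names are absent; unexpected manager users and plugins still need a manual review, as the last poster did.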