the last two weeks I got two times a message from my hoster that my website was hacked.
The first time I unfortunately used MODX version 2.2.13 with the known security issue "Blind SQL Injection". After I got the mail that my website was hacked, I immediately installed the current 2.2.14-pl MODX version without that issue and uploaded a backup from my website I made one month before. Well, then everything works fine and my hoster unlocked my website because they couldn't find malware or virus any more.
So I thought I got this hacking attack under control, but it wasn't.
Yesterday, five days after the first attack, I got an email again that the same website was hacked. I couldn't believe hat, because the system was updated. So I wanted to found out where the problem is. I got a txt file that contains the infected data, code lines and which software is out of date. There I found these lines:
Discovery: .../core/components/elrte/testing/phpthumb for PHP 5.3.x and higher/phpthumb.class.php
After I installed a new MODX again and uploaded the backup, ran the setup and logged in the manager, I checked my packagaes. There were updates for Gallery and getResources which I didn't made before. I don't think that this was the problem. I checked the package elRTE (a text editor), because it was listed in the txt file by the hoster. elRTE was list in the package managent, but I couldn't find it in the core/packages directory but in the core/components. I tried to unstall but no effect. So I enforced the deletion. And it works. Additionally I deleted the elrte directory manually with my FTP Account in core/components.
Now I think the poblem was the elRTE package. In the databse I found out that I used elrte-0.0.1-beta6
Could it be possible that this package has a security vulnerability?
If not, I don't know what I did wrong. I don't use any own scripts or codes. And I don't know what to do if my website will be hacked again. I will tell you if it happens again...
[ed. note: dracovina last edited this post 5 years, 1 month ago.]