  • Hi,

    in the last two weeks I twice got a message from my hoster that my website was hacked.

    The first time I unfortunately used MODX version 2.2.13 with the known security issue "Blind SQL Injection". After I got the mail that my website was hacked, I immediately installed the current 2.2.14-pl MODX version without that issue and uploaded a backup of my website I had made one month before. Well, then everything worked fine and my hoster unlocked my website because they couldn't find any malware or viruses anymore.

    So I thought I had this hacking attack under control, but I didn't.

    Yesterday, five days after the first attack, I got an email again that the same website was hacked. I couldn't believe that, because the system was updated. So I wanted to find out where the problem was. I got a txt file that contains the infected data, code lines and which software is out of date. There I found these lines:

    Discovery:      .../core/components/elrte/testing/phpthumb for PHP 5.3.x and higher/phpthumb.class.php
    Module:         phpthumb
    Current:        1.7.11
    Discovery/Old:  1.7.9
    
    
    Discovery:      .../core/components/elrte/testing/phpthumb/phpthumb.class.php
    Module:         phpthumb
    Current:        1.7.11
    Discovery/Old:  1.7.9



    After I installed a new MODX again and uploaded the backup, ran the setup and logged in to the manager, I checked my packages. There were updates for Gallery and getResources which I hadn't applied before. I don't think that this was the problem. I checked the package elRTE (a text editor), because it was listed in the txt file by the hoster. elRTE was listed in the package management, but I couldn't find it in the core/packages directory, only in core/components. I tried to uninstall it, but with no effect. So I forced the deletion. And it worked. Additionally I deleted the elrte directory manually with my FTP account in core/components.

    Now I think the problem was the elRTE package. In the database I found out that I used elrte-0.0.1-beta6.
    Could it be possible that this package has a security vulnerability?

    If not, I don't know what I did wrong. I don't use any own scripts or code. And I don't know what to do if my website gets hacked again. I will tell you if it happens again...

    Greets
    Isabel [ed. note: dracovina last edited this post 5 years, 1 month ago.]
    • You may be right, but it's also possible that the original hackers left some things in place to get them back in. Updating MODX wouldn't help with that.

      Once your site is compromised, it's easy for the hacker to plant files that will allow them in in the future. Upgrading MODX will never delete files that are not part of MODX, so those harmful files will remain.

        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
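Bob's point that an upgrade never removes files which are not part of MODX leads directly to the check a practitioner would run after a compromise: compare the deployed tree against a pristine copy of the same release and look at everything that is extra or modified. The script below is an added example, not code from this thread or from MODX itself. The file paths and contents it creates are constructed for the demo, and the set of excluded directories (`core/cache`, `core/export`) is an assumption about which directories legitimately differ between installs.

```python
"""Find files a reinstall would leave behind: audit a web root against a manifest.

Added example, not from the forum thread or the MODX project. The manifest is
built from a pristine copy of the release; the live tree is then compared to it.
All paths and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# Assumption: these directories are expected to differ between installs and
# are skipped on both sides. Adjust to the application you are auditing.
EXCLUDE = {"core/cache", "core/export"}


def _sha256(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
        if rel_dir in EXCLUDE:
            dirnames[:] = []  # prune: do not descend into excluded directories
            continue
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = _sha256(os.path.join(dirpath, name))
    return manifest


def audit(root, manifest):
    """Return extra, modified and missing paths in root relative to manifest."""
    deployed = build_manifest(root)
    extra = sorted(p for p in deployed if p not in manifest)
    missing = sorted(p for p in manifest if p not in deployed)
    modified = sorted(p for p in deployed
                      if p in manifest and deployed[p] != manifest[p])
    return {"extra": extra, "modified": modified, "missing": missing}


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Build a constructed clean tree and a constructed live tree, then audit."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        files = {
            "index.php": "<?php // constructed stand-in for the front controller\n",
            "core/components/elrte/index.php": "<?php // constructed extra's file\n",
            "core/cache/foo.cache.php": "<?php return array();\n",
        }
        for rel, body in files.items():
            _write(clean, rel, body)
            _write(live, rel, body)
        # What a reinstall/upgrade does not undo: an unknown file under an
        # extra's directory, a changed shipped file, and a removed shipped file.
        _write(live, "core/components/elrte/testing/phpthumb/extra.php",
               "<?php // constructed: not part of the release\n")
        _write(live, "index.php", files["index.php"] + "// constructed: appended line\n")
        os.remove(os.path.join(live, "core", "components", "elrte", "index.php"))
        return audit(live, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest comes from a freshly downloaded archive of the exact release in use (plus pristine copies of each installed extra), and the audit runs over a copy of the live tree taken before anything is cleaned. Every entry under `extra` and `modified` needs a look, whatever its extension, because the report from the hoster above already shows that the relevant directory was inside an extra, not in MODX core. The cache exclusion is why the constructed `core/cache/foo.cache.php` is not reported on either side.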
      • It may also have been an issue with that phpthumb. I seem to remember something about a vulnerability in certain versions of phpthumb.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org