manager/includes/protect.inc.php
A member of my marketing team brought to my attention that our Crawl Errors in Google webmaster tools. All of our pages where returning 500 errors.
While troubleshooting, I started with Reports / System Events in MODx Evo (1.0.14) and found that this GZINFLATE error was happening in the file above.
I went to the file, removed the base64 code that had been inserted and our site went back to working as expected in Google Crawls.
A few days later, this happened again, so this time around, I disabled all Manager Users / Changed the password on my admin account and Disabled FTP on my server while fixing the issue once again. Things went back to normal and no more errors.
Today it has happened for a 3rd time in the span of a month and I need to figure out how this malicious code is getting into the file (listed above).
FTP Logs show nothing (but it is now disabled)
MODx shows nothing except for the GZINFLATE Error
The funny thing is that the file date modified hasn't changed since that last time I updated it, but the code is back.
Please help.
Thanks in Advance
Jason