GZINFLATE Hack - protect.inc.php

manager/includes/protect.inc.php

A member of my marketing team brought to my attention that our Crawl Errors in Google webmaster tools. All of our pages where returning 500 errors.

While troubleshooting, I started with Reports / System Events in MODx Evo (1.0.14) and found that this GZINFLATE error was happening in the file above.

I went to the file, removed the base64 code that had been inserted and our site went back to working as expected in Google Crawls.

A few days later, this happened again, so this time around, I disabled all Manager Users / Changed the password on my admin account and Disabled FTP on my server while fixing the issue once again. Things went back to normal and no more errors.

Today it has happened for a 3rd time in the span of a month and I need to figure out how this malicious code is getting into the file (listed above).

FTP Logs show nothing (but it is now disabled)
MODx shows nothing except for the GZINFLATE Error

The funny thing is that the file date modified hasn't changed since that last time I updated it, but the code is back.

Please help.





Thanks in Advance
Jason

Can you tell us more about your hosting, what do your access logs indicate, and how did you last upgrade the site?

Windows Server 2008 R2 Enterprise Edition
PHP 5.3.8
MySQL 5.5.17
MODx 1.0.4 (June 05, 2014 Release Date)

Last updated site by downloading .zip on windows, extracting files, copying to MODx folder and then connecting to my websites install path and selecting upgrading existing MODx install.

MODx is configured and host on my server in the Rackspace Cloud.
Running on Windows because of some .NET apps we have.

I have been using MODx for 4 plus years and this is the first time I have experience anything like this.

Access files show nothing. I am thinking INJECTION, but they are writing to a physical file.

Thanks,
Jason