Most security holes reside in Extras being uploaded to the assets folder.
There are 3 things you can do to secure old sites:
1. Don't allow http, https and ftp as values for URL vars. (See first line)
RewriteEngine On
# a remote URL (http, https or ftp) passed in a query variable
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
# script names that should never appear in a query string
RewriteCond %{QUERY_STRING} (.*)(reflect\.php|contact\.php)(.*) [NC,OR]
# /proc/self/environ traversal
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# mosConfig_ variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# base64_encode(...) calls (parentheses escaped so they match literally)
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# <script> tags, raw or URL-encoded
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# GLOBALS[...] / _REQUEST[...] overrides (the "[" must be escaped)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# send matches to the blackhole page; the trailing "?" drops the query string
RewriteRule ^(.*)$ /blackhole/index.php? [R,L]
2. Restrict access to .tpl and .php files in the assets folder:
# put this in assets/.htaccess; in the site root it would block every .php file on the site
<FilesMatch "\.(php|tpl)$">
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
Order allow,deny
Deny from all
</FilesMatch>
3. Never log into FTP on a public network.
http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm
3b. Delete the "Forgot manager password" plugin, the AjaxSearch snippet + folder (if you decide NOT to upgrade them) and index-ajax.php in the root.
---------------------------------------------------------------
The first 3 things to do when/if you find a remote file inclusion:
1) Scan all folders for newly created files by checking the file timestamps.
2) Make sure no Manager/Web Users have been added.
3) Change passwords (MODX, MySQL, FTP etc.)
IMHO: the best protection is an offline backup on a local webserver. Then if a site gets compromised:
1) Download the latest assets (pics, PDFs, etc.) and make sure they are legit.
2) Secure the site (patch/upgrade).
3) Wipe everything on the server and replace it with the fixed/up-to-date backup.
4) Change passwords (MODX, MySQL, FTP etc.)
[ed. note: mrhaw last edited this post 9 years, 8 months ago.]
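Added example (not part of mrhaw's post): a Python script that serves two of the points above. It transcribes the RewriteCond patterns from item 1 into Python regexes and runs them over a few constructed access-log lines, which shows a defender which past requests the blackhole rule would have caught; and it implements step 1 of the triage list (files modified after the last known-good time) together with a check for .php/.tpl files under assets/, the ones the FilesMatch block is meant to make unreachable. The log lines, the file tree and every file name in it are constructed for the demo (RFC 5737 addresses, placeholder paths), and the base64_encode pattern is transcribed with its parentheses escaped.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# The post's RewriteCond patterns transcribed to Python regexes. Apache tests them
# against the raw, still-URL-encoded %{QUERY_STRING}, so "%3C" stays literal here too.
BLOCKED_QUERY_PATTERNS = [
    re.compile(r"(http|https|ftp)://", re.I),
    re.compile(r"(reflect\.php|contact\.php)", re.I),
    re.compile(r"proc/self/environ"),
    re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)"),
    re.compile(r"base64_encode.*\(.*\)"),
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.I),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]

# Request line of an Apache common/combined log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2011:13:56:01 +0000] "GET /index.php?id=http://198.51.100.7/a.txt HTTP/1.1" 200 511
203.0.113.9 - - [10/Oct/2011:13:56:07 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 511
203.0.113.9 - - [10/Oct/2011:13:56:12 +0000] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 511
203.0.113.5 - - [10/Oct/2011:13:57:40 +0000] "GET /assets/images/logo.png HTTP/1.1" 200 8802
"""

def would_be_blackholed(query_string):
    """True if any RewriteCond pattern matches the raw query string."""
    return any(p.search(query_string) for p in BLOCKED_QUERY_PATTERNS)

def triage_log(text):
    """(request target, blocked?) for each request line; lines without one are skipped."""
    results = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        results.append((target, would_be_blackholed(target.partition("?")[2])))
    return results

def find_new_files(root, since_epoch):
    """Step 1 of the post's triage: files modified after the last known-good time."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > since_epoch
    )

def find_scripts_in_assets(root, assets_dir="assets"):
    """Script files under assets/, which the FilesMatch block should make unreachable."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in (root / assets_dir).rglob("*")
        if p.is_file() and p.suffix.lower() in {".php", ".tpl"}
    )

def build_fixture():
    """Constructed site tree: a week-old baseline plus two files written afterwards.
    All paths are placeholders chosen for the demo, not paths from a real incident."""
    root = Path(tempfile.mkdtemp(prefix="modx-demo-"))
    baseline = time.time() - 7 * 86400
    files = {
        "index.php": baseline,
        "assets/images/logo.png": baseline,
        "assets/snippets/AjaxSearch/AjaxSearch.tpl": baseline,
        "assets/images/tmp.php": time.time(),
        "manager/includes/extra.php": time.time(),
    }
    for rel, mtime in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
        os.utime(path, (mtime, mtime))  # backdate the baseline files
    return root, baseline

def run_demo():
    """Build the fixture and run all three checks; returns the results."""
    root, baseline = build_fixture()
    return {
        "new_files": find_new_files(root, baseline + 60),
        "scripts_in_assets": find_scripts_in_assets(root),
        "log_triage": triage_log(SAMPLE_LOG),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value, sep=": ")
```

On a real site, point `find_new_files` at the document root with the timestamp of the last clean backup, and treat every hit under assets/ that is not a plain upload as something to compare against that backup before deciding whether to wipe and restore.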