- 230 Posts
Quote from: yoman at Sep 18, 2014, 09:50 AM
Quote from: chrisandy at Sep 17, 2014, 08:39 AM
I just got asked to look at a crippled Modx site. I'm seeing the same hack, with every .js file on the site affected with the script mentioned by Yoman.
It also gets mentioned here along with a possible clean-up script:
http://blog.lux-medien.com/2014/09/how-to-fix-actermoto-and-its-edited-javascript-files/
Is this a working solution to clean the site? (It's of course not the leak...)
My websites are on a server with mod_ruid2 installed; is it possible this is causing the problem?
I guess the problem lies within MODX Evo. Different sites on different systems means it is very unlikely that your system is causing that.
- 463 Posts
Again - if it's any help…
I just found three '.gif' files in cgi-bin containing trojans.
I have noticed that those files only appear in folders which are "more open" and writeable, like "/assets", "/core/cache" or "/core/export".
By the way: How did you scan your site for trojans?
- 463 Posts
Zipped it, downloaded it, scanned it with ClamXav
- 409 Posts
In my case, I only found .php files.
Yesterday I ran a find for the string "<?php eval(base64_decode($_POST" and deleted all results.
I will check if new hacked files come again in the next days...
But I didn't find any .js files.
Any tip to find them (maybe I don't have any)?
- 463 Posts
Just a bit more information…
The .js files don't seem to get infected until around 60 days after the initial hack.
By doing a search for files modified in the last ## days I found some .php files whose permissions were set to 200. That means they won't be easy to spot doing a 'normal' search.
I didn't find any infected files older than 60 days.
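The three indicators the posts above describe (the "<?php eval(base64_decode($_POST" string, recently modified files with an odd mode such as 200, and image-named files in writable directories that actually hold PHP) can be checked from one read-only script. This is an added example, not code from the thread or from MODX. It assumes Linux with GNU find and grep, and a user that can read every file (as the site user, a mode-200 file is listed by the permission check but cannot be grepped). The sample tree it builds is constructed for the demo; the two .php names come from the thread, their contents are made up.

```shell
#!/bin/sh
# Added example (not from the thread or MODX): read-only scan of a docroot for
# the indicators discussed in the thread. Assumes GNU find/grep on Linux.

# Webshell marker quoted in the thread.
MARKER='<?php eval(base64_decode($_POST'

# Indicator 1: any file, whatever its extension, containing the marker.
find_marker_files() {
    grep -rlF -- "$MARKER" "$1" 2>/dev/null | sort
}

# Indicator 2: files touched in the last N days, listed with their mode so an
# odd mode such as 200 (--w-------) stands out in the listing.
find_recent_files() {
    find "$1" -type f -mtime "-$2" -exec ls -ld {} + | sort -k9
}

# Indicator 2b: files the owner cannot read at all (mode 200, 300, 000 ...).
# A plain "grep -r" run as the site user skips these silently.
find_unreadable_files() {
    find "$1" -type f ! -perm -400 | sort
}

# Indicator 3: "image" files whose content is really PHP.
find_fake_images() {
    find "$1" -type f \( -name '*.gif' -o -name '*.jpg' -o -name '*.png' \) \
        -exec grep -lF -- '<?php' {} + 2>/dev/null | sort
}

# Constructed sample tree so the functions can be exercised offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/assets/plugins/qm/css" "$root/cgi-bin" "$root/core/cache" "$root/images"
    printf '%s\n' "$MARKER['c'])); ?>" > "$root/assets/plugins/qm/css/b247598be7.php"
    printf '%s\n' '<?php /* constructed: php hidden behind a .gif name */ ?>' > "$root/cgi-bin/logo.gif"
    printf 'GIF89a' > "$root/images/real.gif"
    printf '%s\n' '<?php echo "hello"; ?>' > "$root/images/c404a14.php"
    printf '%s\n' "$MARKER['c'])); ?>" > "$root/core/cache/hidden.php"
    chmod 200 "$root/core/cache/hidden.php"   # the write-only case from the thread
    printf '%s\n' "$root"
}

# Usage: sh scan.sh --demo   (or source it and call the functions on a real docroot)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "== marker files";  find_marker_files "$root"
    echo "== unreadable";    find_unreadable_files "$root"
    echo "== fake images";   find_fake_images "$root"
    echo "== modified <1d";  find_recent_files "$root" 1
    rm -rf "$root"
fi
```

On a real site run it as root so the marker search covers the write-only files, and widen the image extensions and directory list to match your tree; the mtime window only helps if you know roughly when the site was last clean.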
- 5 Posts
I have the same issue with one of my sites. It was originally hacked on 26th September 2014 when it was running 1.0.5; following this we wiped the server, deleted the database, installed Modx 1.0.14 and manually recreated the site.
Unfortunately it's just been hacked again, every .js file has been infected.
I'm chasing the hosts to help highlight where the attackers entered, but so far they aren't being much use.
This suggests there is definitely a vulnerability in 1.0.14 as this was a completely clean install less than 2 weeks ago.
- 5 Posts
Thanks for the reply Jako.
I've been looking through the logs today and have put together some of the more interesting entries.
Before the cleanup and new install it appears /assets/plugins/qm/css/b247598be7.php was accessed regularly. After the cleanup there were still attempts to access this file even though it didn't exist on the server.
Following the new install, the first hacked file to be accessed by the hackers appears to be /images/c404a14.php.
I've attached the entries if you have a couple of minutes to take a look, please?
Thanks
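The log review described in the post above (regular hits on a .php file under a static directory, probes for it continuing after the clean-up, and the first shell touched after the reinstall) can be pulled out of an access log with a few awk one-liners. This is an added example, not code from the thread or from MODX. It assumes Apache/nginx combined log format (request in field 7, status in field 9). The sample lines are constructed: the two paths are the ones named in the thread, the TEST-NET addresses, timestamps and sizes are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find webshell traffic in a combined-
# format access log. Field 7 is the request path, field 9 the status code.

# Directories a MODX Evo site serves static content from; a .php request
# there is suspect. Extend the list to match your tree.
DIRS='^/(assets|images|cgi-bin|core)/.*[.]php'

# Every request for a .php file under a static directory: "ip method path status".
shell_hits() {
    awk -v re="$DIRS" '$7 ~ re { print $1, substr($6, 2), $7, $9 }' "$@"
}

# Hits that returned 404: after a clean-up these are attackers probing for a
# shell that is no longer there, as the post describes.
probe_404s() {
    shell_hits "$@" | awk '$4 == 404'
}

# Distinct source IPs that touched a shell path, for blocking or pivoting.
shell_ips() {
    shell_hits "$@" | awk '{ print $1 }' | sort -u
}

# Earliest hit per shell path: the place to start reading backwards for the
# request that dropped the file.
first_hit_per_path() {
    awk -v re="$DIRS" '$7 ~ re && !($7 in seen) { seen[$7] = 1; print $4, $7 }' "$@"
}

# Constructed sample log (TEST-NET addresses, made-up timestamps).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:03:12:44 +0000] "POST /assets/plugins/qm/css/b247598be7.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2014:08:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2014:02:30:10 +0000] "POST /assets/plugins/qm/css/b247598be7.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2014:04:15:00 +0000] "POST /images/c404a14.php HTTP/1.1" 200 330 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Oct/2014:09:00:00 +0000] "GET /assets/images/logo.gif HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
EOF
}

# Usage: sh loghunt.sh --demo, or e.g. shell_hits /var/log/apache2/access.log*
if [ "${1:-}" = "--demo" ]; then
    echo "== shell hits";  sample_log | shell_hits
    echo "== 404 probes";  sample_log | probe_404s
    echo "== source IPs";  sample_log | shell_ips
    echo "== first seen";  sample_log | first_hit_per_path
fi
```

The first-seen timestamp per path is the useful output: the upload or include request that created the file sits shortly before it in the same log, usually from the same source address.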