    • 48855
    • 4 Posts
    Hi,

    Sorry that my first post here is not good news.

    A couple of days ago I installed MODX Evo 1.0.14 on an Ubuntu 14.04 virtual machine. The site was HTTPS-only and was not public.

    Page 1 got hacked by replacing the base tag with one pointing to an Asian site. That made local links point to this site.

    I downloaded the entire modX install to check the files with git (by comparing it with a version in my computer) and all seems to be OK. Also I could not find anything unusual in the database.

    I also didn't see any changes in the user logs.

    Could it be that only the cache was modified? How can I prevent this from happening again?

    Thank you for your help.

      • 48855
      • 4 Posts
      Just to clarify that what was modified was the base tag but only in the live page, not in the document in the database.

      In the resource <base href="[(site_url)]" />

      It's the original Minimal template. No snippets.

      In other pages <base href="" /> was not changed, just in the document 1.

      Best
        • 48855
        • 4 Posts
        May I ask if there's a special forum / bugtracker to report specific security issues?

        Is there anything I can do to help fix it, especially if it happens next time?

        I looked at the logs but as I'm not sure what to look for...
        • There is no forum for security issues yet.

          If I got you right, the HTML base tag has been changed, but not in the template itself. That would be a new hacking approach to me. Can you check if you have other users in the user management? Or maybe in the database? Sometimes they appear there without a name, so they don't appear in the backend. With the creation date of that user you could search for server log entries.
          • The issue that happens on your site is a very special one. I think the MODX installation is running on the first or on the only vhost of the machine. In that special case your result is thinkable, since $_SERVER['HTTP_HOST'] could be spoofed by the client browser (The site has to be called by IP and the Host header could be set to everything else, if I remember the discussion on http://tracker.modx.com right – see http://stackoverflow.com/questions/1459739 for further explanations) and the result is cached afterwards.

            The only thing that could resolve this situation is to fill 'Tools -> Configuration -> Site -> Valid hostnames' system setting. The first entry of the comma separated list of valid hostnames is chosen, if $_SERVER['HTTP_HOST'] is not in this list of valid hostnames.
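
The behaviour described in the reply above, as an added example that is not part of the original thread and is not MODX's own code: the site URL built directly from the Host header next to a version that checks a comma-separated allowlist and falls back to its first entry. The function names, hostnames and sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function names and hostnames are hypothetical, not MODX code.

function requestScheme(array $server): string
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Unsafe: whatever the client sends as Host ends up in the URL. If the rendered
// page is cached, every later visitor is served that client-chosen value.
function siteUrlFromRequest(array $server): string
{
    return requestScheme($server) . '://' . ($server['HTTP_HOST'] ?? '') . '/';
}

// Hardened: accept the Host header only on an exact allowlist match,
// otherwise use the first configured hostname.
function siteUrlFromAllowlist(array $server, string $validHostnames): string
{
    $allowed = array_values(array_filter(array_map(
        fn($h) => strtolower(trim($h)),
        explode(',', $validHostnames)
    ), 'strlen'));
    if ($allowed === []) {
        throw new InvalidArgumentException('valid hostnames list is empty');
    }
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Exact string match: a value with a port or extra characters is rejected too.
    if (!in_array($host, $allowed, true)) {
        $host = $allowed[0];
    }
    return requestScheme($server) . '://' . $host . '/';
}

// Constructed sample requests (the shape of $_SERVER, not real traffic).
$valid = 'www.example.org, example.org';
$requests = [
    'normal'  => ['HTTPS' => 'on', 'HTTP_HOST' => 'example.org'],
    'spoofed' => ['HTTPS' => 'on', 'HTTP_HOST' => 'untrusted.example.net'],
    'missing' => ['HTTPS' => 'on'],
];
foreach ($requests as $label => $server) {
    $unsafe = htmlspecialchars(siteUrlFromRequest($server), ENT_QUOTES);
    $safe   = htmlspecialchars(siteUrlFromAllowlist($server, $valid), ENT_QUOTES);
    echo "$label\n  unsafe: <base href=\"$unsafe\" />\n  safe:   <base href=\"$safe\" />\n";
}
```

Only the "normal" request keeps its own hostname in the hardened output; the other two fall back to the first allowlist entry, so a cached page can never carry a client-supplied host.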
              • 48855
              • 4 Posts
              Hi Jako and all.

              Indeed MODX is running as the only vhost and I didn't have this configured, but now I do. Thank you Jako. Your answer with the Stack Overflow link made sense. I also didn't know $_SERVER['HTTP_HOST'] could give wrong results based on the browser request. Makes sense.

              I suspected it was the cache only because after I saved the page as it was the problem vanished.

              gallenkamp: Indeed I'm the only editor and I spent more than one hour doing the git test with the files and reading the MySQL export (it's a small site) after checking the user tables in phpMyAdmin. But thanks, it's good to ask, I could have forgotten.

              Thank you both for your help.