    • 19403
    • 15 Posts
    Dear all,

    FYI:
    Before I upgraded to 1.0.14 my older version (don't know which version it was 1.0.7!?) was hacked and was used for sending spam emails. Unfortunately this upgrade did not solve the problem.

    After too many hours searching the site and the internet I found out that the mails were sent by the TinyMCE rich text editor plugin.
    Deleted it and replaced it by CKEditor

    Until now (3 hours later) it seems that the problem is solved.

    Kr
    Michiel
      • 3749
      • 24,544 Posts
      Interesting. Thanks for the report. :)

      How did you find out the site was sending spam?

        • 19403
        • 15 Posts
        Hi BobRay,

        It was the web host who warned me. When I checked the default email account (cPanel) there were almost 80000 undelivered mails in the inbox. (Imagine how many were delivered.)
        • This was happening to me about once a month. I found malware in the folders of the following plugins:

          TinyMCE
          phpx
          managermanager
          filesource
          codemirror

          And in the folders of the following snippets:

          ajaxSearch
          ditto
          eform
          FeedX
          JWPlayer
          MaxiGallery
          Personalize
          phpthumb
          ultimateparent
          Wayfinder
          WebLoginPE


          And in the folders of the following modules:

          MultiMedia Manager
          DocManager
          CatManager





          [ed. note: rx2 last edited this post 9 years, 5 months ago.]
          • I'm moving everyone I can to Revo.
              • 23610
              • 37 Posts
              If TinyMCE is responsible for all that happens lately with MODX Evo sites (hacked), then we need ASAP (like yesterday) a new MODX release with fixed TinyMCE or its alternative on board (CKEditor?). A lot of my sites have been compromised. Even those with clean 1.0.14 without AjaxSearch and other stuff that wasn't needed.
                • 22840
                • 1,572 Posts
                If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email (through exim). To do this, log into the server via SSH and run the command:


                grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


                The above will list the accounts that have been sending out emails like below:


                434 /home/site1/public_html/blog
                1012 /home/site2/public_html/blog
                2129 /home/site3
                16808 /home/site4/public_html/assets/docs


                From this we can see that site4 has sent 16808, which will be the culprit, so we need to find out where the email is being sent from. To get this, run the following command:

                ls -lahtr /home/site4/public_html/assets/docs


                This will list the docs like below. In the list we will notice that one file is owned by nobody; this is probably the script that is sending out, so that's a starting point.

                -rwxrwxrwx  1 burysted burysted  16K Mar  1  2010 license.txt*
                -rwxrwxrwx  1 burysted burysted   70 Mar  1  2010 index.html*
                -rw-r--r--  1 nobody   nobody    32K Oct 20  2010 db.php


                This is the easiest way I have found for finding compromised accounts, however you can guarantee that there are other files within the account so you'll need to find and remove all of them.
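
The two checks described in the post above, combined into one script. This is an added example, not part of the original post: the function names, the threshold and the sample log lines are constructed, and `foreign_owned` generalises "owned by nobody" to any file whose owner differs from the owner of the directory.

```shell
#!/bin/sh
# Added example. Sample log lines, paths and the threshold are constructed.

# Print "<count> <dir>" for each cwd= seen in an exim main log, ascending.
# Exim's own spool directories are skipped, like the grep -v in the post.
count_by_cwd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=/) {
                dir = substr($i, 5)
                if (dir !~ /^\/var\/spool/) n[dir]++
            }
    }
    END { for (d in n) print n[d], d }' "$1" | sort -n
}

# Print only the directories that submitted more than $2 messages.
over_threshold() {
    count_by_cwd "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Print regular files under $1 whose owner differs from the owner of $1.
foreign_owned() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    find "$1" -type f ! -user "$owner" -print
}

# Constructed sample of exim main log lines carrying cwd= entries.
sample_log() {
    cat <<'EOF'
2010-10-20 03:11:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2010-10-20 03:11:05 cwd=/home/site4/public_html/assets/docs 3 args: /usr/sbin/sendmail -t -i
2010-10-20 03:11:06 cwd=/home/site4/public_html/assets/docs 3 args: /usr/sbin/sendmail -t -i
2010-10-20 03:11:07 cwd=/home/site4/public_html/assets/docs 3 args: /usr/sbin/sendmail -t -i
2010-10-20 03:12:40 cwd=/home/site1/public_html/blog 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demo: rank the sample, then inspect every directory over the threshold.
log=$(mktemp)
sample_log > "$log"
count_by_cwd "$log"
over_threshold "$log" 2 | while read -r dir; do
    if [ -d "$dir" ]; then foreign_owned "$dir"; fi
done
rm -f "$log"
```

On a real server, pass `/var/log/exim_mainlog` and a threshold that suits the normal mail volume of the hosted sites.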
                  • 19403
                  • 15 Posts
                  Thanks Paul, I will try this as according to my host, there are still mails sent from my MODX Evo.
                  But I'm not sure if they are right as I'm not receiving any undelivered mails back in my mailbox. Before I deleted TinyMCE I had at least a dozen per minute.

                  @PMFX, I have replaced TinyMCE with CKEditor. It looks like other CMS systems have had the same issue with TinyMCE.
                  • Hi migiel, did you try maldet for linux? It cleaned my evo 1.0.14 site yesterday. No spam since then.
                      • 23610
                      • 37 Posts
                      Migiel, sounds promising, but did you take CKEditor from here http://modx.com/extras/package/ckeditorforevo ? Looks outdated (Released Mar 16, 2011) :(