-
- 24,544 Posts
Do you have a URL shortener plugin running?
-
- 24,544 Posts
That would make me very nervous. See if you have any unfamiliar new users. Keep an eye out for suspicious content in the cache files.
Perhaps someone ended up on your site via a different domain accidentally or on purpose (if the server responds properly, it's quite easy to spoof stuff like that through your hosts file), causing the cache to be written with that weird domain.
Simply set the base tag to be uncached, and it shouldn't stick with it in the future.
<base href="[[!++site_url]]">
Alternatively, use .htaccess rewrite rules to force the proper domain so they can never get to your site on an invalid domain in the first place.
This could have been done by DNS poisoning; there has been a lot of that going around lately, and it could have gotten cached that way. The site_url is calculated at each page request, so if your hosting DNS got poisoned in some way at some point, it would have calculated that URL. That would have nothing to do with MODX itself being compromised.
That's not really a very effective deliberate hack, as it only affects images and other external files. You could uncache the placeholder [[!++site_url]] which should prevent it from happening again in any case.
Alternatively, you could use absolute URLs for your images and other external links; it just means putting the leading slash in front of the URLs - /assets/images/etc - and then the base meta tag isn't necessary.
-
- 1,118 Posts
Thanks all. Have gone with <base href="[[!++site_url]]"> as suggested - hopefully fixes the issue going forward.
Cheers
-
- 8 Posts
I'm experiencing this same problem. It appears that the base url is hacked. It happens every couple weeks, and seems to be a different site each time (often Chinese). Clearing the cache fixes it.
I've gone through the steps to harden the site, moving core outside of the webroot, changing the admin login url, etc.
I've also set the base tag to: <base href="[[!++site_url]]">
And if I view source on the page (when it's been hacked), the base url does appear to be set right, but all the menu (wayfinder) links have a different url as the base url. None of the pages load when clicked, because the path doesn't exist on the other site.
And again, clearing the cache fixes this problem every time.
My config.inc.php's permissions are set to 644.
My cache's permissions are set to 750.
But I still continue to get hacked. I'm at a loss. Any help would be most appreciated.
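An added example, not part of the thread and not MODX code: one way to "keep an eye out for suspicious content in the cache files" is to list every URL host found in the cache directory that is not on an allowlist of your own domains. The cache path, the allowlist and the sample file contents are assumptions constructed for illustration; hosts you deliberately link to need to be added to the allowlist.

```python
import re
import tempfile
from pathlib import Path

# Absolute URLs, including JSON-style escaped slashes (http:\/\/host).
URL_HOST = re.compile(r"https?:\\?/\\?/([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def foreign_hosts(cache_dir, allowed_hosts):
    """Map each URL host not in allowed_hosts to the cache files containing it."""
    root = Path(cache_dir)
    allowed = {h.lower() for h in allowed_hosts}
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in sorted({h.lower() for h in URL_HOST.findall(text)}):
            if host not in allowed:
                hits.setdefault(host, []).append(path.relative_to(root).as_posix())
    return hits


def build_sample_cache(root):
    """Write two constructed, simplified cache files (not real MODX output)."""
    res = Path(root) / "resource" / "web"
    res.mkdir(parents=True)
    good = '<base href="https://www.example.com/"><a href="https://www.example.com/about">About</a>'
    # Case from the thread: base tag correct, cached menu link on another host.
    bad = '<base href="https://www.example.com/"><a href="http://unknown-host.example.net/about">About</a>'
    (res / "1.cache.php").write_text("<?php return '" + good + "';", encoding="utf-8")
    (res / "2.cache.php").write_text("<?php return '" + bad + "';", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for host, files in foreign_hosts(tmp, {"www.example.com"}).items():
            print(host, "->", ", ".join(files))
```

Run on a schedule against the real cache directory, a non-empty result shows which cached files picked up the wrong host before visitors report broken links.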