We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered Base href hacked

    • 8168
    • 1,118 Posts
    dubbs Reply #1, 9 years, 4 months ago
    Hi, Building a website on Revo 2.3.1 and noticed that it seems the base href has been hacked! It was changed form the siteURL to http://ly.com huh How can that happen and how can I prevent it?? Logged into the manager and all OK there... cleared cache and bang all back to normal... cant see any other issues...

    Note - I have a members area using Login addon if that helps??

    Any ideas?

    Cheers


    dubbs.

    This question has been answered by markh. See the first response.

      • 3749
      • 24,544 Posts
      BobRay Reply #2, 9 years, 4 months ago
      Do you have a URL shortener plugin running?

        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 8168
        • 1,118 Posts
        dubbs Reply #3, 9 years, 4 months ago
        Quote from: BobRay at Dec 29, 2014, 10:26 PM
        Do you have a URL shortener plugin running?


        no...
          • 3749
          • 24,544 Posts
          BobRay Reply #4, 9 years, 4 months ago
          That would make me very nervous. See if you have any unfamiliar new users. Keep an eye out for suspicious content in the cache files.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
          • discuss.answer
            Mark Hamstra Reply #5, 9 years, 4 months ago
            Perhaps someone ended up on your site via a different domain accidentally or on purpose (if the server responds properly, it's quite easy to spoof stuff like that through your hosts file), causing the cache to be written with that weird domain.

            Simply set the base tag to be uncached, and it shouldn't stick with it in the future. 

            <base href="[[!++site_url]]">


            Alternatively, use htaccess rewrite rules to force the proper domain so they can never get to your site on an invalid domain in the first place.
              Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

              Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
              • 8168
              • 1,118 Posts
              dubbs Reply #6, 9 years, 4 months ago
              Quote from: BobRay at Dec 29, 2014, 10:44 PM
              That would make me very nervous. See if you have any unfamiliar new users. Keep an eye out for suspicious content in the cache files.

              No new users no. What should I look for in the cache files?
              • sottwell Reply #7, 9 years, 4 months ago
                This could have been done by DNS poisoning, there has been a lot of that going around lately, and it could have gotten cached that way. The site_url is calculated at each page request, so if your hosting DNS got poisoned in some way at some point it would have calculated that URL. That would have nothing to do with MODX itself being compromised.

                That's not really a very effective deliberate hack, as it only affects images and other external files. You could uncache the placeholder [[!++site_url]] which should prevent it from happening again in any case.

                Alternatively, you could use absolute URLs for your images and other external links, it just means putting the leading slash in front of the URLs - /assets/images/etc - and then the base meta tag isn't necessary.
                  Studying MODX in the desert - http://sottwell.com
                  Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                  Join the Slack Community - http://modx.org
                • Jako Reply #8, 9 years, 4 months ago
                  There is a similar Issue in Evo. Since the Evo solution does not work, you should use the solutions suggested by Marc.
                    • 8168
                    • 1,118 Posts
                    dubbs Reply #9, 9 years, 4 months ago
                    Thanks all. Have gone with <base href="[[!++site_url]]"> as suggested - hopefully fixes the issue going forward.

                    Cheers
                      • 52858
                      • 8 Posts
                      mclaund Reply #10, 7 years, 7 months ago
                      I'm experiencing this same problem. It appears that the base url is hacked. It happens every couple weeks, and seems to be a different site each time (often chinese). Clearing the cache fixes it.

                      I've gone through the steps to harden the site, moving core outside of the webroot, changing the admin login url, etc.

                      I've also set the base tag to: <base href="[[!++site_url]]">
                      And if I view source on the page (when it's been hacked), the base url does appear to be set right, but all the menu (wayfinder) links have a different url as the base url. None of the pages load when clicked, because the path doesn't exist on the other site.

                      And again, clearing the cache fixes this problem every time.

                      My config.inc.php's permissions are set to 644.
                      My cache's permissions are set to 750.

                      But I still continue to get hacked. I'm at a loss. Any help would be most appreciated.