We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
    • 50878
    • 7 Posts
    Our site has recently experienced a hack and we’ve upgraded to Modx 2.3.5.
    The code was inserted before the closing </body> tag.
    You can see the code when viewing the page source of the home page or subsequent pages that use the same template. Canadian viagra.
    How do I find the file that was hacked to remove the code?
    I've already looked at index.php and through our entire database.
    Our site is ww.teco.com.au
    Any help would be greatly appreciated. [ed. note: teco_aus last edited this post 8 years, 11 months ago.]
    • Check your core/config/config.inc.php file. It should NOT be writable after the installation is complete, change its permissions to 444 or 644 if that won't work.

      Also look for any .php files that have an older date, especially in odd places like assets/images or assets/js. There should very rarely be an .php files at all in the entire assets/ directory, although occasionally in assets/components there will be one associated with a specific component. The hack-files filenames are usually pretty stupid and obviously don't belong there.

      And check your Users for unknown users.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • Oh, and delete the entire core/cache/ directory to make MODX re-create all of the cache files.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 50878
          • 7 Posts
          Quote from: sottwell at Aug 06, 2015, 07:11 AM
          Oh, and delete the entire core/cache/ directory to make MODX re-create all of the cache files.

          Thanks softwell.
          I've checked the permission of config.inc.php and it was set to 644. It's now 444.
          I'll search for all index.php files throughout the site and check them all.
          We moved server recently, so the core/cache has been deleted a few times.
          It's a large site with many files. It will take some time to check all the files.
          I suspect one of our files that renders the pages has been hacked and they inserted code at the bottom of our pages (home, about, privacy, etc).
          <div style="position:absolute;left:-3114px;top:-3180px;">
          • No, this is done in either the index.php file (the main one), the config.inc.php file, possibly the core.cofig.php file in the site root, or even the .htaccess file.

            If the hacker was able to create himself a Manager user, he also could have made a plugin, or added the code to the templates.

            The reason we look for an odd file in a place where it doesn't belong is that this file can be accessed by the hacker to get access again even if you clean everything up.
              Studying MODX in the desert - http://sottwell.com
              Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
              Join the Slack Community - http://modx.org
              • 36763
              • 70 Posts
              You may wish to search through your articles, templates, chunks etc too in the db to see if there was anything "special" inserted in to those records.
                • 3749
                • 24,544 Posts
                It's difficult to know the extent to which your site has been compromised, so be sure to change your cPanel, FTP, and Database credentials in addition to your MODX ones. Even then, it's possible that the server itself has been compromised, in which case the trouble may be back.

                Also, to help protect your site in the future, see this: https://rtfm.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
                  • 50878
                  • 7 Posts
                  Hi guys,
                  Thanks a lot for your feedback. I've been away on leave but will go through all your suggestions this week and post any results here.

                  Cheers!
                    • 47401
                    • 295 Posts
                    we have setup the following permissions on modx 2.3.x for folders which works fine for us.

                    ${site_dir}/core/cache \
                    ${site_dir}/core/export \
                    ${site_dir}/core/packages \
                    ${site_dir}/core/components \
                    ${site_dir}/core/config/config.inc.php \
                    ${site_dir}/assets \
                    ${site_dir}/setup

                    all of the above folders are 0772

                    we had a similar problem ages ago, but found that the hack came from cpannel whereby somebody added a cron job. the problem is if the hacker gains root access then becuase the passwords for the database side is held in plane text i.e php file, it would be easy for an attaker to take advantage.

                    before you susspect modx, check your environment, patching the environment, updating cpannel or whm, add ssl certificate. becuase the index has changed i wouldnt assume that nothing else has been changed or added, i.e cron jobs, so i would get a linux expert in, or what we did, create a new vps server and migrate from the old hosting to the new hosting. it sounds very time consuming and i assure you it was a massive headache for us....
                      • 50878
                      • 7 Posts
                      Thanks comp_nerd26, this whole issue has been put on the back burner after going through every index.php file on the site with no results.
                      We're negotiating having the entire site rebuilt.
                      I simply don't have enough experience to find where the hackers inserted the links to purchase Canadian viagra. I suggested to our sales team to get on board.