    • 14794
    • 5 Posts
    I've got a site which I recently upgraded to Evo 1.0.15. It was hacked somehow - my hosting account got suspended for excessive database calls, there was a huge number of spammy files in my public_html directory, and the core.inc.php file had a bunch of crazy stuff in it.

    This is the first time I've dealt with something like this. The site uses Jot, but doesn't have web users or allow file uploading. It doesn't store any sensitive information.

    I deleted the spammy files, I uploaded a new core.inc.php file, set all new database passwords, and upgraded to Evo 1.0.15. (It was previously running an older version, Evo 1.0.5, maybe.) I was hoping that would do it.

    But today I got another notice from my host, saying that my database access had been suspended due to excessive calls. They included a log file, which I don't really understand, but it shows the database username for this one site as making all the excessive calls. (I have a dozen or so sites on the server, some WordPress, but most MODx.)

    I've deleted the whole folder for that site (I have backups), and deleted the database username, but not the database. I have copied a fresh MODx install in its place, and copied over just the images and media from the assets folder of the old site. I cannot install yet, as my database access is still blocked.

    My plan is to install, then copy content over from the database, but I don't know what is safe to copy. I don't want to copy infected stuff and go through this all over again. I don't know what I'd even be looking for. I was hoping someone could give me some info or resources on what tables I might have to be careful about, and what I'd be looking for.

    This question has been answered by sottwell. See the first response.

      That all depends on what kind of access the hacker got. If he got Manager access, then he had access to your database. He could have put anything he wanted into your resources, for example, or your templates.

      My suggestion would be to export the database, import it into a localhost installation, then go through it looking for suspicious things like base64_encode functions, odd JavaScript writing things to the document (document.write()), anything that shouldn't be there. Also check the plugins. Make sure there aren't any there that shouldn't be there.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
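A script to do the kind of review sottwell describes, as an added example (not code from the thread, from the MODX project, or from either poster). It walks a mysqldump-style export line by line, notes which table each INSERT targets, and flags the indicators named above (base64 handling, document.write) plus a few more of the same family (eval, gzinflate-style obfuscation, remote script tags, hidden iframes, PHP tags inside page content). It also lists every row in the plugin, snippet and module tables, since those legitimately hold PHP and need a manual read rather than a pattern match. Assumptions: the default "modx_" table prefix, one INSERT per line (mysqldump's default output), and MODX Evolution's default table names (site_content, site_templates, site_htmlsnippets, site_plugins, site_snippets, site_modules). The sample dump is constructed; its column layout is illustrative and does not reproduce the real schema.

```python
"""Triage a mysqldump-style export of a MODX Evolution database.

Added example for the thread above, not MODX project code. Assumes the
default "modx_" prefix and one INSERT statement per line. The sample
dump is constructed; its column layout is illustrative only.
"""
import re
from collections import Counter

INSERT_RE = re.compile(r"^INSERT INTO\s+`?(\w+)`?", re.I)

# Tables whose rows are expected to contain PHP: read every row by hand.
CODE_TABLES = {"site_plugins", "site_snippets", "site_modules"}

# Indicators that rarely belong in any table (content, chunks, templates, or code).
COMMON_INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "gz-obfuscation": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "document.write": re.compile(r"document\.write\s*\(", re.I),
    # Quotes in a dump are backslash-escaped, so allow \" before the URL.
    "remote-script": re.compile(r"""<script[^>]+src\s*=\s*["'\\]*https?://""", re.I),
    "hidden-iframe": re.compile(r"""<iframe[^>]*(display\s*:\s*none|width\s*=\s*["'\\]*0)""", re.I),
}
# PHP tags are normal in code tables but never in resources, templates or chunks.
CONTENT_ONLY_INDICATORS = {
    "php-tag-in-content": re.compile(r"<\?php", re.I),
}


def strip_prefix(table, prefix="modx_"):
    """Return the table name without the site's table prefix."""
    return table[len(prefix):] if table.startswith(prefix) else table


def scan_dump(dump_text, prefix="modx_", context=40):
    """Return findings as (line_no, table, indicator, surrounding text)."""
    findings = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.match(line)
        if not m:
            continue  # comments, CREATE TABLE, LOCK TABLES, etc.
        table = strip_prefix(m.group(1), prefix)
        rules = dict(COMMON_INDICATORS)
        if table not in CODE_TABLES:
            rules.update(CONTENT_ONLY_INDICATORS)
        for name, rx in rules.items():
            for hit in rx.finditer(line):
                lo, hi = max(0, hit.start() - context), hit.end() + context
                findings.append((line_no, table, name, line[lo:hi]))
    return findings


def code_rows(dump_text, prefix="modx_"):
    """(line_no, table) for every plugin/snippet/module row; each needs a manual read."""
    rows = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.match(line)
        if m and strip_prefix(m.group(1), prefix) in CODE_TABLES:
            rows.append((line_no, strip_prefix(m.group(1), prefix)))
    return rows


def summarize(findings):
    """Count findings per table so the noisiest tables are reviewed first."""
    return Counter(table for _, table, _, _ in findings)


# Constructed sample dump (not a real export; columns are illustrative).
SAMPLE_DUMP = r"""-- Constructed sample dump
INSERT INTO `modx_site_content` VALUES (1,'Home','home','<h1>Welcome</h1><p>Plain page.</p>');
INSERT INTO `modx_site_content` VALUES (2,'About','about','<p>About us</p><script src=\"http://example.invalid/x.js\"></script>');
INSERT INTO `modx_site_content` VALUES (3,'Contact','contact','<p>Contact</p><?php /* injected */ ?>');
INSERT INTO `modx_site_templates` VALUES (1,'Base','<html><body>[*content*]<iframe src=\"http://example.invalid/f\" style=\"display:none\"></iframe></body></html>');
INSERT INTO `modx_site_htmlsnippets` VALUES (1,'Footer','<p>&copy; site</p><script>document.write(\"<div>ad</div>\")</script>');
INSERT INTO `modx_site_plugins` VALUES (1,'UpdateHelper','eval(base64_decode(\"PAYLOAD_PLACEHOLDER\"));',0);
INSERT INTO `modx_site_snippets` VALUES (1,'Wayfinder','return $modx->runSnippet(\"Wayfinder\");',0);
"""

if __name__ == "__main__":
    hits = scan_dump(SAMPLE_DUMP)
    for line_no, table, name, ctx in hits:
        print(f"line {line_no:>5}  {table:<18} {name:<20} ...{ctx}...")
    print("per-table:", dict(summarize(hits)))
    print("code rows to read by hand:", code_rows(SAMPLE_DUMP))
```

Run it against a real export with `scan_dump(open("site.sql", encoding="utf-8", errors="replace").read())`; matches are leads to inspect, not verdicts, and a clean run does not prove the dump is clean, which is why the plugin and snippet rows are listed separately for reading in full.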
        • 14794
        • 5 Posts
        Thanks. I'll go through it.