    • 38783
    • 571 Posts
    The symptoms reported are identical to the compromise of sites at or below 2.2.15. Many sites became compromised within a year of the exploit being released. Unfortunately, despite repeated pleas, emails, social media posts and security reminders, people for one reason or another do not keep their MODX sites abreast of current versions. The exploits are growing deeper and more harmful, yet we continue to see people with sites running 2.2.8, etc.

    If a site is running 2.2.15 or below, it should be assumed that it's compromised with backdoors, plugins, snippets and malicious users; in addition, it's likely that originally legitimate users have had their passwords changed to allow for undetected access. I've seen lots of Manager Logs that indicate that in many cases attackers are, in fact, logging in, if they have good enough access to do things like send email or mine bitcoin (which is something we're seeing happen now).

    Thank you Jay.
      If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

      email: [email protected] | website: https://andytough.com
      • 52615
      • 10 Posts
      Thank you all for your contributions.
      Many of the given solutions have already been done.
      In my case, no special plugins or users have been created. All passwords are changed and inactive users were removed.
      The website was created back in the 2.2.15 days, but has been frequently updated since.
      I will investigate the site further. A fresh installation is an option but not an easy one. Just hoping to find the infected source.

      @Jay: You mentioned that lots of sites are infected. What I don't get is that I don't find any posts / examples of this exploit on the forums or even the web?
      There have to be other users/developers facing the same problems. Hope to hear from them too!

      • @hartmanrik

        It sounds like there’s a backdoor on your webserver, as Mark suggested. Try searching your assets folder for php files. They will be named deceptively, like “logo.php”. Using grep can also help you locate malicious files.

        If, after performing these tasks, you still experience the same issues, you’ll likely need to rebuild the site on a different webserver. As you say, “it’s not easy”, but if the other steps suggested have been tried unsuccessfully then there is no easy solution.

        It can, however, be not too difficult, and even rewarding, to rebuild a site. Some things to watch for:

        1. Start on a new webserver. Not a new virtual host / folder—a new server. If you’re on a cPanel server, and the server software is up-to-date, you may be ok with a new cPanel account, but the easiest would be to spin up a MODX Cloud instance.

        2. Install all the Extras you had in the previous site, directly from the Extras Installer. Do not copy/paste any of them from the infected server.

        3. Take a copy of your site’s database and import it to your localhost, to inspect it. There are tutorials online on how to search for malicious code. Be diligent in this. You are trying to salvage Resources (site_content), TVs (several tables required), Templates, Chunks (htmlsnippets), and likely you’ll want System Settings, and Context Settings.

        4. Once you have inspected and cleaned those tables, move only those tables to your new install. Do NOT migrate snippets, plugins, nor Users in this way. Set those up from scratch in the new site, including User Groups, and Permissions.

        5. The next part is tricky: migrate only good assets from your old site to the new. Two ways you can try:
        5.1 Copy everything to localhost and scan/inspect for malicious files. Careful not to open/execute any files!!!
        5.2 Maybe safer is to use wget to crawl your existing site pulling down only files with specific extensions, like jpg, png, etc. There are tutorials online for doing this. You can more reliably avoid bringing over php files this way. Don’t migrate font files and ico files. Scan/inspect JS files carefully!!! CSS files should be ok but I’d inspect them anyway.

        At that point, if you’ve done everything above, you should be close to having a new, clean site, along with a very thorough understanding of everything that goes into it. You could do a seamless DNS cutover at that point, after testing fully that everything works. You could then back up the old site, quarantine the backup files and then delete the old webserver, never to point traffic at it again.

        Hope this helps.
          sepiariver.com (https://sepiariver.com/)
        • @hartmanrik,

          You should have received an email from me from [email protected] or some similar email.

          The reality is that most people do not post about site compromises and fixes in the MODX Community. They either rebuild it or try and resolve in their own way.

          We see it frequently because we run MODX Cloud and host thousands of sites across our data centers and help customers resolve the issues through a combination of scanners and patterns we have found that help find the malicious files. It can be painstaking and can, in some cases, require months of scanning and review before we can declare a site clean.

          It is possible that someone has a new exploit for a later version, as there are vulnerabilities (though far less severe) in versions up to 2.5.2, but the symptoms you posted look identical to the signatures of the <2.2.15 compromise.

          Other things you can look for if you want to DIY are POSTs in your access logs, and GLOBALS and COOKIE in PHP files.

          You can also completely replace your Manager directory and the core, and reinstall your extras one by one. But, this will not guarantee it will get resolved either.

          We've also seen attackers modify existing snippets, htaccess, index.php and more.

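            A scan along the lines of what sepiariver and Jay describe above (PHP files dropped under assets/, and $GLOBALS / $_COOKIE references inside PHP source), as an added example that is not code from this thread or from MODX. The sample site tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Tokens the thread says to look for inside PHP files.
SUSPICIOUS = re.compile(r"\$GLOBALS\b|\$_COOKIE\b")

def scan_site(root):
    """Walk a site copy and return sorted (relative_path, reason) pairs.

    Check 1: any .php file under assets/ (uploads should never be executable).
    Check 2: any .php file whose source references $GLOBALS or $_COOKIE.
    Hits are leads, not proof: core MODX code touches $_COOKIE legitimately,
    so compare every hit against a clean copy of the same MODX version.
    """
    root = Path(root)
    findings = set()
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("assets/"):
            findings.add((rel, "php file under assets/"))
        text = path.read_text(errors="replace")
        for token in sorted(set(SUSPICIOUS.findall(text))):
            findings.add((rel, f"references {token}"))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree (hypothetical content, not a real site)."""
    root = Path(tempfile.mkdtemp())
    files = {
        # deceptively named PHP dropped into the uploads tree
        "assets/images/logo.php": "<?php if (isset($_COOKIE['c'])) { echo 'x'; }",
        "assets/images/logo.png": "\x89PNG not-really-an-image",
        # a doctored front controller
        "index.php": "<?php $GLOBALS['k'] = 'x'; require 'config.core.php';",
        # a clean core file for contrast
        "core/model/modx/modx.class.php": "<?php class modX { }",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_site(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against a local copy of the site (never on the live server), then diff each flagged file against a pristine download of the same MODX release before deciding it is malicious.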
            • 3749
            • 24,544 Posts
            @sepiariver Great post. Do you mind if I adapt some of it for a blog post?

            @JayGilmore: Same question for you.
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              • 52615
              • 10 Posts
              @sepiariver
              @JayGilmore

              Great additions.
              Thanks a lot!

              Not sure if I mentioned it before: index.php files are indeed altered. Yesterday I did a thorough search and clean operation. Found numerous malicious files and includes.
              Searched the database for suspicious code (found nothing). After that I changed all the passwords.

              Unfortunately, overnight several index.php files have been altered.
              This particular website is not on a virtual/shared host.

              Apache logs are full of strange and unwanted requests, like: "GET /docs/c6n97.php?27a1=wp-content%2Fthemes%2Ftwentysixteen%2Fjs%2Fskip-link-focus-fix.js HTTP/1.1" 301 383 (and this is a modest one, if you know what I mean ;-))
              Those requests are redirected to a 443 page as far as I can see and test.

              I think my only option is to rebuild the websites.
              The thing is that I'm not certain what the source / nature of the hack is. Is it 'just' a malicious backdoor or is my webspace compromised?

                • 54183
                • 1 Posts
                Hi,

                Just noticed that someone has been able to log in and modify files in our Revolution environment (2.5.2). A certain template file had been modified to include the JS for the Miner-C Trojan.

                Our log file shows calls to manager/index.php with the following GET parameters:

                ?a=system/file/edit&file=site/units/PageTitle/PageTitle.tpl&wctx=mgr&source=1

                We are also seeing POST calls to /connectors/index.php

                What did they do and how do I prevent this action?
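                The access-log triage the last two posts point at (hits on odd PHP scripts under /docs/, manager file-editor actions, and POSTs to /connectors/index.php), as an added example that is not from this thread or from MODX. The log lines are constructed (the first reuses the request quoted above), and the set of PHP entry points a MODX site is expected to serve is a simplifying assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Leading fields of an Apache combined log line: client, ident, user, [time], "METHOD TARGET PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Simplifying assumption: the only PHP scripts a MODX site should serve are
# index.php front controllers and extras' connector.php files.
EXPECTED_PHP = {"index.php", "connector.php"}

def triage_line(line):
    """Return the reasons a request is worth a look ([] means nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    client, method, target, status = m.groups()
    url = urlsplit(target)
    qs = parse_qs(url.query)
    action = qs.get("a", [""])[0]
    reasons = []
    if method == "POST" and url.path.endswith("/connectors/index.php"):
        reasons.append("POST to connectors/index.php")
    # Real editors trigger this too: check whether the client/time match a known session.
    if url.path.endswith("/manager/index.php") and action.startswith("system/file/"):
        reasons.append(f"manager file editor: {action} file={qs.get('file', ['?'])[0]}")
    if url.path.endswith(".php") and url.path.rsplit("/", 1)[-1] not in EXPECTED_PHP:
        reasons.append(f"unexpected php script {url.path} (status {status})")
    return reasons

def triage_log(lines):
    """Map each client address to the distinct reasons its requests were flagged."""
    hits = {}
    for line in lines:
        client = line.split(" ", 1)[0]
        for reason in triage_line(line):
            if reason not in hits.setdefault(client, []):
                hits[client].append(reason)
    return hits

# Constructed sample lines; the first is the request quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Nov/2018:10:15:01 +0100] "GET /docs/c6n97.php?27a1=wp-content%2Fthemes%2Ftwentysixteen%2Fjs%2Fskip-link-focus-fix.js HTTP/1.1" 301 383 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Nov/2018:10:15:03 +0100] "GET /manager/index.php?a=system/file/edit&file=site/units/PageTitle/PageTitle.tpl&wctx=mgr&source=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Nov/2018:10:15:09 +0100] "POST /connectors/index.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Nov/2018:10:16:00 +0100] "GET /about.html HTTP/1.1" 200 8132 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, reasons in triage_log(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Feed it the real access log with `triage_log(open("access.log"))` and cross-check every flagged manager session against the Manager Log in the MODX admin: a file edit from an address no editor uses is the kind of entry the posts above describe.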


                  • 3749
                  • 24,544 Posts
                  The first thing to do is look at your Users to see if there are any that should not be there. Then, see if you have any plugins you did not install (especially ones with names like "core services").

                  Version 2.5.2 is somewhat old (Nov. 2016) and there have been several security updates since then. Upgrading won't solve your current problem, but once you have things straightened out, you should definitely update to 2.6.0, then the current version.

                  If you are on a shared server, it's worth asking the hosting service if other sites on your server have been compromised.
                    • 40131
                    • 40 Posts
                    I had a similar problem but tried this tool and it worked: https://revisium.com/aibo/
                    You should scan a full local copy of the website and then clean all the mess manually according to the scan report generated.
                    These code injections could survive version upgrades. I had the infection even with the system upgraded to 2.6.5.
                      • 52615
                      • 10 Posts
                      Quote from: nickyz at Nov 02, 2018, 04:11 PM
                      I had a similar problem but tried this tool and it worked: https://revisium.com/aibo/
                      You should scan a full local copy of the website and then clean all the mess manually according to the scan report generated.
                      These code injections could survive version upgrades. I had the infection even with the system upgraded to 2.6.5.

                      Thanks for the contribution!
                      I'm still having issues, even after a thorough cleanup (and also on 2.6.5...).
                      I will try your solution.