    • 53460
    • 69 Posts
    I have a site that I manage that appears to have been compromised. It was running v2.5.1 and when I logged in I saw the message about the need to upgrade.

    I've never upgraded a MODX installation before. Is there anything that I need to know? Will this lock out the hacker or what else should I do.

    Thank you in advance.
      • 38783
      • 571 Posts
      You should restore from a backup that was made before the 18th July.

      You can then install UpgradeMODX 1.5.5-pl to make the updating process a little easier.
      https://modx.com/extras/package/upgrademodx

      Then it would be a good idea to harden your installation using these instructions (if you haven't already)
      https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution
        If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

        email: [email protected] | website: https://andytough.com
        • 46719
        • 11 Posts
        Do I need to restore files AND database? And is there a manual way if database / file restore isn't possible?
          • 53460
          • 69 Posts
          The last backup I have is from the 18th.
            • 38783
            • 571 Posts
            @jonasdroste My understanding from some of the conversations I have seen on the MODX Slack channel https://modxcommunity.slack.com/ is that database content has not been affected by the hack.

            @jeffsydor The exploit was being used by then, but it may be that your site was not affected at that time. I suppose you'd have to restore it and see what you get.
              • 46719
              • 11 Posts
               Thanks Andy Tough! Do you know which files and folders were created during the attacks? I found several of them appearing again after restore that shouldn't be there e.g. cleogiue, jposeirt, L_cephalophyma_anthropometric.html, ord-wp.php.suspected, dbs.php...
                • 53460
                • 69 Posts
                Everything seems to be working again. But is there any more information on this vulnerability?
                https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch

                Anything on what exactly was compromised or how an attacker could've gotten in?
                  • 24374
                  • 322 Posts
                  Quote from: jonasdroste at Jul 24, 2018, 09:32 PM
                  Thanks Andy Tough! Do you know which files and folders were created during the attacks? I found several of them appearing again after restore that shouldn't be there e.g. cleogiue, jposeirt, L_cephalophyma_anthropometric.html, ord-wp.php.suspected, dbs.php...
                  That sounds like a different hack. Not at all what I'm seeing from this recent one. What's the date of the backup you used for the restore?
                  The entry points were connectors/phpthumb.php and assets/components/gallery/connector.php - the latter being most easily abusable.

                    The problem with this hack is that it's a remote code execution vulnerability - so anything can be done when an attacker gets in. Initially the attacks seem to have primarily been file based (lots of php, js, json, ico files), but I've also heard of at least one case a little more recently where a file was created that would create a MODX admin user, so the database is not necessarily safe if you haven't upgraded or if a shell is still in place.
                      Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

                      Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
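Added example, not code from this thread, from MODX or from any of the posters: a defender-side check for the situation jonasdroste describes (files reappearing after a restore) and Mark's warning that a leftover shell may still be in place. It hashes every file in the known-clean backup tree and in the live webroot, then reports what was added, modified or removed, and flags added or modified scripts and `.suspected` files for a closer look. The ignore list, the script name `modx_tree_diff.py`, the directory names and the sample tree built inside `demo()` are constructed assumptions; the sample file names just echo the ones reported in this thread.

```python
#!/usr/bin/env python3
"""Compare a known-clean MODX file tree (the backup taken before the
compromise) with the live webroot and list every file that was added,
changed or removed. Added example for this thread; not MODX code.

The ignore list, paths and the sample tree in demo() are constructed
assumptions for the demonstration."""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Directories that legitimately differ between a backup and a running site
# (MODX writes caches under core/cache). Constructed list; extend as needed.
IGNORE_DIRS = {"core/cache", "core/export"}

# Names that warrant a closer look whatever their content: files a host
# scanner renamed to ".suspected" and any script the backup did not contain.
SUSPECT_RE = re.compile(r"\.suspected$|\.(php|phtml|phar)$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path).as_posix()
        # Prune ignored directories in place so os.walk does not descend into them.
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in IGNORE_DIRS
        ]
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root_path).as_posix()] = sha256_of(full)
    return manifest


def diff_manifests(clean: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Files present only on the live site, changed since the backup, or deleted."""
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "removed": sorted(p for p in clean if p not in live),
    }


def suspicious(findings: Dict[str, List[str]]) -> List[str]:
    """Added or modified files that are scripts or carry a '.suspected' suffix."""
    return sorted(p for p in findings["added"] + findings["modified"] if SUSPECT_RE.search(p))


def _write(root: Path, rel: str, content: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)


def demo() -> Dict[str, object]:
    """Build a constructed backup tree and a constructed live tree, then diff them.
    File names echo the ones reported in the thread; the contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        for root in (backup, live):
            _write(root, "index.php", "<?php // front controller\n")
            _write(root, "assets/components/gallery/connector.php", "<?php // gallery connector\n")
        _write(backup, "connectors/phpthumb.php", "<?php // original\n")
        _write(backup, "core/cache/a.cache.php", "<?php // cache, ignored\n")
        # Live tree: one legitimate file altered, several files never in the backup.
        _write(live, "connectors/phpthumb.php", "<?php // altered\n")
        _write(live, "core/cache/b.cache.php", "<?php // cache, ignored\n")
        _write(live, "dbs.php", "<?php // unknown script\n")
        _write(live, "ord-wp.php.suspected", "<?php // renamed by host scanner\n")
        _write(live, "L_cephalophyma_anthropometric.html", "<html></html>\n")
        _write(live, "cleogiue/index.php", "<?php // unknown script in unknown dir\n")
        findings = diff_manifests(build_manifest(str(backup)), build_manifest(str(live)))
        return {"findings": findings, "suspicious": suspicious(findings)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = diff_manifests(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
        result = {"findings": found, "suspicious": suspicious(found)}
    else:
        result = demo()
    for bucket, paths in result["findings"].items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
    print("suspicious:", ", ".join(result["suspicious"]) or "none")
```

Run it as `python3 modx_tree_diff.py /path/to/clean-backup /path/to/webroot`; with no arguments it runs the constructed demo. Anything listed under "added" or "modified" is a candidate for removal or restoration, and a script appearing there after a fresh restore is the sign Mark describes: the entry point is still open or a shell is still in place, so the upgrade has to go in before the cleanup sticks. The diff covers files only; as Mark notes, the manager user list still needs a separate look for accounts you did not create.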
                      • 46719
                      • 11 Posts
                      Quote from: rainbowtiger at Jul 31, 2018, 03:24 PM
                      Quote from: jonasdroste at Jul 24, 2018, 09:32 PM
                      Thanks Andy Tough! Do you know which files and folders were created during the attacks? I found several of them appearing again after restore that shouldn't be there e.g. cleogiue, jposeirt, L_cephalophyma_anthropometric.html, ord-wp.php.suspected, dbs.php...
                      That sounds like a different hack. Not at all what I'm seeing from this recent one. What's the date of the backup you used for the restore?

                      It's from 16th July. Don't know what to do now... Files appear again and again. Restores don't work. Google already told me that I was hacked and lots of 404 pages appeared. What a mess!