I have a site that I manage that appears to have been compromised. It was running v2.5.1 and when I logged in I saw the message about the need to upgrade.
I've never upgraded a MODX installation before. Is there anything that I need to know? Will this lock out the hacker or what else should I do.
Thank you in advance.
You should restore from a backup that was made before the 18th July.
You can then install UpgradeMODX 1.5.5-pl to make the updating process a little easier.
Then it would be a good idea to harden your installation using these instructions (if you haven't already)
Do I need to restore files AND database? And is there a manual way if database / file restore isn't possible?
The last backup I have is from the 18th.
@jonasdroste My understanding from some of the conversations I have seen on the MODX Slack channel https://modxcommunity.slack.com/
is that database content has not been affected by the hack.
@jeffsydor The exploit was being used by then, but it may be that your site was not affected at that time. I suppose you'd have to restore it and see what you get.
Thanks Andy Tough! Do you know which files and folders where created during the attacks? I found several of them appearing again after restore that shouldn't be there e.g. cleogiue, jposeirt, L_cephalophyma_anthropometric.html, ord-wp.php.suspected, dbs.php...
The entry points were connectors/phpthumb.php and assets/components/gallery/connector.php - the latter being most easily abusable.
The problem with this hack is that it's a remote code execution vulnerability - so anything can be done when an attacker gets in. Initially the attacks seem to have primarily been file based (lots of php, js, json, ico files), but I've also heard of at least one case a little more recently where a file was created that would create a MODX admin user, so the database is not necessarily safe if you haven't upgraded or if a shell is still in place.