    I'm really curious about this: Did any of you have the modx core renamed and moved above the web root?

      Did I help you? Buy me a beer
      Get my Book: MODX:The Official Guide
      MODX info for everyone: http://bobsguides.com/modx.html
      My MODX Extras
      Bob's Guides is now hosted at A2 MODX Hosting
      Most of the people I have run into did not harden their site. Sad! But they are learning now, the hardest way.

      The owner of modhost.pro hosting, @bezumkin, has a password on all three folders: core, connectors, manager. He suffered no hack, and claims this procedure has saved him for years. Of course, I doubt he or his clients use the Gallery extra. But certainly, the core hack would not touch him with his method in place.

      He says that this passwording is more efficient than renaming the folders, with which I tend to agree. I myself have passworded my manager folder, and often have it absent from my server completely until I want to log in again.

      I wonder if MODX Cloud (which I hear got hit badly) observes bezumkin's standard hosting practice?

      https://en.modhost.pro/help/nginx
      location ~* ^/(manager|core|connectors)/ {
          auth_basic "Restricted Access";
          auth_basic_user_file /home/yourlogin/.htpasswd;
          try_files               $uri $uri/ @rewrite;
          location ~ \.php$ {
              include         fastcgi_params;
              fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
              fastcgi_pass    backend-yourlogin;
          }
      }


      Upgrading stuff is one thing, but basic preventative measures are money!
        TinymceWrapper: Complete back/frontend content solution.
        Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
        5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
      • The connectors directory was the entrypoint for the core attack, and assets/components/gallery/ for the vulnerability in Gallery 1.7.0. Having only the core moved/made inaccessible would not have prevented this particular vulnerability from being exploited.
          Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

          Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
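          The probing behaviour the thread describes (a script requesting connectors/ and the Gallery connector directly, and moving on when it gets a 200) is something a site owner can look for in their own access logs. The following is an added example written for this thread, not code from the posters or from MODX: it parses a few constructed nginx access-log lines in the combined format, keeps only requests to the three folders the thread says to password-protect plus the default Gallery connector path, and separates the requests the server actually served (2xx) from those it blocked (401/403/404). The log lines, IP addresses and user agents are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (nginx/Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jul/2018:03:12:01 +0000] "GET /assets/components/gallery/connector.php HTTP/1.1" 200 512 "-" "python-requests/2.19.1"
203.0.113.5 - - [26/Jul/2018:03:12:02 +0000] "POST /connectors/index.php HTTP/1.1" 200 88 "-" "python-requests/2.19.1"
198.51.100.9 - - [26/Jul/2018:03:15:40 +0000] "GET /manager/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jul/2018:03:15:41 +0000] "GET /core/config/config.inc.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
192.0.2.77 - - [26/Jul/2018:03:20:00 +0000] "GET /assets/components/gallery/connector.php HTTP/1.1" 404 162 "-" "python-requests/2.19.1"
192.0.2.77 - - [26/Jul/2018:03:20:05 +0000] "GET /index.php?id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Entry points named in the thread: the three folders to password-protect
# and the Gallery connector the scanner requested by its exact default path.
WATCH_PREFIXES = (
    '/manager/',
    '/core/',
    '/connectors/',
    '/assets/components/gallery/connector.php',
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]  # ignore the query string
    return rec


def watched_prefix(path):
    """Return the watched entry point this path falls under, or None."""
    for prefix in WATCH_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def triage(log_text):
    """Group requests to watched paths by entry point and by outcome.

    'served' holds requests answered with 2xx, i.e. the folder was reachable
    without credentials; 'blocked' holds everything else (401/403/404 ...).
    Each entry is (ip, method, path, status).
    """
    report = defaultdict(lambda: {'served': [], 'blocked': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prefix = watched_prefix(rec['path'])
        if prefix is None:
            continue
        bucket = 'served' if 200 <= rec['status'] < 300 else 'blocked'
        report[prefix][bucket].append((rec['ip'], rec['method'], rec['path'], rec['status']))
    return dict(report)


def exposed_entry_points(log_text):
    """Sorted list of watched entry points that answered at least one request with 2xx."""
    return sorted(p for p, buckets in triage(log_text).items() if buckets['served'])


if __name__ == '__main__':
    for prefix, buckets in sorted(triage(SAMPLE_LOG).items()):
        print(f'{prefix}: served={len(buckets["served"])} blocked={len(buckets["blocked"])}')
        for ip, method, path, status in buckets['served']:
            print(f'  REACHABLE  {ip} {method} {path} -> {status}')
    print('exposed:', exposed_entry_points(SAMPLE_LOG))
```

          Run against a real log, a 2xx in the 'served' bucket for /manager/, /core/ or /connectors/ means the basic-auth rule from the nginx snippet above is not in effect for that path; a 401 there is the rule working. Hits on the Gallery connector path that return 404 show the scanner looking for a layout that this site does not expose.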
          Quote from: markh at Jul 26, 2018, 10:47 AM
          The connectors directory was the entrypoint for the core attack, and assets/components/gallery/ for the vulnerability in Gallery 1.7.0. Having only the core moved/made inaccessible would not have prevented this particular vulnerability from being exploited.

          I had started following the practice of renaming core, connectors and manager folders and moving core out of the web root.

          But I have always found the name 'assets' appropriate for what it contains and do not like to rename it.

          In the Gallery attack would renaming 'assets' have helped? (I mean against people using a script to attack lots of sites - not people taking the trouble to look at your source code).

          Would changing the path be an option? i.e. something like: mydomain.com/storage/assets/
            If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

            email: [email protected] | website: https://andytough.com
            if requests.get(
                    target + '/assets/components/gallery/connector.php',
                    verify=verify).status_code != 404:
                print(Fore.GREEN + '/assets/components/gallery/connector.php - found')
                url = target + '/assets/components/gallery/connector.php'

            The attack on the Gallery Extra was looking precisely for a very specific URL.
            Had a user changed theirs, end of story! What was looked for would not have been found, full stop.

            It would have been found if the hacking script went further to search for it (which I doubt this particular script was doing - please someone correct me if I am so utterly and blindly and stupidly wrong ...)


            MODX allows, facilitates and encourages one to change the assets folder name.
            "assets" might seem intuitive (cool!), but it is also intuitive to hackers of WP and other CMSes, and to any hacker who studies the MODX code on GitHub to see the default folder structures (just saying!)

            in core/config/config.php around line 77
            if (!defined('MODX_ASSETS_PATH')) {
                $modx_assets_path= '/home/m_user/public_html/mined/gems/';
                $modx_assets_url= '/mined/gems/';
                define('MODX_ASSETS_PATH', $modx_assets_path);
                define('MODX_ASSETS_URL', $modx_assets_url);
            }
            Then, of course, create that folder, or rename the existing assets folder.

            Why is this even important? Well, some Extras, till tomorrow, require certain PHP in their folders to do the wonders that please us.

            All responsible Extras/templates should find their Extra's folder via dynamic code.
            If the Extra presumes and hardcodes "yoursite.com/assets/components/bla" ... oh well, bound to fail!


            1. MODX_ASSETS_PATH - in PHP
            2. MODX_ASSETS_URL in PHP
            3. [[++assets_path]] - MODX tag
            4. [[++assets_url]] - MODX tag

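              The point just made, that an extra must find its folder dynamically (MODX_ASSETS_PATH / MODX_ASSETS_URL in PHP, [[++assets_path]] / [[++assets_url]] in templates) rather than hardcoding the default layout, can be checked before renaming assets by grepping the extras for literal default paths. The following Python audit is an added example written for this thread, not MODX code and not from any of the posters: it walks an extras directory and reports every quoted or absolute-URL reference to assets/components/, which is the form that breaks (and keeps advertising the default layout) after the rename. The sample files, the 'myextra' and 'legacy' extras and the example.com host are constructed for the example; the MODX calls that appear in the sample PHP ($modx->getOption, $modx->regClientScript, MODX_BASE_URL) are the standard Revolution 2.x ones.

```python
import os
import re
import tempfile

# A literal default-layout path in quotes or after '=' / '(' is the hardcoded form;
# an optional scheme+host in front catches absolute URLs too.
HARDCODED_RE = re.compile(
    r'''["'(=](?:https?://[^/"']+)?/?assets/components/[^"')\s]*'''
)


def scan_text(text):
    """Return [(line_no, literal), ...] for every hardcoded assets/components reference."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(('//', '#', '*')):
            continue  # skip comment lines
        for m in HARDCODED_RE.finditer(line):
            hits.append((n, m.group(0).lstrip('"\'(=')))
    return hits


def scan_tree(root, exts=('.php', '.tpl', '.html', '.js')):
    """Walk an extras tree and map relative file path -> hits, for files that have any."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


# Constructed sample extras: 'myextra' resolves its paths dynamically, 'legacy' hardcodes them.
SAMPLE_FILES = {
    'good/snippet.myextra.php': (
        "<?php\n"
        "// Derives its folder from the assets_url setting, so a renamed assets dir still works.\n"
        "$assetsUrl = $modx->getOption('myextra.assets_url', null,\n"
        "    $modx->getOption('assets_url') . 'components/myextra/');\n"
        "$modx->regClientScript($assetsUrl . 'js/app.js');\n"
    ),
    'good/chunk.tpl': (
        '<link rel="stylesheet" href="[[++assets_url]]components/myextra/css/style.css">\n'
    ),
    'bad/snippet.legacy.php': (
        "<?php\n"
        "// Hardcoded default layout: breaks as soon as assets is renamed.\n"
        "$modx->regClientScript('/assets/components/legacy/js/app.js');\n"
        "$connector = MODX_BASE_URL . 'assets/components/legacy/connector.php';\n"
    ),
    'bad/template.html': (
        '<script src="https://example.com/assets/components/legacy/app.js"></script>\n'
    ),
}


def build_sample_tree():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='modx-extras-')
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        for line_no, literal in hits:
            print(f'{path}:{line_no}: hardcoded {literal}')
```

              Point scan_tree at your real assets/components/ and core/components/ directories before renaming; every reported file is one that will need its path derived from the settings instead, and the 'good' sample shows the usual getOption pattern for doing that.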
              Quote from: donshakespeare at Jul 26, 2018, 06:09 AM
              Most of the people I have run into did not harden their site. Sad! But they are learning now, the hardest way.

              The owner of modhost.pro hosting, @bezumkin, has a password on all three folders: core, connectors, manager. He suffered no hack, and claims this procedure has saved him for years. Of course, I doubt he or his clients use the Gallery extra. But certainly, the core hack would not touch him with his method in place.

              He says that this passwording is more efficient than renaming the folders, with which I tend to agree. I myself have passworded my manager folder, and often have it absent from my server completely until I want to log in again.

              I wonder if MODX Cloud (which I hear got hit badly) observes bezumkin's standard hosting practice?

              https://en.modhost.pro/help/nginx
              location ~* ^/(manager|core|connectors)/ {
                  auth_basic "Restricted Access";
                  auth_basic_user_file /home/yourlogin/.htpasswd;
                  try_files               $uri $uri/ @rewrite;
                  location ~ \.php$ {
                      include         fastcgi_params;
                      fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                      fastcgi_pass    backend-yourlogin;
                  }
              }


              Upgrading stuff is one thing, but basic preventative measures are money!

              Forgive my obvious question, but how could locking your core and connectors with htaccess prevent a hack when those folders don't allow direct access off the bat?
                Quote from: BobRay at Jul 26, 2018, 05:07 AM
                I'm really curious about this: Did any of you have the modx core renamed and moved above the web root?


                I believe the main problem was that the people who got hacked were many patches behind. I updated my website straight away, and those that I did a day later were still stable, I suppose because I kept up with patches often.
                  @stefany
                  Forgive my obvious question, but how could locking your core and connectors with htaccess prevent a hack when those folders don't allow direct access off the bat?

                  Off the bat, those folders are in the web root and therefore allow sweet wholesome direct wide access. And that's precisely how the hacks worked.

                  They tried the direct access, and the hack script responded:
                  Oh ooo, door found, no keys, no padlock, bring in the demons quick

                  So the upgrade patches are good, but, tomorrow another hole will be found (before a new patch is made), and those folders will still be unprotected ... and then more helter-skelter all over again. It would be awful if the same species of script is used again successfully ... like being twice beaten at home!
                    Quote from: donshakespeare at Jul 26, 2018, 06:33 PM
                    @stefany
                    Forgive my obvious question, but how could locking your core and connectors with htaccess prevent a hack when those folders don't allow direct access off the bat?

                    Off the bat, those folders are in the web root and therefore allow sweet wholesome direct wide access. And that's precisely how the hacks worked.

                    They tried the direct access, and the hack script responded:
                    Oh ooo, door found, no keys, no padlock, bring in the demons quick

                    So the upgrade patches are good, but, tomorrow another hole will be found (before a new patch is made), and those folders will still be unprotected ... and then more helter-skelter all over again. It would be awful if the same species of script is used again successfully ... like being twice beaten at home!

                    ^^ Got it thank you Don!
                    • As long as renaming folders does not become an excuse to wait with upgrades "because my site is safe", then that's good advice. Rename folders all you want, it is helpful to buy you a little more time, but ALWAYS keep your site and extras up to date.

                      We've been shouting "Upgrade your sites NOW" since the patch became available, but when people equate "now" to "at some point in the next few weeks or months when we have the time" instead of the recommended "right away", that's when the shit has a chance to hit the proverbial fan. Add that the details of the vulnerability and a proof of concept exploit became public knowledge in less than a week, and you have a recipe for the massive number of sites getting hacked.

                      Renaming folders would have reduced the chance of getting hit in a first blast, buying you a little more time, but it's not going to stop a targeted attacker. Take this as a learning opportunity that 1) backups matter and 2) upgrading regularly matters.