    • 36582
    • 463 Posts
    I can't answer your question directly Bobray as some had not had the core moved but had been updated and weren't touched.

    Just to expand things a little further if I may: What are the traits an extra would have that would make them vulnerable to an attack like this? In other words is there a piece of code (such as core_path) we could look for in an extra, that would show it might create a vulnerability?

    I'd also love to find a quicker way to password protect those directories. On shared hosting where there's no access to apache config, it's quite laborious.
      Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
      • 42562
      • 1,145 Posts
      We've been shouting "Upgrade your sites NOW" since the patch became available...
      Not many people see any of these shouts. And that's a legitimate concern.

      A lot of the shout happens either on Slack (where a tiny fraction of MODXers hang out) or here on the Forums, posted in places that users never see/click.

      Finally, finally, finally, a red alert bar has been set up here on the forum.

      BTW we are no longer talking about the old-school renaming of folders; we are talking about passwording them and taking other serious (not so well documented) preventative methods.

      I still insist that for many MODXers, in the light of the things I mentioned above, hardening their websites is paramount!
      And no reasonable MODXer will use this as an excuse, I hope not, and especially if UpgradeMODX finally finally becomes part of the MODX Core.

      This indeed is a huge learning opportunity for all. Let's recap:

      1. Harden your website by PASSWORDING
      2. Beg MODX to ship with UpgradeMODX in the core/package (with all kinds of email/text alerts)
      3. Centralize the MODX Official info (is it Slack or is it Forums)
      4. Keep MODX and Extras updated (devs and users)
        TinymceWrapper: Complete back/frontend content solution.
        Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
        5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
        • 53161
        • 130 Posts
        Quote from: chrisandy at Jul 27, 2018, 11:24 AM
        I can't answer your question directly Bobray as some had not had the core moved but had been updated and weren't touched.

        Just to expand things a little further if I may: What are the traits an extra would have that would make them vulnerable to an attack like this? In other words is there a piece of code (such as core_path) we could look for in an extra, that would show it might create a vulnerability?

        I'd also love to find a quicker way to password protect those directories. On shared hosting where there's no access to apache config, it's quite laborious.

        Surely your hosting should allow .htaccess? MODX uses it for friendly URLs anyways.
          • 53161
          • 130 Posts
          Quote from: markh at Jul 27, 2018, 10:37 AM
          As long as renaming folders does not become an excuse to wait with upgrades "because my site is safe", then that's good advice. Rename folders all you want, it is helpful to buy you a little more time, but ALWAYS keep your site and extras up to date.

          We've been shouting "Upgrade your sites NOW" since the patch became available, but when people equate "now" to "at some point in the next few weeks or months when we have the time" instead of the recommended "right away", that's when the shit has a chance to hit the proverbial fan. Add that the details of the vulnerability and a proof of concept exploit became public knowledge in less than a week, and you have a recipe for the massive number of sites getting hacked.

          Renaming folders would have reduced the chance of getting hit in a first blast, buying you a little more time, but it's not going to stop a targeted attacker. Take this as a learning opportunity that 1) backups matter and 2) upgrading regularly matters.

          Absolutely!
            • 3749
            • 24,544 Posts
            This discussion is interesting, but I was really trying to determine if there is a hacked site anywhere that was running < 2.6.5, didn't have Gallery installed and did have the core above the web root. So far, I don't see a case like that.

              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              • 36582
              • 463 Posts

              Surely your hosting should allow .htaccess? MODX uses it for friendly URLs anyways.

              Yes - I'm just saying it's laborious on shared hosting, whereas with apache config it would be much quicker
                Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
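
One way to cut down the per-folder work discussed above, as an added example that is not part of any post in this thread: a shell function that appends the same HTTP Basic auth block to each folder's `.htaccess` in one pass. It assumes Apache honours `.htaccess` auth directives on the host, that the password file was already created once with Apache's `htpasswd` tool, and that the function name, marker text and paths are hypothetical.

```shell
#!/bin/sh
# Added example: write one Basic auth block into several MODX folders.
# Assumptions: Apache reads .htaccess here (AllowOverride AuthConfig) and the
# password file already exists, stored outside the web root.
MARKER='# modx-basic-auth (added example)'

# protect_dirs SITE_ROOT HTPASSWD_FILE DIR...
# Appends the auth block to DIR/.htaccess and keeps any rules already there.
# Returns 1 if a folder is missing, 2 if the password file path is relative.
protect_dirs() {
    site_root=$1
    htpasswd_file=$2
    shift 2
    status=0
    # A relative AuthUserFile is resolved against Apache's ServerRoot,
    # not the site folder, so insist on an absolute path.
    case $htpasswd_file in
        /*) ;;
        *) echo "password file path must be absolute: $htpasswd_file" >&2
           return 2 ;;
    esac
    for dir in "$@"; do
        target="$site_root/$dir"
        if [ ! -d "$target" ]; then
            echo "skipped, no such folder: $target" >&2
            status=1
            continue
        fi
        # Idempotent: a second run must not add the block again.
        if [ -f "$target/.htaccess" ] && grep -qF "$MARKER" "$target/.htaccess"; then
            continue
        fi
        # If the existing file lacks a final newline, add one so the last
        # existing directive is not glued to the marker line.
        if [ -s "$target/.htaccess" ] && [ -n "$(tail -c 1 "$target/.htaccess")" ]; then
            echo >> "$target/.htaccess"
        fi
        cat >> "$target/.htaccess" <<EOF
$MARKER
AuthType Basic
AuthName "Restricted"
AuthUserFile "$htpasswd_file"
Require valid-user
EOF
    done
    return $status
}
```

Called as `protect_dirs /path/to/site /path/to/.htpasswd core manager connectors` (placeholder paths), it can be run over SSH on the host or against a local copy whose `.htaccess` files are then uploaded.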
                • 53161
                • 130 Posts
                Quote from: chrisandy at Jul 28, 2018, 06:28 AM

                Surely your hosting should allow .htaccess? MODX uses it for friendly URLs anyways.

                Yes - I'm just saying it's laborious on shared hosting, whereas with apache config it would be much quicker

                Oh, I understand.
                  • 34127
                  • 135 Posts
                  Quote from: donshakespeare at Jul 27, 2018, 11:28 AM
                  We've been shouting "Upgrade your sites NOW" since the patch became available...
                  Not many people see any of these shouts. And that's a legitimate concern.

                  A lot of the shout happens either on Slack (where a tiny fraction of MODXers hang out) or here on the Forums, posted in places that users never see/click.
                  I'm a bit late to the party... I was able to upgrade my site within a few days of the initial 2.6.5 announcement, before the "attack" announcement was posted. I just happened to visit the MODx forum that day, spotted the upgrade news and upgraded because I had a free moment. I definitely don't visit daily, or even weekly. Are the forum and Slack really the only ways to be notified? There used to be RSS feeds that I subscribed to, but they appear to be non-existent now. Is there no way to receive email updates of security issues currently?
                    • 42766
                    • 47 Posts
                    Is there no way to receive email updates of security issues currently?

                    Emails were sent to the list you can sign up for here: https://modx.com/insider-subscribe/

                    Joining that would be the best bet for the short term.
                      • 36582
                      • 463 Posts
                      I won't go into detail about how this came about but this might help somewhere down the line BobRay...

                      2 sites in one web space, neither of which had core moved out of root or directories renamed:

                      Site 1: Modx 2.5.7 + Gallery + Roxy. Site infected.

                      Site 2: Modx 2.5.5 NO Gallery or Roxy. Site unaffected.
                        Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk