We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

hacked - site_url changed

    • 3107
    • 1 Posts
    benjoi Reply #11, 14 years, 2 months ago
    I can verify the same thing happened to our site.
    For a non-production website so not an immediate concern, but still worrying.

    site_url was changed to an address from .cn (with a nasty script)

    We’re using MODx v1.0.0 on Ubuntu 8.04 LTS
    Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

    We added checked the site_url variable in config.inc.php and it was as expected
    echo ’site: ’ . $site_url;
    $_SERVER[’HTTP_HOST’] was as expected.

    We updated the template and then back again and the website was fixed.

    Looks like a specific MODx exploit.
    The fact it switched back makes us think the cache was affected?

    Any ideas?? Any other occurances?
      • 3749
      • 24,544 Posts
      BobRay Reply #12, 14 years, 2 months ago
      Take a close look at the index.php and .htaccess in the MODx root and at assets/cache/siteCache.idx.php. Look for the URL of the site you were being sent to or anything else suspicious.

      In index.php, look at this line around line 89 to make sure it points to the correct config file and check the content of all files in any other includes or requires to make sure there’s nothing fishy in them.

      $rt = @include_once(dirname(__FILE__).’/manager/includes/config.inc.php’);

      If going back to [(site_url)] in the <base href> tag sends you to a hacker’s site, your site is definitely still hacked and still vulnerable.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
      • onesmarthost Reply #13, 14 years, 2 months ago
        Quote from: benjoi at Mar 01, 2010, 03:23 AM

        I can verify the same thing happened to our site.
        For a non-production website so not an immediate concern, but still worrying.

        site_url was changed to an address from .cn (with a nasty script)

        We’re using MODx v1.0.0 on Ubuntu 8.04 LTS
        Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

        We added checked the site_url variable in config.inc.php and it was as expected
        echo ’site: ’ . $site_url;
        $_SERVER[’HTTP_HOST’] was as expected.

        We updated the template and then back again and the website was fixed.

        Looks like a specific MODx exploit.
        The fact it switched back makes us think the cache was affected?

        Any ideas?? Any other occurances?


        Would you mind sharing / sending me a message with this websites URL I would like to check something.

        Thanks Aaron
          http://www.onesmarthost.co.uk
          UK MODX Hosting with love.
        • opengeek Reply #14, 14 years, 1 month ago
          Don’t cache your site_url in your pages if you are accepting requests from any subdomain, or setup rewrite rules to redirect any HTTP_HOST requests that don’t match what you want to accept to the proper site_url.
            Jason Coward
            Chief Architect @ MODX
            http://www.jasoncoward.com | http://twitter.com/drumshaman | https://github.com/opengeek