-
- 1 Posts
I can verify the same thing happened to our site.
For a non-production website so not an immediate concern, but still worrying.
site_url was changed to an address from .cn (with a nasty script)
We’re using MODx v1.0.0 on Ubuntu 8.04 LTS
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
We checked the site_url variable in config.inc.php and it was as expected
echo 'site: ' . $site_url;
$_SERVER['HTTP_HOST'] was as expected.
We updated the template and then back again and the website was fixed.
Looks like a specific MODx exploit.
The fact it switched back makes us think the cache was affected?
Any ideas? Any other occurrences?
-
- 24,544 Posts
Take a close look at the index.php and .htaccess in the MODx root and at assets/cache/siteCache.idx.php. Look for the URL of the site you were being sent to or anything else suspicious.
In index.php, look at this line around line 89 to make sure it points to the correct config file and check the content of all files in any other includes or requires to make sure there’s nothing fishy in them.
$rt = @include_once(dirname(__FILE__).'/manager/includes/config.inc.php');
If going back to [(site_url)] in the <base href> tag sends you to a hacker’s site, your site is definitely still hacked and still vulnerable.
Quote from: benjoi at Mar 01, 2010, 03:23 AM
I can verify the same thing happened to our site.
For a non-production website so not an immediate concern, but still worrying.
site_url was changed to an address from .cn (with a nasty script)
We’re using MODx v1.0.0 on Ubuntu 8.04 LTS
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
We checked the site_url variable in config.inc.php and it was as expected
echo 'site: ' . $site_url;
$_SERVER['HTTP_HOST'] was as expected.
We updated the template and then back again and the website was fixed.
Looks like a specific MODx exploit.
The fact it switched back makes us think the cache was affected?
Any ideas? Any other occurrences?
Would you mind sharing / sending me a message with this website's URL? I would like to check something.
Thanks Aaron
Don’t cache your site_url in your pages if you are accepting requests from any subdomain, or set up rewrite rules to redirect any HTTP_HOST requests that don’t match what you want to accept to the proper site_url.
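The advice in the last post, sketched as an added example that is not part of the thread and not MODx's own code: it assumes site_url is built from the request's Host header and that rendered pages are cached, and shows the unchecked pattern beside an allowlisted one. The host names, the function names and the tiny array cache are hypothetical stand-ins.

```php
<?php
// Added example, not MODx code. Hosts below are constructed placeholders.
const CANONICAL_HOST = 'www.example.org';
const ALLOWED_HOSTS  = ['www.example.org', 'example.org'];

// Unchecked pattern: whatever Host header arrives ends up in site_url.
function site_url_from_request(array $server): string
{
    return 'http://' . $server['HTTP_HOST'] . '/';
}

// Hardened: only an allowlisted host is used; anything else falls back
// to the canonical host, so a cached page cannot carry a foreign URL.
function site_url_checked(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an optional port
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = CANONICAL_HOST;
    }
    return 'http://' . $host . '/';
}

// Minimal stand-in for a page cache: the first render is stored and
// served to every later visitor, whatever Host they sent.
function render_cached(array &$cache, string $pageId, callable $siteUrl, array $server): string
{
    if (!isset($cache[$pageId])) {
        $base = htmlspecialchars($siteUrl($server), ENT_QUOTES);
        $cache[$pageId] = '<base href="' . $base . '" />';
    }
    return $cache[$pageId];
}

$unexpected = ['HTTP_HOST' => 'unexpected.example.net']; // constructed request
$normal     = ['HTTP_HOST' => 'www.example.org'];        // constructed request

// First request fills the cache, second request is a normal visitor.
$cache = [];
render_cached($cache, 'home', 'site_url_from_request', $unexpected);
echo "unchecked: ", render_cached($cache, 'home', 'site_url_from_request', $normal), "\n";

$cache = [];
render_cached($cache, 'home', 'site_url_checked', $unexpected);
echo "hardened:  ", render_cached($cache, 'home', 'site_url_checked', $normal), "\n";
```

In the unchecked run the normal visitor is served a base href carrying the first request's host until the cache is cleared, which matches the "fixed after re-saving the template" behaviour reported above.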