  • A while back GoDaddy’s servers were run amok by script kiddies. One compromised account led to all accounts on the entire box being susceptible, and back doors being installed. Not a good scene that one...
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
      • 6228
      • 249 Posts
      Quote from: puffin at Oct 31, 2010, 09:38 PM

      Has anyone on a dedicated experienced this hack?
      One of my hacked sites is hosted on a Verio virtual private server that we manage.
        lo9on.com

        MODx Evolution/Revolution | Remote Desktop Training | Development
        • 26931
        • 2,314 Posts
        related: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=de&tl=en&u=http%3A%2F%2Fmodxcms.com%2Fforums%2Findex.php%2Ftopic%2C56604.msg324615%2Ftopicseen.html%23msg324615
          • 16302
          • 20 Posts
          Yes, that’s my thread. My site is also infected [embarrassed]

          Evo 1.04 (upgraded)
          AjaxSearch 1.9
          PHP 5.2.8
          MySQL 5.0.67
          Linux dd15408 2.6.25.20-25.1-pae

          For now I removed the base64_encode code and deleted a suspicious PHP file in one of the folders posted before in this thread. I also removed AjaxSearch - the snippet and all files. But now I’m uncertain about Evo; I don’t really trust it any further. I think I will be moving to the latest Revolution [sad], but it’s a lot of work to do. Bad thing.
            • 38162
            • 97 Posts
            There are a few things I’d like to know about those that have been affected by this exploit:

            1. Do all of you use Apache?
            2. What PHP version do you use?
            3. Do all of you use Linux? (If yes, what distribution?)

            Maybe an admin can gather this info. It might prove valuable for finding the actual problem.
            • Quote from: cyclissmo at Nov 01, 2010, 02:12 AM

              One of my hacked sites is hosted on a Verio virtual private server that we manage.

              What add-ons are you running? Do you use phpThumb?
                Ryan Thrash, MODX Co-Founder
                Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
                • 13137
                • 204 Posts
                System:
                MODx 1.0.4 rev 6981
                Apache 2.2.16
                MySQL 5.1.50
                PHP 5.2.14

                Plugins:
                WordsReplace 0.1.1
                Search Highlight 1.5 (installed but not being used in site)
                Forgot Manager Login 1.1.2
                Inherit Parent Template 1.1
                ManagerManager 0.3.8
                TinyMCE Rich Text Editor 3.3.5.
                TransAlias 1.0.1
                Easy 2 Gallery (I believe uses phpThumb)
                EditArea 0.5.2
                  • 6228
                  • 249 Posts
                  Quote from: rthrash at Nov 01, 2010, 11:26 AM

                  What add-ons are you running? Do you use phpThumb?
                  None of the sites used the phpThumb extension. They were all out-of-the-box (Evolution) installations, each with a bunch of custom snippets that I wrote for menial tasks like displaying date/time, formatting strings, etc.

                  This was a post I made on the most recent attack, based on a site hosted on a Verio shared host:
                  http://modxcms.com/forums/index.php/topic,54874.msg316479.html#msg316479

                  I didn’t log any record of the attack on the site hosted on the VPS. That site was migrated to Revo within a couple days. But the VPS server specs are:
                  PHP 5.2.13
                  FreeBSD 6.4
                  Apache 2.2
                  MySQL 5.1.44
                    lo9on.com

                    MODx Evolution/Revolution | Remote Desktop Training | Development
                    • 18913
                    • 654 Posts
                    @OpenGeek: Do you have any thoughts on the approach I explored here:
                    http://modxcms.com/forums/index.php/topic,53677.0.html

                    The idea was to have a plugin examine checksums and, if there was a problem, restore known-good copies of files from above the site root.

                    Matt
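
The checksum-and-restore idea from the last post, sketched as an added example that is not code from this thread, the linked topic, or MODX. It is a stand-alone Python script rather than a MODX plugin, and the directory names, function names and sample files are assumptions constructed for the demo.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(golden):
    """Relative path -> SHA-256 for every file in the known-good copy."""
    return {p.relative_to(golden).as_posix(): sha256_file(p)
            for p in Path(golden).rglob("*") if p.is_file()}

def verify_and_restore(webroot, golden, manifest, code_ext=(".php",)):
    """Restore changed or missing files; report (never delete) unknown code files."""
    webroot, golden = Path(webroot), Path(golden)
    restored, unexpected = [], []
    for rel, digest in manifest.items():
        target = webroot / rel
        if target.is_symlink() or not target.is_file() or sha256_file(target) != digest:
            if target.is_symlink():
                target.unlink()  # do not write through a link planted in the web root
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(golden / rel, target)
            restored.append(rel)
    for p in webroot.rglob("*"):
        rel = p.relative_to(webroot).as_posix()
        if p.is_file() and p.suffix in code_ext and rel not in manifest:
            unexpected.append(rel)  # e.g. a dropped script; kept for investigation
    return sorted(restored), sorted(unexpected)

def demo():
    """Constructed sample tree: one modified file, one deleted, one dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp, "golden")        # assumed: stored above the site root
        web = Path(tmp, "public_html")      # assumed web root name
        (golden / "assets").mkdir(parents=True)
        (golden / "index.php").write_text("<?php echo 'home';")
        (golden / "assets" / "util.php").write_text("<?php // helper")
        shutil.copytree(golden, web)
        manifest = build_manifest(golden)
        (web / "index.php").write_text("<?php /* injected */ echo 'home';")
        (web / "assets" / "util.php").unlink()
        (web / "assets" / "drop.php").write_text("<?php // unknown file")
        restored, unexpected = verify_and_restore(web, golden, manifest)
        return restored, unexpected, sha256_file(web / "index.php") == manifest["index.php"]

if __name__ == "__main__":
    print(demo())
```

Keep the known-good copy and the manifest where the web server user cannot write, and leave upload and cache directories out of the manifest because their contents change legitimately.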