If you log in via your manager account and use the application’s file manager to upload a malicious script in a buried directory, then manage to call it again from within the manager via a URL param that at a quick glance otherwise looks normal, all bets are off.
Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
On a related note, were these sites recently upgraded to 1.0.4 and if so how were the upgrades performed, and from what versions if so, for getting the new file to the server? (Note: we really would like to figure out what’s going on here for sure!)
Ryan Thrash, MODX Co-Founder
- 40 Posts
In my case:
Current version 1.04, upgraded from 1.03.
Upgraded via the file overwrite method - so there very well could be some old files around.
Uploaded via FTP - I've also checked the 1.04 files I uploaded; the file in question does not include any malware reference.
My FTP logs go back many months, and as I have a static IP I can see it's only me that's been on via FTP, and no hits to that file (apart from when the update was completed).
As I also mentioned, I run CXS, which notifies me any time a file is uploaded via
- PHP upload scripts (via a mod_security or suhosin hook)
- Perl upload scripts (via a mod_security hook)
- CGI upload scripts (via a mod_security hook)
- Any other script type that utilizes the HTML form ENCTYPE multipart/form-data (via a mod_security hook)
- Pure-ftpd
that includes a base64 decode statement or matches a known exploit fingerprint. When I ran this scan manually on the home dir it detected my infection.
So this means it was inserted via some other method than the above.
Edit: I'm also the only member/admin on the site - with an extremely secure password.
- 1,198 Posts
In my case:
- version 1.04
- "Clean" upgrade on a new server (deleted all old files and folders before upgrading to 1.04)
- uploaded via FTP (Filezilla)
- I’m the only admin on the site/manager
- nothing in FTP logs (only my IP address)
- 654 Posts
BTW, the timestamp on the infected document.parser file was the same as the timestamp on the help_y.php file found in assets/media. Unfortunately, I can’t seem to get the material in that file "gzuncompressed". Unless it’s just some fluke, but I doubt it, that file is also related to the problem.
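As an added example (not CXS, MODX or any poster's code), here is a small Python scanner of the kind the thread describes: it flags PHP files where eval() is fed by a decoder such as base64_decode/gzinflate, and when unwrapping the blob it tries both the zlib framing PHP's gzuncompress() expects and the raw deflate gzinflate() expects, which is one reason a blob can refuse to "gzuncompress". The file paths, file contents and the eval-plus-decoder heuristic are constructed for illustration and are not the rule CXS actually uses.

```python
import base64
import re
import zlib

# eval() fed by one of these decoders is the classic shape of an injected PHP
# backdoor; this heuristic stands in for a "base64 decode statement" rule.
DECODER_RE = re.compile(r"\b(base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(")
EVAL_RE = re.compile(r"\beval\s*\(")
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{32,})['\"]")

def scan_source(src: str) -> dict:
    """Report which decoders appear and whether eval() accompanies them."""
    decoders = sorted(set(DECODER_RE.findall(src)))
    suspicious = bool(decoders) and bool(EVAL_RE.search(src))
    return {"decoders": decoders, "suspicious": suspicious}

def unwrap_payload(src: str):
    """Base64-decode the longest literal, then strip any compression layer."""
    literals = B64_LITERAL_RE.findall(src)
    if not literals:
        return None
    blob = base64.b64decode(max(literals, key=len))
    # PHP gzuncompress() expects zlib-framed data, gzinflate() raw deflate; a
    # blob that "won't gzuncompress" is often just raw deflate, so try both.
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob  # plain base64 with no compression layer

def scan_files(files: dict) -> list:
    """Scan a {path: source} map (in real use, a walk of the web root)."""
    hits = []
    for path, src in files.items():
        report = scan_source(src)
        if report["suspicious"]:
            report["payload"] = unwrap_payload(src)
            hits.append((path, report))
    return hits

# Constructed samples: a harmless base64 use and a raw-deflate eval() wrapper.
INNER = b"<?php echo 'constructed sample payload, not real code'; ?>"
_c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
RAW_B64 = base64.b64encode(_c.compress(INNER) + _c.flush()).decode()
SAMPLES = {
    "assets/snippets/clean.php": "<?php echo base64_decode('aGVsbG8='); ?>",
    "assets/media/help_y.php": "<?php eval(gzinflate(base64_decode('%s'))); ?>" % RAW_B64,
}
```

Calling scan_files(SAMPLES) reports only the constructed help_y.php entry, with the decompressed inner script attached; the clean file uses base64_decode without eval() and is not flagged.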
- 40 Posts
I can't find any reference to help_y.php in my file structure - nothing in dom or FTP logs either.
I'll send you a PM now - can you zip and email me the file?
- 1,198 Posts
Quote from: tworak at Aug 05, 2010, 03:13 PM
I can't find any reference to help_y.php in my file structure
- 654 Posts
I’m wondering if the only reason I saw it is because its execution failed. Can you post what it was trying to do?
Matt
EDIT - right, I see that you can’t get useful info from it ...