  • If you login via your manager account and use the application’s file manager to upload a malicious script in a buried directory, then manage to call it again from within the manager via a URL param that at quick glance otherwise looks normal, all bets are off.
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
    • On a related note, were these sites recently upgraded to 1.0.4 and if so how were the upgrades performed, and from what versions if so, for getting the new file to the server? (Note: we really would like to figure out what’s going on here for sure!)
        • 30879
        • 40 Posts
        In my case:

        Current version 1.04, upgraded from 1.03.

        Upgraded via the file overwrite method, so there very well could be some old files around.

        Uploaded via FTP. I've also checked the 1.04 files I uploaded; the file in question does not include any malware reference.

        My FTP logs go back many months, and as I have a static IP I can see it's only me that's been on via FTP, and no hits to that file (apart from when the update was completed).

        As I also mentioned, I run CXS, which notifies me any time a file is uploaded via

        PHP upload scripts (via a mod_security or suhosin hook)
        Perl upload scripts (via a mod_security hook)
        CGI upload scripts (via a mod_security hook)
        Any other script type that utilizes the HTML form ENCTYPE multipart/form-data (via a mod_security hook)
        Pure-ftpd

        that includes a base64 decode statement or matches a known exploit fingerprint. When I ran this scan manually on the home dir it detected my infection.

        So this means it was inserted via some other method than the above.

        Edit: I'm also the only member/admin on the site, with an extremely secure password.
          • 2762
          • 1,198 Posts
          In my case:

          - version 1.04
          - "Clean" upgrade on a new server (deleted all old files and folders before upgrading to 1.04)
          - uploaded via FTP (FileZilla)
          - I'm the only admin on the site/manager
          - nothing in the FTP logs (only my IP address)
            Free MODx Graphic resources and Templates www.tattoocms.it
            -----------------------------------------------------

            MODx IT  www.modx.it
            -----------------------------------------------------

            bubuna.com - Web & Multimedia Design
            • 18913
            • 654 Posts
            BTW, the timestamp on the infected document.parser file was the same as the timestamp on the help_y.php file found in assets/media. Unfortunately, I can’t seem to get the material in that file "gzuncompressed". Unless it’s just some fluke, but I doubt it, that file is also related to the problem.
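The two clues in this thread, a scanner rule that fires on files containing a base64 decode statement (tworak's CXS description above) and files that share an identical timestamp with the infected document.parser file (mconsidine's observation above), can be combined into a simple triage script. The following is an added example, not code from the thread, from CXS, or from the MODX project: it walks a site tree, flags script files containing a few obfuscation-style patterns, and reports other files written in the same second as a flagged file. The pattern list, the file names and the timestamps in the sample tree are all constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed pattern set in the spirit of the "base64 decode statement or known
# exploit fingerprint" rule described in the thread; not CXS's real signatures.
SUSPICIOUS = re.compile(
    rb"(?:base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def scan_tree(root, exts=(".php", ".inc")):
    """Walk `root` and return (flagged, siblings).

    flagged:  {relative path: [matched snippets]} for script files containing a pattern.
    siblings: {flagged path: [other files with the same mtime]}; files written in the
              same second as a flagged one, which is the timestamp clue from the thread.
    """
    flagged = {}
    mtime_of = {}
    by_mtime = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mt = int(os.stat(path).st_mtime)
            mtime_of[rel] = mt
            by_mtime[mt].append(rel)
            if not name.lower().endswith(exts):
                continue  # only script-like files are content-scanned
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [m.group(0).decode("ascii", "replace") for m in SUSPICIOUS.finditer(data)]
            if hits:
                flagged[rel] = hits
    siblings = {}
    for rel in flagged:
        others = [p for p in by_mtime[mtime_of[rel]] if p != rel and p not in flagged]
        if others:
            siblings[rel] = sorted(others)
    return flagged, siblings


def build_sample_site(root):
    """Constructed sample tree, loosely modelled on the file names mentioned in the thread."""
    files = {
        "index.php": b"<?php\ninclude 'manager/includes/document.parser.class.inc.php';\n",
        "manager/includes/document.parser.class.inc.php":
            b"<?php\nclass DocumentParser {}\n"
            b"eval(gzuncompress(base64_decode('QUJD')));\n",  # constructed injected line
        "assets/media/help_y.php": b"\x1f\x8b\x08\x00" + b"\x00" * 40,  # opaque blob, no pattern
        "notes.txt": b"base64_decode( is a common obfuscation marker\n",  # not a script file
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Give the injected parser and the dropped file the same mtime (constructed value),
    # and the untouched files an older one.
    t_injected, t_old = 1281020000, 1250000000
    for rel in ("manager/includes/document.parser.class.inc.php", "assets/media/help_y.php"):
        os.utime(os.path.join(root, rel), (t_injected, t_injected))
    for rel in ("index.php", "notes.txt"):
        os.utime(os.path.join(root, rel), (t_old, t_old))


def demo():
    """Build the constructed tree in a temp dir and scan it; returns (flagged, siblings)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    flagged, siblings = demo()
    for rel, hits in flagged.items():
        print(f"FLAGGED {rel}: {hits}")
        for other in siblings.get(rel, []):
            print(f"  same mtime as flagged file: {other}")
```

In the constructed tree, only the parser file trips a pattern, and help_y.php surfaces because it shares the parser's mtime even though its contents (a compressed blob with no readable pattern, like the file the thread could not gzuncompress) match nothing. Treat the output as a triage list rather than a verdict: base64_decode and gzinflate appear in plenty of legitimate PHP, so each hit still needs a diff against a known-good copy of the file.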
              • 30879
              • 40 Posts
              I can't find any reference to help_y.php in my file structure; nothing in the DOM or FTP logs either.

              I'll send you a PM now. Can you zip and email me the file?

                • 2762
                • 1,198 Posts
                Quote from: tworak at Aug 05, 2010, 03:13 PM

                I can't find any reference to help_y.php in my file structure

                  • 30879
                  • 40 Posts
                  Quote from: mconsidine at Aug 05, 2010, 03:10 PM

                  BTW, the timestamp on the infected document.parser file was the same as the timestamp on the help_y.php file found in assets/media. Unfortunately, I can’t seem to get the material in that file "gzuncompressed". Unless it’s just some fluke, but I doubt it, that file is also related to the problem.

                  The file you sent does indeed appear to be corrupt; I can't get any useful info from it.
                    • 18913
                    • 654 Posts
                    I'm wondering if the only reason I saw it is because its execution failed. Can you post what it was trying to do?
                    Matt
                    EDIT - right, I see that you can't get useful info from it ...
                      • 30879
                      • 40 Posts
                      Quote from: mconsidine at Aug 05, 2010, 03:26 PM

                      I'm wondering if the only reason I saw it is because its execution failed. Can you post what it was trying to do?
                      Matt

                      No, no useful info that I can see.