I discovered the same for one of my sites too:
- manager/includes/document.parser.class.inc.php had eval(base64(...)) code at the end
- there was a probably randomly named PHP file at assets/docs that contained binary data ready to be served (from the header it seemed to be zip file data)
modx version 1.0.2
ajaxsearch 1.8.4
hosted at Hostgator servers
So is it ajax search for sure? Any updates on this?
Thank you in advance!
If you have a file called /snippets/ajaxsearch/ajax.php on your file system, it could be the cause. That was removed in the 1.0.3 update, which was essentially labeled as an "if you don't upgrade you'll likely get hacked" must-upgrade release, as was 1.0.4. 1.0.3 and later included several security updates ... see the security thread in the Important announcements (also fed directly to your manager every time you log in) for more information.
Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
I did indeed have an outdated version of modx (I have upgraded the site to 1.0.4), but there was no /snippets/ajaxsearch/ajax.php file on my file system. Maybe the security hole is somewhere else?
Please see the security threads under important announcements. You need to upgrade.
Ryan Thrash, MODX Co-Founder
I too just discovered that I had two infected "eval(base64_decode" files (manager/includes/document.parser.class.inc.php & manager/includes/protect.inc.php) that were injecting an iframe at random intervals into pages.
This was not an upgrade and I am using v1.0.4 at Hostgator.
Oddly enough, I am using a DynamicDrive script on the site, which someone mentioned in an earlier thread.
I am not using any ajax search on the site.
Not sure why you are posting this stuff here tbh. If Hostgator is blaming MODx for the exploit, they need to identify the vector; otherwise, they need to identify the vector before blaming MODx.
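A way to check a site tree for the three indicators reported in this thread, as an added example that is not from any poster or from MODX: PHP files containing eval(base64_decode(...)), .php files whose contents start with a zip header, and a leftover snippets/ajaxsearch/ajax.php. The function names, the sample tree, its file contents and the name x7f3k.php are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval(base64_decode(...)), allowing whitespace and wrappers such as gzinflate(
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a zip local file header
REMOVED_FILE = "snippets/ajaxsearch/ajax.php"  # path as given in the thread

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for .php files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel.lower().endswith(REMOVED_FILE):
            findings.append((rel, "file removed in 1.0.3 still present"))
        if data.startswith(ZIP_MAGIC):
            findings.append((rel, "zip data in .php file"))
        if EVAL_B64.search(data):
            findings.append((rel, "eval(base64_decode"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed site tree; every file body here is made up."""
    core = "manager/includes/"
    files = {
        # Plain base64_decode outside eval must not be reported.
        "index.php": b"<?php echo base64_decode('bW9keA=='); ?>\n",
        core + "protect.inc.php": b"<?php // clean constructed file\n",
        core + "document.parser.class.inc.php":
            b"<?php class DocumentParser {}\n"
            b"eval(base64_decode('Y29uc3RydWN0ZWQ='));\n",  # inert placeholder
        "assets/docs/x7f3k.php": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 16,
        REMOVED_FILE: b"<?php // constructed stand-in\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:40} {rel}")
```

A clean result from a scan like this does not show the site is uncompromised; comparing core files against a fresh copy of the same release catches injected code that uses a different pattern.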