    • @Halfnium: Yes, the latter one. While developing I found PHP files on the server that I never put there. Which made me wonder.

    And the site was once down because the hacker removed the dot from .htaccess (as far as I remember). And when I checked the file, it had double line breaks (which came from saving the file with the file manager I guess).
    • It sounds like you took the right steps to fix the website by installing from fresh and repointing back to the database.

      You should also check your plugins in the MODx Manager to make sure you don't have any rogue scripts / code in there, as we have seen a number of sites exploited where the hacker added code in the plugins, which was still present after doing a fresh install and pointing to the original database.

      Aaron
        http://www.onesmarthost.co.uk
        UK MODX Hosting with love.
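Aaron's advice above, and the list of dropped files later in this thread, come down to one check: which PHP files are in the live webroot that a clean copy of the same release does not have? The following POSIX shell script is an added example, not code from this thread or from the MODX project. It diffs a live tree against a clean tree, then flags the extra files that use obfuscation idioms commonly seen in dropped scripts. The two directory trees and their file contents are constructed fixtures (the extra file names echo the ones reported in this thread), and the pattern list is a starting point only. Note that it does not cover plugin or snippet code stored in the database, which needs a separate review in the Manager.

```shell
#!/bin/sh
# Added example (not from the thread or MODX): find PHP files present in a live
# webroot but absent from a clean copy of the same release, and flag extras that
# contain obfuscation idioms. Fixture trees and contents below are constructed.

# find_extra_php CLEAN LIVE
# Prints, one per line, the relative paths of .php files present only under LIVE.
find_extra_php() {
    l="$(mktemp)"; c="$(mktemp)"
    ( cd "$2" && find . -type f -name '*.php' | LC_ALL=C sort ) > "$l"
    ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort ) > "$c"
    # comm -23: lines only in the first (live) list
    LC_ALL=C comm -23 "$l" "$c"
    rm -f "$l" "$c"
}

# flag_suspicious FILE
# Returns 0 when the file contains an idiom typical of dropped scripts
# (eval of decoded/inflated strings), 1 otherwise.
flag_suspicious() {
    grep -Eq 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' "$1"
}

# scan_webroot CLEAN LIVE
# Prints "SUSPECT <path>" for extras matching the patterns, "EXTRA <path>" for
# extras that still need a human look but show no obvious idiom.
scan_webroot() {
    find_extra_php "$1" "$2" | while IFS= read -r rel; do
        if flag_suspicious "$2/$rel"; then
            printf 'SUSPECT %s\n' "$rel"
        else
            printf 'EXTRA %s\n' "$rel"
        fi
    done
}

# make_demo_tree
# Builds constructed clean/ and live/ trees in a temp dir and prints its path.
# The live side carries two extra files named after ones reported in this thread;
# their contents are made up for the demo, not real samples.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/clean/manager" "$root/live/manager" "$root/live/assets"
    for side in clean live; do
        printf '<?php // MODX front controller (placeholder)\n' > "$root/$side/index.php"
        printf '<?php // manager entry point (placeholder)\n' > "$root/$side/manager/index.php"
    done
    # unexpected file using an eval-of-decoded-string idiom
    printf '<?php eval(base64_decode($x));\n' > "$root/live/assets/stats.php"
    # unexpected file with no obvious idiom: still unexplained, still worth review
    printf '<?php echo "hello";\n' > "$root/live/zp.php"
    printf '%s\n' "$root"
}

# Demo run against the constructed trees
demo_root="$(make_demo_tree)"
scan_webroot "$demo_root/clean" "$demo_root/live"
rm -rf "$demo_root"
```

On a real host, point CLEAN at an unpacked download of the exact MODX Evo release you run and LIVE at the site's document root; every line of output is a file you should be able to explain. A quiet file-level scan is not a clean bill of health, because code added through the Manager lives in the database.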
      • Indeed, that's the problem with these Manager access hacks. Once the hacker gets into the Manager, he can add snippets and plugins, as well as modify existing code.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • Some important questions regarding the hack and protection:

          1. The attacker "changed settings" as stated in the logs. Is there any chance to see what he changed?

          2. Can I disable the file manager somehow? Or is it an essential part of modx?

          3. Is plugin code saved in files and not the DB?

          4. Are templates, chunks, and snippets saved in the DB?

          5. How can I rename the manager folder so that the hack bot will not find my manager folder again? That would add much more security. I tried this tip but it does not work. I get "Could not load DBAPI class." when accessing the install folder.

          FYI:
          - the bot (or human?) accessing one of the hacked files was http://neplohoybiz.ru/man/index.php with IP 95.68.219.222
          - the hacker's IP I don't have, as the logs from June have been deleted by the provider
          - others accessing the malicious files had IP 128.72.113.203 and IP 77.52.137.55 and 188.27.175.58
          • Evo doesn't allow for custom manager paths that I know of... that's only possible in Revolution.

            Chunks, templates, Snippets, etc. are saved in the database (Revo has options to store them in the file system, but they will always have a stub pointer reference in the database).

            Tracking down what steps a hacker took can take a long time, and ultimately it may not be guaranteed to tell you what happened or yield valuable info. At a minimum, you should have incremental backups so you can restore to a clean state and start patching from there.
              • Quote from: Everettg_99 at Aug 03, 2013, 06:14 PM
              Evo doesn't allow for custom manager paths that I know of... that's only possible in Revolution.

              What happens if I protect the /manager/ folder using htaccess? Does everything on the frontend still work normally?
              • An .htaccess rule can be a good secondary line of defense to help cut down on the scans and what-not, but like all things security, you sacrifice some convenience.
                  • Quote from: Everettg_99 at Aug 03, 2013, 06:36 PM
                  An .htaccess rule can be a good secondary line of defense to help cut down on the scans and what-not, but like all things security, you sacrifice some convenience.

                  Thanks for your reply. So the manager folder does not need "open" access for modx to work completely? It can be htaccess-protected and modx will still work normally? If so... why didn't I know this before!
                  • Live and learn, I guess. Most site owners don't want the hassle of a second set of usernames/passwords to get to the manager. Keep in mind that most hosts do not implement a secure .htpasswd module, so those passwords get sent in plain text (just like posted data on a non-SSL site... and even SSL has cracks available). .htaccess rules let the local site src assets all it wants; they usually block FOREIGN access only. E.g. look at the .htaccess rules for preventing image hot-linking: the local site can include the images, but some foreign site cannot src the image. Same idea here. It's *not* a silver bullet, but it can help improve your security posture.
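Everettg's point, that a web-server-level login on /manager/ adds a barrier the frontend never notices, can be made concrete. The file below is an added example of a /manager/.htaccess for an Apache 2.4 host, not something from this thread or from the MODX project. It assumes mod_ssl, mod_authn_file and mod_authz_core are loaded and that AllowOverride permits AuthConfig directives; the password-file path and the admin network range are placeholders. It also addresses the plain-text password concern from the same post: plain-HTTP requests are refused before any credentials are requested.

```apache
# Added example: /manager/.htaccess for a MODX Evolution site on Apache 2.4.
# Not from the thread or MODX. Assumes mod_ssl, mod_authn_file, mod_authz_core
# and AllowOverride AuthConfig; the path and network below are placeholders.

# Refuse plain HTTP (403) before the browser is ever asked for credentials.
# SSLRequireSSL is enforced in the access-check phase, which runs before
# authentication. A RewriteRule to HTTPS placed here would NOT do that: per-
# directory rewrites run after authentication, so put the redirect in the
# vhost config instead if you want a redirect rather than a 403.
SSLRequireSSL

# Second login at the web-server layer, independent of MODX's own user table.
# Generate the file with htpasswd and keep it outside the document root.
AuthType Basic
AuthName "MODX Manager"
AuthUserFile /placeholder/path/outside/webroot/.htpasswd

# Both conditions must hold: a valid web-server login AND a client address in
# the admins' network. 203.0.113.0/24 is a documentation range; replace it, or
# drop the Require ip line if admins work from changing addresses.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

Because nothing in the public site links under /manager/, these rules do not touch frontend requests. The first thing to verify after saving the file is that https://yoursite/manager/ prompts for the web-server login while an http:// request is refused, and that a page on the frontend still renders.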
                      • Thanks for the hint.

                      For complete information on the hack, here are the suspicious files that were uploaded:
                      class.php
                      enlightenment.tgz
                      stats.php
                      update.php
                      zp.php