- 20 Posts
While other folks have suggested the possibility of a pre-2.2.14 breach, in my case I don't believe this to be true. My system did not begin displaying evidence of this hack until after I had upgraded to 2.2.14 (I upgraded in April, and the hack first appeared in May). At first, I thought the attack vector was somewhere else, most likely a configuration of the security on the shared server I'm hosted on. I removed the hostile files and re-loaded 2.2.14 from a clean download; the hack reappeared a day later.
In my case, there was no unexpected MODx user added to my system, so I do not believe the flaw that allowed creation of users was the exploit vector here.
It does seem that the person or people responsible for this attack is/are targeting MODx. I say that because on older versions of MODx, the exploit did attack the create-user flaw, but the same attack now seems to be exploiting another flaw to accomplish the same thing. The person/people behind it would seem to have an intimate understanding of MODx.
On my system, I have examined other possible weaknesses--weak FTP passwords, bad Apache configuration, and so on--and I have been working with my shared hosting provider to examine the shared server configuration looking for flaws. So far, we have not been able to discover how the cache.php file was created or how the MODx files were modified.
I am not prepared to say with 100% certainty that a zero-day exploit exists and is being attacked, but I do think that's a possibility that needs to be taken seriously.
One person reported that the cache.php files had dates of up to a year before they were apparently activated. So you could have had the triggering file hanging around for some unspecified amount of time.
Someone just informed me that their hosting support says that the assets/cache.php file is not a hack, but is something MODX puts in when it upgrades.
- 24,544 Posts
I have no such file in my 2.3.1 install and IIRC, people report that file as containing clearly malicious code.
BTW, having the attack occur at some future date is an excellent strategy for hackers. Over time the malicious file(s) will make it into all possible backups.
- 20 Posts
This file is not part of a normal MODX install, and when it exists, it contains only one line of PHP code whose function is to allow an attacker to run arbitrary PHP commands on the server.
The person has moved his site to a different hosting provider.
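An added example, not code from the thread or from MODX itself: a small Python sweep of a webroot that flags the three things the posts above describe, an `assets/cache.php` that a stock install should not have, a one- or two-line PHP file that hands input to a code-execution function, and a file whose modification time was backdated (as reported for the dormant copies that later ended up in backups). The suspicious-function list, the 30-day timestamp gap and the sample tree it builds are my assumptions.

```python
import os
import re
import tempfile
import time

# Assumptions for this added example: the thread names assets/cache.php as the
# dropped file; the function list and the 30-day timestamp gap are my own choices.
EXEC_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"create_function|base64_decode)\s*\(", re.I)
UNEXPECTED = {os.path.join("assets", "cache.php")}
BACKDATE_GAP = 30 * 86400  # seconds; mtime this much older than ctime is suspicious

def scan_webroot(root):
    """Return [(relative_path, [reasons])] for PHP files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = []
            if rel in UNEXPECTED:
                reasons.append("not part of a stock install")
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            nonblank = [ln for ln in text.splitlines() if ln.strip()]
            # The thread describes a one-line file that passes input to an eval-style call.
            if len(nonblank) <= 2 and EXEC_CALLS.search(text):
                reasons.append("tiny file calling a code-execution function")
            st = os.stat(path)
            # touch/utime can backdate mtime but cannot move ctime, so a big gap is a tell.
            if st.st_ctime - st.st_mtime > BACKDATE_GAP:
                reasons.append("mtime far older than ctime (possible backdating)")
            if reasons:
                findings.append((rel, reasons))
    return findings

def build_sample_tree():
    """Constructed sample webroot: one backdated one-liner plus one normal file."""
    root = tempfile.mkdtemp(prefix="modx_scan_")
    os.makedirs(os.path.join(root, "assets"))
    shell = os.path.join(root, "assets", "cache.php")
    with open(shell, "w") as fh:
        fh.write("<?php eval(/* attacker-controlled input */ $payload); ?>\n")  # stand-in
    year_ago = time.time() - 365 * 86400
    os.utime(shell, (year_ago, year_ago))  # backdate like the reported files
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire 'config.php';\n$modx->handleRequest();\n")
    return root

if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_tree()):
        print(rel, "->", "; ".join(why))
```

Run it against a real webroot by replacing the constructed tree with your install path; anything it lists still needs a human to read the file before deciding it is hostile.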