    • 22815
    • 1,097 Posts
    If anyone is reading this and isn’t sure whether they have register_globals set to On or Off, remember that you can view the PHP Info within the Manager:

    In 0.9.2.1:
    Administration > View System Info and then click View next to phpInfo()
    In 0.9.5:
    Reports > System Info and then click View next to phpInfo()

    Look for register_globals. It is the On/Off in the first column that you should be concerned by (I think).
      No, I don't know what OpenGeek's saying half the time either.
      • 28439
      • 222 Posts
      On a shared webspace server I had the same problem. The hacker left a file: assets/hack.html
      The server was also used as a spam relay.

      Here is an additional possibility to fight against these hacks by editing your .htaccess file:
      __________________________________________________
      RewriteEngine On

      RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC]
      RewriteRule ^(.*) - [F]
      __________________________________________________

      Description:
      RewriteCond %{QUERY_STRING} (.*)=http(.*) = Controls the value after index.php?XXXX if there is an external file included, for example index.php/site=http://xxxx.com/yyyy.php
      [NC] = Ignore case sensitivity
      RewriteRule ^(.*) - [F]
      __________________________________________________

      What about a security mailing list?

      And thanks to Ryan for solving the problem very fast.
        Gone away and found a better place to stay
        • 727
        • 502 Posts
        I had a site that was hacked. I simply removed hello.html, index.html and alp.html and my site was back up and running. I’ve deleted mcpuk. Everything seems to be fine. Is there anything else I need to do? My config.inc.php was not modified (set to read only and owned by the account user).

        Andy
          • 16429
          • 254 Posts
          Quote from: OncleBen31 at Nov 04, 2006, 07:33 PM

          I’ve added feature request FS#653 to ask for a box in the manager that displays announcements from the official MODx site, like in the admin page of SMF.
          This feature will allow security warnings to be transmitted quicker than an announcement in the forum.

          Quote from: kudolink at Nov 04, 2006, 08:28 PM

          I thought the same and I plan to add an RSS feed from this forum in the manager welcome page tomorrow.

          Done.
            kudo
            www.kudolink.com - webdesign (surprised?)

            • 10816
            • 28 Posts
            Do you know if there is a way to catch the remote-script they are trying to execute?
            Not to reuse grin, but to see what they want to or can modify?
              • 32982
              • 674 Posts
              Hi, I have had an attack and found a file main.php in the directory,
              and all my documents on my server are 755 config.
              What kind of access does this vulnerability have? Do I need to re-chmod all files on my server?
              Could they put another file to later do the same or worse?
              I'm on shared hosting with 10 domains in an account and all are chmodded.
              Could it have access lower than public_html?
              Thanks in advance.
                Jabiertxof (formerly XYZVISUAL)
                My business: http://marker.es
                https://www.youtube.com/user/jabiertxof/videos
                • 28439
                • 222 Posts
                Quote from: xyzvisual at Nov 05, 2006, 10:24 PM

                Hi, I have had an attack and found a file main.php in the directory,
                and all my documents on my server are 755 config.
                What kind of access does this vulnerability have? Do I need to re-chmod all files on my server?

                The access to your files is the access of the user who runs the php scripts. It’s a "normal" hack.

                Quote from: xyzvisual at Nov 05, 2006, 10:24 PM

                Could they put another file to later do the same or worse?

                This is possible if a file is included with a global variable and the PHP option "register globals" is set to on. This option is set on most shared hosting. Because of that, I posted the way of defending against this with a .htaccess file.

                Quote from: xyzvisual at Nov 05, 2006, 10:24 PM

                I'm on shared hosting with 10 domains in an account and all are chmodded.
                Could it have access lower than public_html?
                Thanks in advance.

                The best way is to restore a backup of your sites. But change that Thumbnail.php file as described by Ryan at the beginning of this task before you load your backup to your sites.

                Hope that will help
                  Gone away and found a better place to stay
                  • 32982
                  • 674 Posts
                  Thanks very much, I am asking my host to restore the account.
                    Jabiertxof (formerly XYZVISUAL)
                    My business: http://marker.es
                    https://www.youtube.com/user/jabiertxof/videos
                  • I’ve reviewed several of them. Most are a collection of various checks for certain PHP extensions that might enable them to try particular hacks. For instance, one I saw looked for shmop and tried to write to a shared block of memory and then remove it. Others attempted to chmod or chown everything they could. By executing their own script on your server, as the PHP user account, they can do anything possible with PHP on that server; they just have to figure out what they can do in your configuration and exploit it. And that’s exactly what they are doing. And they are not going to stop anytime soon from the looks of it...

                    You can see all the attempts in your Apache server logs and typically just go to the address being set as base_path to see the file they are using in the attempt.
                      • 32982
                      • 674 Posts
                      Thanks again
                        Jabiertxof (formerly XYZVISUAL)
                        My business: http://marker.es
                        https://www.youtube.com/user/jabiertxof/videos
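
The log review described in the last reply and the RewriteCond posted earlier in the thread, as an added example that is not part of the original posts: a Python sketch that pulls requests carrying a remote URL in a query parameter out of Apache access-log lines and reports whether the thread's rule would refuse them. The log lines, addresses, host names and the `/path/to/Thumbnail.php` path are constructed placeholders; `base_path` is the parameter named in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Pattern from the RewriteCond in the thread; [NC] becomes IGNORECASE, and Apache
# searches the raw (undecoded) query string without anchoring.
REWRITE_COND = re.compile(r'(.*)=http(.*)', re.IGNORECASE)
# A parameter value that is itself a remote URL (checked after URL-decoding).
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rule_would_block(query):
    """True if the thread's RewriteCond matches this query string (request gets 403)."""
    return REWRITE_COND.search(query) is not None

def find_remote_url_params(lines):
    """List requests whose decoded query parameters carry a remote URL as value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        client, target, status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_VALUE.match(value):
                hits.append({"client": client, "path": parts.path, "param": name,
                             "remote": value, "status": int(status),
                             "rule_would_block": rule_would_block(parts.query)})
    return hits

# Constructed sample lines (documentation addresses, placeholder script path).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2006:22:10:01 +0100] "GET /path/to/Thumbnail.php?base_path=http://remote.example/a.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Nov/2006:22:11:40 +0100] "GET /index.php?id=12 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [06/Nov/2006:09:02:13 +0100] "GET /path/to/Thumbnail.php?base_path=http%3A%2F%2Fremote.example%2Fb.txt HTTP/1.1" 403 210',
    '198.51.100.9 - - [06/Nov/2006:09:30:00 +0100] "GET /index.php?id=3&ref=http://www.example.org/links.html HTTP/1.1" 403 210',
]

if __name__ == "__main__":
    for hit in find_remote_url_params(SAMPLE_LOG):
        print(hit)
```

A 200 on a flagged line means the request was served before the rule was in place, so that host deserves a closer look. The `ref` line shows that the rule also refuses ordinary links that pass a URL in the query string.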