    • 30862 (14 Posts)
    Good point Everett, I removed the majority of the code. I'm planning to shut down that server completely and transfer a site backup to a new machine (using a cloud server, so this should be fairly quick). Also, hopefully upgrading to 2.2.13 closed any known holes.
    • You'll want to be vigilant about reviewing the code in the backup -- it may go without saying, but you don't want to introduce the problem in the new environment.
      • Fortunately I can restore from a very old backup without too much trouble; there's not a lot of recent data on this server anyway, and what little there is I can transfer as plain text and inspect manually. What I don't get is, why not just install its payload and then delete itself? Why leave a plugin lying around that you can see in the manager interface? It just seems too clumsy to be part of some vast nefarious network, but presumably the only safe bet is to assume that it is anyway.
        • Kudos to you for having a backup.

          Ha... a lot of malware is sloppy coding. What was weird about this one to me was that the hack had comments and licensing info included. Seriously, that's a first for me. I've seen MODX-specific hacks before (most saliently the notorious Reflect exploit on Evo), but I admit it is rare in my experience. It's not unusual to leave tracks uncovered though.

          Re the purpose of it, we can speculate -- if you wanted to decode the payload (or the stuff ultimately uploaded to your server) it might shed some light on the intent (e.g. is there a "mothership" involved). It might be an early version of this exploit... for all we know it might be someone just testing it out and refining as they go. It might be a forum member. Probably impossible to say.
            • 46922 (6 Posts)
            Hi - first-time post here - I've been a happy MODX user for years - got hit with this hack at the exact same time as Thomas - thanks for this post, it was very useful in helping me figure out what happened.

            Unfortunately my last DB backup was a bit too old - so I've upgraded, deleted the plugin from the DB, removed all DB logins and moved the manager / core folders elsewhere, where they (hopefully) can't be found. That's about all I could think of doing, so I'll just have to hope for the best and keep an eye on it. Any other suggestions are appreciated.

            Thanks.

            • Definitely a good idea to change paths, because if a backdoor is installed, chances are good that it's bookmarked, so changing the paths should break the bookmark. You should go through every directory with a fine-toothed comb. Ditch anything you can re-install and install a fresh copy (e.g. core directory: trash it and install a new one fresh). Same for each and every add-on. Go through your assets directory very carefully and look for any modified files, especially for PHP files that don't belong there. If a backdoor is still present on your site, you'll be repeating this exercise again.
                • 46922 (6 Posts)
                Thanks - for anyone else who comes across this, it might be useful to know that I found some PHP files (cache.idx.php, xPDO.idx.php) in assets that contain the backdoor. Searching the site for PHP files created or modified around the date of the hack brought them to light. I'll do a completely fresh install soon anyhow.
                  • 30862 (14 Posts)
                  I found those files as well. cache.idx.php was actually named .cache.idx.php (note the leading dot). That will make the file hard to spot in some environments!
                  • I found those as well (I happen to have an image of my server from the time period when the infection was active, I spun it up to investigate), and they are the only files on my system that contain the actual text of the plugin. That doesn't mean there are not other back doors, just that if there are, they don't contain the full text.
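                  The search the last few posts describe (PHP files modified around the incident date, PHP files sitting under assets/ where none belong, and files carrying the plugin's text), as an added POSIX sh example that is not code from this thread or from MODX. The web root layout, the date window, the marker string and the fixture built by build_fixture are all constructed for illustration; the fixture contains no real malware. It deliberately uses touch -t plus find -newer instead of GNU-only -newermt so it also runs on BSD and busybox, and it finds dot-prefixed names such as .cache.idx.php because find's -name matches the whole basename, unlike a plain ls.

```shell
#!/bin/sh
# Added example (not from the thread or MODX): triage helpers for a web root
# after a dropped-PHP-backdoor incident. All paths, dates and the marker
# string are assumptions for illustration.

# List PHP files modified inside a window. Timestamps are YYYYMMDDhhmm.
# Usage: find_php_in_window WEBROOT START END
# Two reference files carry the window bounds so only POSIX find primaries
# are needed (-newer), and dot-prefixed names are matched by -name.
find_php_in_window() {
    webroot=$1; start=$2; end=$3
    refdir=$(mktemp -d)
    touch -t "$start" "$refdir/start"
    touch -t "$end" "$refdir/end"
    find "$webroot" -type f -name '*.php' \
        -newer "$refdir/start" ! -newer "$refdir/end" | sort
    rm -rf "$refdir"
}

# Any PHP file under assets/ is suspect: that tree should hold static files.
# Usage: find_php_in_assets WEBROOT
find_php_in_assets() {
    find "$1/assets" -type f -name '*.php' | sort
}

# Fixed-string search of every PHP file for text copied from the malicious
# plugin (the posts above report the dropped files carry the plugin's text).
# Usage: find_files_with_marker WEBROOT MARKER
find_files_with_marker() {
    find "$1" -type f -name '*.php' -exec grep -lF -- "$2" {} + | sort
}

# Constructed fixture resembling the incident: two PHP files dropped into
# assets/ (one dot-prefixed) with the marker, beside older legitimate files.
# Prints the fixture path; caller removes it.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/assets/images" "$root/core/model"
    printf '<?php // constructed legitimate front controller\n' > "$root/index.php"
    printf '<?php // constructed legitimate core file\n' > "$root/core/model/legit.class.php"
    printf '<?php /* constructed dropped backdoor */ // CONSTRUCTED_PLUGIN_MARKER\n' \
        > "$root/assets/.cache.idx.php"
    printf '<?php /* constructed dropped backdoor */ // CONSTRUCTED_PLUGIN_MARKER\n' \
        > "$root/assets/xPDO.idx.php"
    printf 'GIF89a\n' > "$root/assets/images/logo.gif"
    # Legitimate files predate the incident; the dropped files fall in the window.
    touch -t 201301010000 "$root/index.php" "$root/core/model/legit.class.php" \
        "$root/assets/images/logo.gif"
    touch -t 201312010000 "$root/assets/.cache.idx.php" "$root/assets/xPDO.idx.php"
    printf '%s\n' "$root"
}

# Run "sh triage.sh --demo" to build the fixture and print the three reports.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_fixture)
    echo "== PHP files modified 2013-11-25 .. 2013-12-10:"
    find_php_in_window "$root" 201311250000 201312100000
    echo "== PHP files under assets/:"
    find_php_in_assets "$root"
    echo "== PHP files containing the marker:"
    find_files_with_marker "$root" CONSTRUCTED_PLUGIN_MARKER
    rm -rf "$root"
fi
```

                  On a real host, run the three reports against the live web root with the incident date from your logs and a string taken verbatim from the malicious plugin record in the database; a file that shows up in only one report still deserves a look, since a dropper can reset mtimes or encode its payload so the marker never appears in clear text.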
                      • 46924 (1 Post)
                      I'm trying to help some people who have been stung by this. It looks like it started as early as the end of Nov 2013, and they only spotted it a week ago when someone did a check of the site for bad links. The "service" they use upgraded MODX and claimed to have removed the bad plugin, but missed the support account, which I have just disabled. Anything else I should check? Also, their MODX says "rev 6066"; is that the latest?