    • 20413
    • 2,877 Posts
    Quote from: markoj at Jul 21, 2014, 05:07 PM

    I know this may be the lazy way out, but having a bunch of sites done for clients over the years, with various versions of Evo, I don't necessarily want to have to upgrade Evo, nor ajaxsearch for all of them.

    Not only is it lazy, it's also irresponsible and can damage your clients' brands and trust.
    This assumes you know how to charge money for your work. At least you can point your clients to MODX Developers who are willing to do the job. AMDBuilder is one!
      @hawproductions | http://mrhaw.com/

      Infograph: MODX Advanced Install in 7 steps:
      http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

      Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
      http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
      • 9995
      • 1,613 Posts
      You need to delete the snippet, the files and the index-ajax.php file, and then that one is clean.

      But it's better to upgrade; last month I updated about 70 sites. It's a pain for some sites. Just make sure you back up.
        Evolution user, I like the back-end speed and simplicity smiley
        • 15992
        • 33 Posts
        So here it was on one of my clients' sites.
        The file that was used to create some hack files was /index-ajax.php

        /assets/snippets/ditto/snippet.ditto2.php
        /assets/plugins/639b7s.php
        /assets/templates/01knd3.php

        Since we do not use search at the site, we chose to remove /index-ajax.php

          • 9995
          • 1,613 Posts
          Then remove /assets/snippets/ajaxsearch as well! Or update. Only removing index-ajax isn't going to work.
            • 18389
            • 169 Posts
            If I don't do a full modx upgrade, I also remove the snippet from the manager once logged into the backend as well, just to make sure.

            I remove the snippet entirely in all the areas suggested even with a fresh install of 1.0.14 since I never use ajax search on any site, and I don't want to risk the newer versions getting hacked either.

            Has anyone found out what the hack actually does to a site?
              www.markojokic.com
              • 20413
              • 2,877 Posts
              Quote from: markoj at Jul 28, 2014, 05:43 PM
              Has anyone found out what the hack actually does to a site?

              > http://forums.modx.com/thread/91266/modx-evolution-1-0-13-and-prior-ajaxsearch-vulnerability

              > https://github.com/modxcms/evolution/issues/264#issuecomment-45465789
                • 18389
                • 169 Posts
                Thanks mrhaw,
                That second link is the one I had never seen before, it gave me the full run down.

                I have updated almost all of my clients' sites to 1.0.14 now, and deleted the ajax search from all necessary areas since I never use it and it seems to have a history of vulnerability.

                As for some of my older, no longer paying clients that have fallen off the map so to speak... also freebies and such, I went with just deleting all of the ajax search files and folders, first making sure they haven't been hit as well.

                  • 20413
                  • 2,877 Posts
                  Quote from: markoj at Jul 28, 2014, 07:05 PM
                  Thanks mrhaw,
                  That second link is the one I had never seen before, it gave me the full run down.

                  I have updated almost all of my clients' sites to 1.0.14 now, and deleted the ajax search from all necessary areas since I never use it and it seems to have a history of vulnerability.

                  As for some of my older, no longer paying clients that have fallen off the map so to speak... also freebies and such, I went with just deleting all of the ajax search files and folders, first making sure they haven't been hit as well.


                  Excellent!

                  The first 3 things to do when/if you find a remote file inclusion:
                  1) Scan all folders for newly created files by checking the file timestamps.
                  2) Make sure no Manager/Web Users have been added.
                  3) Change hosting passwords (MySQL, FTP etc.).

                  IMHO: Best protection is a backup offline on a local webserver. Then if a site gets compromised:
                  1) Download the latest assets (pics, PDFs etc.) and make sure they are legit.
                  2) Secure the site: patch/upgrade.
                  3) Wipe everything on the server and replace with the fixed/up2date backup.
                    • 38259
                    • 2 Posts
                    Hi all,
                    Ok, this is interesting. I got hacked through most likely the same security hole, with files created by index-ajax.php.

                    I upgraded as advised to 1.0.14. New passwd etc for ftp.
                    However, yesterday I received another email from the host stating that a new attack had been made shortly after my update to Evo 1.0.14. It now seems to be in the transalias folder, where a file is72ha.php has been created. And the .../assets/snippets/ditto/snippet.ditto2.php is there again.

                    BTW:
                    Has anyone found out what the hack actually does to a site?

                    In my case SPAM ("Payment for driving on toll road") was distributed from my domain, I haven't been able to track quite how much, but it seems serious enough...

                    Grateful for any comments on this. I cannot find any feedback on this possible vulnerability in Evo 1.0.14.
                      • 18389
                      • 169 Posts
                      That is terrible news.
                      Just after I read your post, modness, a friend called me saying that her hosting found it on her site and she should change all her passwords including ftp. I found all of the tell-tale signs, that snippet.ditto2.php. I am going to upgrade her to 1.0.14 as soon as I get a chance.

                      After spending a lot of time upgrading a lot of sites to 1.0.14, I am going back through it all to make sure that I also delete all traces of ajax-search.
                      I hope that the vulnerability is limited to ajax-search.
                      If it is still happening in 1.0.14 I think it should be considered to NOT have it as a default in the vanilla install of modx.

                      Here was a piece of code I found in one of the files made, just when I am getting told that the Russians have millions of people's passwords:

                      <?$tds="http://spoilt.ptds2.ru/TDS.post.php";$tdsip="194.28.70.132";$lin="http://g0od.ru/uz/index.php";$esdid="viagh";$key="bjijtyuumyummktyt865ue56yg56kmyjnkj67ti";?><?//BREACK//?>
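The following is an added example, not code from this thread or from the MODX project. It turns two points raised above into a runnable triage script: mrhaw's first step after a remote file inclusion (scan all folders for newly created files by timestamp) and the tell-tale artifacts posted in the thread (PHP files with random six-character names such as 639b7s.php, 01knd3.php and is72ha.php, and the marker strings in the dropper fragment markoj pasted: "TDS.post.php", "//BREACK//", "$tds="). The function names and the reference-file convention (.last_known_good) are assumptions of this example, and the sample web root it builds for a stand-alone run is constructed, with inert file contents.

```shell
#!/bin/sh
# Added example, not code from the thread or from MODX: a post-incident
# triage scan. It lists files modified after a reference file, flags PHP
# files whose names match the random six-character pattern reported above,
# and finds files carrying marker strings from the posted dropper fragment.
# Function names are hypothetical; the sample web root is constructed.

# Files under $1 modified after the reference file $2 (POSIX find -newer).
# Create the reference file (e.g. `touch .last_known_good`) right after a
# clean deploy so later scans have something to compare against.
find_newer() {
    find "$1" -type f -newer "$2" | sort
}

# PHP files whose basename is exactly six [a-z0-9] characters, the naming
# pattern of the dropped files reported in the thread. Heuristic only:
# review each hit by hand before deleting anything.
find_odd_php_names() {
    find "$1" -type f -name '*.php' | grep -E '/[a-z0-9]{6}\.php$' | sort
}

# Files containing marker strings taken from the code fragment posted above.
find_dropper_markers() {
    grep -rlE 'TDS\.post\.php|//BREACK//|\$tds=' "$1" | sort
}

# Run all three checks and print a labelled report.
triage_report() {
    webroot="$1"; ref="$2"
    echo "== files modified after $ref =="
    find_newer "$webroot" "$ref"
    echo "== php files with random-looking names =="
    find_odd_php_names "$webroot"
    echo "== files containing dropper markers =="
    find_dropper_markers "$webroot"
}

# Build a constructed sample web root for a stand-alone run: two legitimate
# files dated before the reference file, and three planted files mimicking
# the ones named in the thread (inert content, marker strings only).
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/assets/snippets/ditto" "$root/assets/plugins" "$root/assets/templates"
    printf '<?php // legitimate index\n' > "$root/index.php"
    printf '<?php // legitimate ditto snippet\n' > "$root/assets/snippets/ditto/snippet.ditto.php"
    touch -t 202001010000 "$root/index.php" "$root/assets/snippets/ditto/snippet.ditto.php"
    touch -t 202001020000 "$root/.last_known_good"
    printf '<?$tds="http://example.invalid/TDS.post.php";?><?//BREACK//?>\n' > "$root/assets/plugins/639b7s.php"
    printf '<?php // constructed: mimics the dropped template file\n' > "$root/assets/templates/01knd3.php"
    printf '<?php // constructed: mimics snippet.ditto2.php //BREACK//\n' > "$root/assets/snippets/ditto/snippet.ditto2.php"
    echo "$root"
}

# Stand-alone demo: `sh triage.sh --demo`. On a real site call
# `triage_report /path/to/webroot /path/to/webroot/.last_known_good`.
if [ "$1" = "--demo" ]; then
    demo_root=$(make_sample_webroot)
    triage_report "$demo_root" "$demo_root/.last_known_good"
    rm -rf "$demo_root"
fi
```

On the constructed sample the timestamp check reports the three planted files, the name heuristic reports 639b7s.php and 01knd3.php, and the marker grep reports 639b7s.php and snippet.ditto2.php. Timestamps are only a first pass, since an attacker who already has write access can reset them with touch, so the name and content checks are there to catch what the mtime scan misses; mrhaw's remaining steps (check for added Manager/Web users, rotate MySQL and FTP passwords, then restore from a known-good backup after patching) still apply.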