    I also had a message from Direct Admin where the limit of sending e-mails / day was reached. On a 1.0.14 version. I noticed that evogallery wasn't updated.

    Do you have EvoGallery?

    There is a fix here:
    https://github.com/Mark-H/EvoGallery/tree/master/assets/modules/evogallery/js/uploadify

    My transalias folder is clean, couldn't find any other suspicious files.
      Evolution user, I like the back-end speed and simplicity.
      I don't use evogallery, I use maxigallery. There hasn't been an update for it in a long time..
      I have found a handful of files created within the manager folder of an infected site.

      So far nothing is wrong with my 1.0.14 installs, but I removed ajax-search from all of them. I really hope it is just that one snippet and its files.

      Please keep reporting if you have 1.0.14 issues since the only fixes have been to upgrade to 1.0.14.... yet it seems to be vulnerable too.
        www.markojokic.com
        Quote from: markoj at Aug 07, 2014, 12:38 PM
        ...
        Please keep reporting if you have 1.0.14 issues since the only fixes have been to upgrade to 1.0.14.... yet it seems to be vulnerable too.

        What if you wipe the server clean, change ALL passwords, make sure there are no added web users, manager users, ftp users, phpMyAdmin users and so on. Install MODX 1.0.14 fresh and import html and secure assets. + Keep a backup of the site.

        It's not enough only deleting the index-ajax file. Have you updated the manager forgot password plugin? If your eForm is old, do you filter its input? The same thing is true for AjaxSearch where we've always been able to filter input right in the config file.

        + phpThumb is a bottomless...
          @hawproductions | http://mrhaw.com/

          Infograph: MODX Advanced Install in 7 steps:
          http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

          Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
          http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
          mrhaw, yeah, I have decided to go with that method as I am finding the hacked files all over some sites, and upgrading just won't do, nor get rid of some new files it creates. Going in and changing all of the hosting passwords you mentioned is necessary as well, which is kind of a pain, especially when the hosting stupidly keeps the same password for the account in general, and all of the ftp, database, etc.

          I had some trouble importing the database of a 1.0.5 site into a clean install of 1.0.14. I remember ditto not working quite right.. I am about to do it again so I will take notes on what needs some more manual work, or even a downgrade of a snippet, which I really don't want to do.
            Another interesting/crappy thing I found with this is a folder named "cached" with a "_testimonials.html" file that has all these links and more:

            Online Pharmacy

            Shopping Cart 0
            Home
            About
            FAQ
            Contact
            Shipping
            Order Status
            all categories
            Men's Sexual Health
            Viagra (Generic)
            Cialis (Generic)
            Viagra® (Brand)
            Levitra (Generic)
            etc...etc...

            It had some images as well, I think all of this is to put into emails that it sends.


            Also a bunch of php files got inserted in to the "/galleries/1/" folder that maxigallery uses.
              Meanwhile... Russian Hackers Amass Over a Billion Internet Passwords http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=1

              The sad thing is that malware can now be hidden in the code blocks of legit files (the scanners will miss it). And in files themselves: I found a slightly modified MooTools library that was shipped with a plugin (not MODX). The js contains code that acts as a backdoor into the site... Found this by using: http://evuln.com/tools/malware-scanner/
                That article makes it sound like a losing battle.

                “There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

                I looked up one of the ip addresses in some of the code and it is registered to someone in Ukraine.
                  I tried to block whole IP-Ranges from China... They never end!

                  Most of my original handbooks in web design and programming hardly touch on web security. Mostly because the endless possibilities we get in our tools can't be predicted. But we have to realize people will abuse and exploit any loose end they can find.

                  But how sad if we destroy the freedoms of the web in order to safeguard against script kiddies. If we learned how to back up our sites, 90% of the postings to these forums would be about improvements instead of people blaming MODX for everything that is bad.
                    Open source can be a double-edged sword like that too.

                    The bright side is that this is making me review all of my common practices which should be tighter anyway.... and update some really old sites.

                    I wish I had more programming skills to contribute, but everything I know is what I picked up while learning modx in these forums.

                    I will be watching all of my 1.0.14 w/o ajax-search installs to see if anything pops up.
                      Two sites that I overlooked in my deletions of Ajaxsearch files (since I don't use the snippet at all) were hacked. I had notice of suspension of one of them from my hosting company, which led me to check all the others again.

                      The suspended site had a PHP file (4e6800380.php) planted in the assets/images folder. That appears to have been put there the day before using a POST to index-ajax.php, and it was later accessed to dispatch spam continuously until spotted by the hoster.

                      So it's not just snippet.ditto2.php you need to check for. It's any alien PHP file in your installation. I use FileZilla FTP, which now has a useful search tool - I found this file and a similar one called 4eb63fb26.php on a second vulnerable site using a search by date (anything later than 31st July).

                      ;( KP
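The search KP describes doing by hand in FileZilla (any PHP file planted in an upload folder, or touched after 31st July) can be scripted. This is an added example, not code from the thread or from MODX: it walks an install, flags PHP files that sit under upload directories, carry a random hex name like 4e6800380.php, or were modified after a cutoff date, and builds a constructed sample install in a temp directory to run against. The upload directory list and the hex-name pattern are assumptions.

```python
# Added example, not code from the thread: flag PHP files that a MODX Evolution
# install should not contain. All paths, names and dates are constructed.
import os
import re
import tempfile
from datetime import datetime, timezone

UPLOAD_DIRS = ("assets/images", "assets/galleries", "assets/files")  # uploads only, never PHP
HEXNAME = re.compile(r"^[0-9a-f]{8,12}\.php$", re.I)  # names like 4e6800380.php (assumed pattern)


def find_suspect_php(root, since):
    """Sorted relative paths of .php files that sit in an upload directory,
    carry a random hex name, or were modified after `since` (UTC datetime)."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            in_upload = any(rel.startswith(d + "/") for d in UPLOAD_DIRS)
            if in_upload or HEXNAME.match(name) or mtime > cutoff:
                hits.append(rel)
    return sorted(hits)


def build_sample_site():
    """Constructed install: a core file dated before the cutoff, a planted PHP file in assets/images, a fresh ditto2 file."""
    root = tempfile.mkdtemp()
    old = datetime(2014, 7, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2014, 8, 5, tzinfo=timezone.utc).timestamp()
    layout = {
        "index.php": old,
        "assets/images/4e6800380.php": new,
        "assets/snippets/ditto/snippet.ditto2.php": new,
        "assets/images/logo.png": new,  # non-PHP upload, must not be flagged
    }
    for rel, ts in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (ts, ts))  # backdate so the mtime check is meaningful
    return root


def demo():
    """Run the scan with the 31 July cutoff KP mentions; returns the hit list."""
    return find_suspect_php(build_sample_site(), datetime(2014, 7, 31, tzinfo=timezone.utc))
```

Run `demo()` against a real install by swapping in its document root; the mtime check is only as good as the server clock and will miss files an attacker has backdated, so the upload-directory and name checks are the ones to rely on.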