-
- 1,198 Posts
In the last two days a lot of my Evo sites have been compromised. Almost all were already updated to 1.0.14 (the oldest one was 1.0.12).
I think the problem is not only in AjaxSearch, but in TinyMCE.
I'm not a security expert, but I suspect that TinyMCE is used to access the image folders of MaxiGallery and the old 0.9x ImageEditor (manager/media/ImageEditor).
Do you have a server access log from the time it was compromised?
-
- 1,613 Posts
Quote from: kp52 at Aug 08, 2014, 11:13 AM
I use FileZilla FTP, which now has a useful search tool
Good tip, didn't know about this, I use FileZilla also.
I forgot about updating EvoGallery for one domain, and really did a big cleanup.
Did it by updating the /assets folder manually (removing only the snippets/plugins/modules and checking all other folders), also removed the /manager folder completely and just added the config file back after checking it. Then upgraded.
There were no new users or manager logins.
Evolution user, I like the back-end speed and simplicity
-
- 1,198 Posts
Quote from: Jako at Aug 08, 2014, 11:55 AM
Do you have a server access log from the time it was compromised?
After more investigation, I realized that the attack on my sites occurred several weeks ago, probably before the upgrade to 1.0.14.
Once inside, they had access to all folders containing images and wherever an upload script was available (MaxiGallery folders, ImageEditor, directresize folders).
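The manual sweep described earlier in the thread (strip the snippets/plugins/modules out of /assets, check every other folder, rebuild /manager) and the observation above that the intruder used the image folders with upload scripts can be turned into a scripted check. The following is an added example, not code from the thread or from MODX: it walks a set of directories that should only ever contain static files and flags three things a cleanup tends to miss, a file with a PHP extension, a PHP open tag hidden inside a file with an image extension, and a dropped .htaccess that could map image extensions back onto the PHP handler. STATIC_ROOTS and PHP_EXT are assumptions about a typical Evolution layout and default Apache/PHP setup; the sample tree the script builds is constructed for demonstration and its file contents are placeholders.

```python
import os
import re
import tempfile

# File extensions the PHP handler typically executes (assumption: default Apache/PHP setup).
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")

# Directories that should hold only static files in a MODX Evolution install.
# Assumption about layout: adjust to the gallery/upload paths your own sites use.
STATIC_ROOTS = ("assets/images", "assets/galleries", "manager/media/ImageEditor/img")

# PHP open tag, used to spot PHP hidden inside a file with an image extension.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def scan_tree(webroot, roots=STATIC_ROOTS, head_bytes=65536):
    """Walk the static-only roots below webroot and return sorted (relative path, reason)
    pairs for every file that could execute or re-enable execution."""
    hits = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(os.path.join(webroot, root)):
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                lower = name.lower()
                if lower.endswith(PHP_EXT):
                    hits.append((rel, "php extension in static dir"))
                elif lower == ".htaccess":
                    # An attacker-dropped .htaccess can map .jpg onto the PHP handler.
                    hits.append((rel, ".htaccess in static dir (may re-enable php)"))
                else:
                    # Only the head of the file is read; large images stay cheap to check.
                    with open(full, "rb") as fh:
                        head = fh.read(head_bytes)
                    if PHP_TAG.search(head):
                        hits.append((rel, "php open tag inside non-php file"))
    return sorted(hits)

def build_sample_site():
    """Constructed sample web root for demonstration only (not a real site);
    file contents are placeholders, not real shells."""
    root = tempfile.mkdtemp(prefix="evo_scan_")
    files = {
        "assets/images/logo.png": b"\x89PNG\r\n\x1a\n placeholder",
        "assets/galleries/184/model.php": b"<?php /* constructed placeholder */ ?>",
        "assets/galleries/184/photo.jpg": b"\xff\xd8\xff\xe0JFIF\x00<?php /* constructed: tag hidden in image */ ?>",
        "assets/galleries/184/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
        "manager/media/ImageEditor/img/option.php": b"<?php /* constructed placeholder */ ?>",
        "manager/media/ImageEditor/img/icon.gif": b"GIF89a placeholder",
        "assets/snippets/foo.php": b"<?php /* legitimate code lives outside the static roots */",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/webroot   (falls back to the constructed sample tree)
    webroot = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for rel, reason in scan_tree(webroot):
        print(f"{reason:45} {rel}")
```

Run it against each site's web root after an upgrade; anything it lists under a gallery or image directory is either a leftover from the compromise or a legitimate file that belongs somewhere else. The snippet under /assets/snippets is deliberately outside the scanned roots, so legitimate MODX code is not reported.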
-
- 1,198 Posts
I'm not an expert, but this is what I can see in today's log:
91.197.229.160 - - [08/Aug/2014:16:06:53 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
37.59.11.161 - - [08/Aug/2014:16:07:08 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
62.75.168.203 - - [08/Aug/2014:16:07:45 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14073 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
46.118.124.162 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
46.118.124.162 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
46.118.124.162 - - [08/Aug/2014:13:12:30 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
46.118.124.162 - - [08/Aug/2014:13:12:31 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
46.118.124.162 - - [08/Aug/2014:13:12:33 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
46.118.124.162 - - [08/Aug/2014:13:12:34 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
88.191.238.61 - - [08/Aug/2014:14:45:34 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
83.169.33.16 - - [08/Aug/2014:14:50:26 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
50.62.161.74 - - [08/Aug/2014:14:51:32 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
64.78.58.4 - - [08/Aug/2014:13:37:03 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
217.172.32.84 - - [08/Aug/2014:13:39:41 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
80.237.132.238 - - [08/Aug/2014:13:40:14 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
89.163.225.1 - - [08/Aug/2014:13:42:38 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
195.190.28.173 - - [08/Aug/2014:13:43:53 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.240.176.17 - - [08/Aug/2014:13:44:10 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
198.57.216.208 - - [08/Aug/2014:13:48:42 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
85.143.166.103 - - [08/Aug/2014:13:49:55 +0200] "POST /assets/plugins/tinymce/js/themes.php HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
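The log excerpt above contains the pattern worth alerting on: POST requests to .php files inside directories that should only serve images or JavaScript. The status code then tells you what the request achieved: a 404 means the file is not there, a 403 means the server refused it (for example because PHP execution is blocked in that folder), and a 2xx means a PHP file at that path exists and ran, which is the case for the last entry, /assets/plugins/tinymce/js/themes.php, and is the one to check on disk first. The following is an added example, not code from the post or from MODX: a small triage script that applies that reasoning to combined-format access logs. The sample lines embedded in it are constructed copies of a few entries quoted above, and STATIC_PREFIXES is an assumption about which directories of an Evolution install should never serve PHP.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the access-log excerpt in the post above
# (Apache combined log format). They are test data here, not a live log.
SAMPLE_LOG = """\
91.197.229.160 - - [08/Aug/2014:16:06:53 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
46.118.124.162 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
88.191.238.61 - - [08/Aug/2014:14:45:34 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
64.78.58.4 - - [08/Aug/2014:13:37:03 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
85.143.166.103 - - [08/Aug/2014:13:49:55 +0200] "POST /assets/plugins/tinymce/js/themes.php HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever serve static files (images, JS, CSS).
# Assumption: typical MODX Evolution layout; extend for your own upload paths.
STATIC_PREFIXES = (
    "/assets/galleries/",
    "/assets/images/",
    "/assets/plugins/",
    "/manager/media/",
)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script_in_static_dir(path):
    """True when the request path is a PHP script under a static-only prefix."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(STATIC_PREFIXES) and p.endswith((".php", ".phtml", ".php5"))

def triage(log_text):
    """Return (findings, by_path): findings is a list of suspicious hits in log order,
    by_path maps each targeted path to the set of status codes seen for it."""
    findings = []
    by_path = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not is_script_in_static_dir(rec["path"]):
            continue
        by_path[rec["path"]].add(rec["status"])
        # 2xx: a PHP file really exists at that path and executed -> likely web shell.
        # 403: the request was refused (e.g. PHP blocked in that folder by .htaccess).
        # Anything else (404 etc.): a probe for a file that is not there.
        if rec["status"].startswith("2"):
            sev = "CRITICAL"
        elif rec["status"] == "403":
            sev = "blocked"
        else:
            sev = "probe"
        findings.append({"severity": sev, "ip": rec["ip"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "ua": rec["ua"]})
    return findings, dict(by_path)

def critical_paths(log_text):
    """Paths that answered a PHP request in a static directory with 2xx: check these on disk."""
    findings, _ = triage(log_text)
    return sorted({f["path"] for f in findings if f["severity"] == "CRITICAL"})

if __name__ == "__main__":
    import sys
    # Usage: python triage.py /var/log/apache2/access.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text)[0]:
        print(f"{f['severity']:9} {f['status']} {f['ip']:16} {f['method']} {f['path']}")
```

Even the 403 and 404 entries are useful: they are the attacker's list of paths where a dropped script is expected, so they tell you which gallery and editor folders to inspect and which ones the .htaccess restrictions are already covering.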
-
- 1,613 Posts
3. If you don't use AjaxSearch you can remove this for sure: /index-ajax.php, /assets/snippets/ajaxsearch and also the snippet in your manager. The Forgot Manager Password plugin can be removed too; that's what I do. When I can't access my manager there are other ways to get back in or change the password.
Evolution user, I like the back-end speed and simplicity
-
- 2,877 Posts
Quote from: hgw7m at Aug 08, 2014, 02:34 PM
Hello mrhaw,
thanks for your "3 things to do" to secure old sites. I have a lot of MODX Evo client installations out there in the wild and, as a marketer and web developer more than a server and security expert, I appreciate your hints here very much. I just want to make sure I completely understand your helpful 3 things:
- Item 1: Do you recommend including all 9 lines of your code or only line 1? Do they go in the root .htaccess?
- Item 2: These restrictions should be put into the assets folder via .htaccess, right?
- Item 3b: You recommend removing "Forgot manager password" and index-ajax.php also from 1.0.14 installations?
If I understand correctly, these things can also give some better sleep for updated and new sites?
Thanks a lot for your help!
1) I have those 9, all awesome, lines under the friendly URL rules.
The last line could be a burp instead!
-->
http://forums.modx.com/index.php?topic=33783.0
I send the attacker to my blackhole folder -->
http://forums.modx.com/thread/19997/securing-your-site-wiki-instructions?page=3#dis-post-111538
but the point is you want to interrupt the attacker with an http response code.
2) Yes.
3) If it's old. -->
http://forums.modx.com/thread/81545/modx-evolution-1-0-7-and-prior-forgotmanager-plugin-vulnerability
At the very top of my .htaccess I have this:
SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
SetEnvIfNoCase User-Agent "Y!OASIS/TEST" keep_out
SetEnvIfNoCase User-Agent "libwww-perl" keep_out
SetEnvIfNoCase User-Agent "MOT-MPx220" keep_out
SetEnvIfNoCase User-Agent "MJ12bot" keep_out
SetEnvIfNoCase User-Agent "Nutch" keep_out
SetEnvIfNoCase User-Agent "cr4nk" keep_out