    • 3749
    • 24,544 Posts
    Quote from: nonatomicretain at Aug 10, 2014, 11:51 PM
    ... all hacks were affecting old versions of Evolution only from what we can see so far.

    How old were the MODX versions?
      Did I help you? Buy me a beer
      Get my Book: MODX:The Official Guide
      MODX info for everyone: http://bobsguides.com/modx.html
      My MODX Extras
      Bob's Guides is now hosted at A2 MODX Hosting
      • 48548
      • 4 Posts
      Quote from: BobRay at Aug 11, 2014, 02:22 AM
      Quote from: nonatomicretain at Aug 10, 2014, 11:51 PM
      ... all hacks were affecting old versions of Evolution only from what we can see so far.

      How old were the MODX versions?

      Two that I've been looking through to work it out:

      v1.0.5
      v1.0.8
        • 48544
        • 2 Posts
        I was looking into:
        v1.0.5
        v1.0.7

        v1.0.10 was also affected.

        I found this (very old) post http://seclists.org/fulldisclosure/2012/Nov/142
        Look at section Full path disclosure (WASC-13).
        I don't know if these were patched in newer versions, but I found it interesting because some of these files/directories show similarities to the affected files/directories in my case.
        I will take a closer look at these:
        /assets/cache/siteCache.idx.php
        /assets/snippets/ditto/formats/rss.format.inc.php
        [ed. note: evo_andr4 last edited this post 9 years, 9 months ago.]
          • 36551
          • 416 Posts
          This has happened to two of my Evo sites in the last few days. One of them was running an older version of Evo, 1.0.05 (since updated). The other is running 1.0.14.

          In both cases, Hostmonster sent a note to my client stating that the site had been infected and that they had corrected the compromised files. They included a list of about 40 files that were compromised.

          Can I assume that this is taken care of?

          How would I find the infected files if Hostmonster hadn't sent the list? [ed. note: terrybarth last edited this post 9 years, 9 months ago.]
            • 36551
            • 416 Posts
            I just went through my notes and realized that the site running 1.0.14 was infected just last June. When that happened, Hostmonster indicated they had cleaned up two infected files:

            /home3/lastcal3/public_html/assets/images/logo.php
            /home3/lastcal3/public_html/lang.php

            In June, I updated the site to MODX 1.0.14. Now it's infected again, with 40 files infected (which Hostmonster says they've corrected).

            Anything else I should be doing?
              • 48548
              • 4 Posts
              I've been looking through access and error logs all day in an effort to find the entry point for this with no luck. I initially suspected an RFE hack but found no evidence of it.
                • 39195
                • 1 Posts
                Any news from this issue?

                One of my client's sites is also affected, with MODX version 1.0.6 and PHP 5.3.
                I see the newest version is also affected, so the MODX upgrade is not a solution.

                The hosting provider blocked the site and my client wants his site back.
                Until the fix arrives, can taking the write permission off the directories and files (except the cache) prevent the break-in?

                Thanks.

                  • 9995
                  • 1,613 Posts
                  Only updating won't be the solution if you still have infected files; it won't overwrite files which have a non-standard name like the logo.php. TinyMCE can have infected files, and that has a lot of files. So it would be best to clear all snippets/plugins/modules and reinstall the ones that are not default.
                  Updating will close the AjaxSearch and ForgotLogin leak, but you have to update EvoGallery as well if you have this module. Just to be sure you can change the login passwords etc. and check your log and users etc.
                  I haven't had any hacks on my (70+) 1.0.14 sites, as far as I know.

                  http://forums.modx.com/thread/93126/some-of-my-modx-1-0-14-are-hacked
                  [ed. note: fourroses666 last edited this post 9 years, 8 months ago.]
                    Evolution user, I like the back-end speed and simplicity
                  Quote from: nonatomicretain at Aug 12, 2014, 06:01 AM
                    I've been looking through access and error logs all day in an effort to find the entry point for this with no luck. I initially suspected an RFE hack but found no evidence of it.

                    The AjaxSearch/Ditto hack was often used in a POST line that is not saved with the parameters in the access log. Difficult to detect. But if you know the creation time of the php-shell, the access log could help a bit further and you could install a POST logger in that file or in that MODX resource. Maybe it is helpful to write a plugin and install it on many sites to increase the chance of detection.
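An added example of the log-correlation approach described in the post above (not code from the poster or from MODX): given the first time the planted file was requested, list the POST requests in the access log in the minutes before it. The log lines are constructed Apache combined-format samples using documentation IP ranges, and the function names and the `/assets/images/logo.php` path are assumptions. As the post says, the POST body is not in the access log, so this only narrows down which request, to which resource, and from which IP to look at next.

```shell
#!/bin/sh
# Added example: correlate a web shell's first appearance with nearby POST requests.
# Sample log lines are constructed (documentation IP ranges), not real traffic.
SAMPLE_LOG='203.0.113.5 - - [12/Aug/2014:05:58:10 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2014:06:00:41 +0000] "POST /index.php?id=7 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2014:06:01:03 +0000] "GET /assets/images/logo.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Aug/2014:06:30:00 +0000] "POST /manager/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# awk fragment shared by the functions below: turns field 4 ("[12/Aug/2014:06:01:03")
# into a sortable key 20140812060103 and stores it in "key" for the rules that follow.
AWK_KEY='
BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
{ split(substr($4, 2), p, "[/:]")
  key = p[3] mon[p[2]] p[1] p[4] p[5] p[6] }
'

# Key of the first request for PATH (access log on stdin). Use the shell's first hit
# as the end of the search window (or the file's mtime, if that is earlier).
first_hit_key() {
  awk -v path="$1" "$AWK_KEY"'$7 == path { print key; exit }'
}

# POST requests whose timestamp lies in [START, END] (keys as above), from stdin.
posts_in_window() {
  awk -v start="$1" -v end="$2" "$AWK_KEY"'
    $6 == "\"POST" && key >= start && key <= end { print }'
}

# Key N minutes before KEY, same day, clamped at midnight. Kept in awk so the script
# needs neither GNU "date -d" nor gawk's mktime.
key_minus_minutes() {
  awk -v key="$1" -v n="$2" 'BEGIN {
    day = substr(key, 1, 8)
    t = substr(key, 9, 2) * 60 + substr(key, 11, 2) - n
    if (t < 0) t = 0
    printf "%s%02d%02d%s\n", day, int(t / 60), t % 60, substr(key, 13, 2) }'
}

# Stand-alone demo: the planted file was first fetched at 06:01:03, so print the
# POSTs from the 10 minutes before it. The one hit targets resource id=7, which is
# where you would then look for the vulnerable snippet call and add a POST logger.
end=$(printf '%s\n' "$SAMPLE_LOG" | first_hit_key /assets/images/logo.php)
printf '%s\n' "$SAMPLE_LOG" | posts_in_window "$(key_minus_minutes "$end" 10)" "$end"
```

Usage on a real host: `first_hit_key /assets/images/logo.php < access_log` gives the end of the window, widen it if the file's mtime is earlier than its first request, and feed rotated logs too (`zcat access_log.*.gz | posts_in_window ...`). Repeated POSTs to one resource from one IP just before the shell appears are the pattern to chase; the body of that request is only recoverable if a POST logger was already in place, which is the plugin the post suggests deploying across sites.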
                    Which thread is more up to date? This or this?: http://forums.modx.com/thread/93126/some-of-my-modx-1-0-14-are-hacked