Hi there,
some of my sites got hacked, too. The malicious files on the server look similar to yours. Spamming started some days ago, but the bad files have a timestamp of January 25th, 2011.
By now, I've had 3 or 4 hacked sites. Some Revo, some Evo. The Revo hack was noticed by a hoster's IDS (intrusion detection system), so we could react quickly.
What I learned from the server logs (Revo 2.2.13) was the time and target of the attack:
5.61.42.211,-,-,[06/Jun/2014:13:18:26 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",404,0,Germany,-,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
5.61.42.211,-,-,[06/Jun/2014:13:18:33 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",200,647,Germany,-,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211,-,-,[06/Jun/2014:13:18:38 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,18803,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211,-,-,[06/Jun/2014:13:18:40 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,13304,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211,-,-,[06/Jun/2014:13:18:42 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,15667,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211,-,-,[06/Jun/2014:13:18:43 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,16281,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211,-,-,[06/Jun/2014:13:18:49 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,16774,Germany,http://***/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
5.61.42.211 is the attacking server. I can be sure of that for two reasons:
1) I wasn't able to find out who it belongs to. Domain is separated from IP, IP is separated from the hoster, etc... No chance of getting that guy. There was a German domain connected to that IP and I tried to contact the owner at the given contact data, without success.
2) This IP is hosting domains which are used to offer pills. The attacker installed a plugin at my server to redirect users to this server.
I also learned that at 13:18:26 the GET request for /assets/xPDO.idx.php resulted in a 404, not there. And the attacker claimed to be a Google bot - this time. Seven seconds later, the file was present.
I called a friend and he was able to find the files, copy them and run them on his box. See attachment "webshell1".
Some weeks later, other sites were hacked and my own server sent out spam again. This time it was one Revo and one Evo site. Different webshells were uploaded this time, /assets/plugins/qm/css/list.php for instance, or /core/packages/core/modUserGroup/code.php.
Today I checked my server again and one of the sites was spamming again.
told me that there were 50,000 emails queued to be sent out.
deleted the queue. But when I checked after some time (~30 seconds), there were about 12 mails again. So I searched for the bad files again and ran into a lot of them. Including list.php.
I renamed list.php to __list.php and the mails stopped immediately. So my next step is to check the database for hidden users (with no username - I had that once!), wipe the server and install MODX from scratch.
If you have a server with many sites on it, you will have trouble finding out where to look.
You can delete the whole mail queue and open fresh mails. They may contain the user ID of the server's user. That might lead you to the correct website on your server. The email will contain the user's ID in the header. With
cat /etc/passwd | grep <ID goes here>
you can find out the username.
If you are interested in the actual attack, I can offer a part of the server log. It contains over 900 requests, 225 GET and the rest POST. I can't make it public as it might be traced back to the client's site.
I am hopeful that we can put an end to those attacks. At least we can develop stuff to trace the attacker, or at least prevent damage to site and performance.
Cheers,
Guido
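As an added example, not part of Guido's post, here is a small Python detector for the pattern his log excerpt shows: a GET for a PHP file under /assets that returns 404, the same path returning 200 a few seconds later from the same IP, then a burst of POSTs to it, with the user agent flipping from "Googlebot" to a desktop browser in between. The sample log lines below are constructed, modelled on the CSV-style format quoted above, and use documentation IPs and example.org rather than real hosts; the function and class names are my own, not anything from MODX.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the same column order as the log quoted in the post:
# ip, -, -, [timestamp], "request", status, bytes, country, referer, user agent.
# IPs are documentation addresses (RFC 5737); the host is example.org.
SAMPLE_LOG = """\
203.0.113.5,-,-,[06/Jun/2014:13:18:26 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",404,0,Germany,-,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
203.0.113.5,-,-,[06/Jun/2014:13:18:33 +0200],"GET /assets/xPDO.idx.php HTTP/1.1",200,647,Germany,-,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
203.0.113.5,-,-,[06/Jun/2014:13:18:38 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,18803,Germany,http://example.org/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
203.0.113.5,-,-,[06/Jun/2014:13:18:40 +0200],"POST /assets/xPDO.idx.php HTTP/1.1",200,13304,Germany,http://example.org/assets/xPDO.idx.php,Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
198.51.100.7,-,-,[06/Jun/2014:13:20:01 +0200],"GET /index.php HTTP/1.1",200,5120,Germany,-,Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0
198.51.100.7,-,-,[06/Jun/2014:13:20:05 +0200],"GET /missing.png HTTP/1.1",404,0,Germany,-,Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0
"""


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    user_agent: str


def parse_log(text):
    """Parse the CSV-style access log format quoted in the post."""
    requests = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 10:
            continue  # blank or truncated line
        ip, _, _, stamp, request, status, _size, _country, _referer, ua = row[:10]
        ts = datetime.strptime(stamp.strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
        parts = request.split()
        method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("-", request)
        path = path.split("?", 1)[0]  # group ?cmd=... variants with the bare path
        requests.append(Request(ip, ts, method, path, int(status), ua))
    return requests


@dataclass
class Finding:
    ip: str
    path: str
    missing_at: datetime      # first GET that returned 404
    present_at: datetime      # first 200 for the same path afterwards
    post_count: int           # POSTs with 200 after the file appeared
    user_agents: list         # distinct UAs this IP used against the path


def find_webshell_drops(requests, window=timedelta(minutes=10)):
    """Flag (ip, path) pairs where a 404 turned into a 200 within `window`
    and the path was then POSTed to: probe, drop the file, use the shell."""
    by_key = defaultdict(list)
    for r in requests:
        by_key[(r.ip, r.path)].append(r)
    findings = []
    for (ip, path), reqs in by_key.items():
        reqs.sort(key=lambda r: r.ts)
        try:
            i404 = next(i for i, r in enumerate(reqs) if r.method == "GET" and r.status == 404)
        except StopIteration:
            continue
        missing = reqs[i404]
        present = next((r for r in reqs[i404 + 1:]
                        if r.status == 200 and r.ts - missing.ts <= window), None)
        if present is None:
            continue
        posts = [r for r in reqs if r.method == "POST" and r.status == 200 and r.ts >= present.ts]
        if not posts:
            continue
        uas = []
        for r in reqs:
            if r.user_agent not in uas:
                uas.append(r.user_agent)
        findings.append(Finding(ip, path, missing.ts, present.ts, len(posts), uas))
    return findings


def claims_googlebot(finding):
    """True if one request claimed to be Googlebot while the same IP also used
    a different UA on the same path. A genuine crawler does not switch to
    Firefox mid-session; confirm with reverse/forward DNS before blocking."""
    return any("Googlebot" in ua for ua in finding.user_agents) and len(finding.user_agents) > 1


if __name__ == "__main__":
    for f in find_webshell_drops(parse_log(SAMPLE_LOG)):
        gap = (f.present_at - f.missing_at).total_seconds()
        print(f"{f.ip} {f.path}: 404 -> 200 after {gap:.0f}s, {f.post_count} POSTs,"
              f" fake Googlebot={claims_googlebot(f)}")
```

To run it against a real log, replace SAMPLE_LOG with the file contents (`parse_log(open(path).read())`). The 10-minute window is an assumption; in the post the gap was seven seconds, but an attacker who uploads through a separate hole may take longer, so tune it to your own traffic. A hit tells you which path to pull off disk and which IP to correlate across the other sites on the box; it does not by itself tell you how the file got there.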