  • But how did the /images/c404a14.php get in? The first POST line after the new install was answered with 200, so the file existed at that time. Same question for /assets/snippets/ditto/8e751ef3d.php and the other randomly named php files.

    Have you really done a clean install with no files/folders in your webroot? Have you just copied the images folder over from the old installation without looking in? Or have you left the images folder in your webroot without looking in?
      • 7159
      • 5 Posts
      I've just asked my hosts to clarify when/where the file /images/c404a14.php came from.

      I deleted everything off the server via FTP and then checked local copies of the images js and css folders before reuploading them to the new install.

      Another user suggested that deleting via FTP might not have deleted all of the files and that I should do it with SSH instead?

      • Quote from: designfresh at Oct 07, 2014, 02:30 PM

        Another user suggested that deleting via FTP might not have deleted all of the files and that I should do it with SSH instead?

        Could be possible if the php files have different rights for apache and ftp.
          • 7159
          • 5 Posts
          The hosts have just confirmed the file was present at the time of the clean install, so the wipe of the server couldn't have been completely successful. I am going to proceed on the basis that some of these hacked files had permissions preventing FTP removal and do a new install preceded by an SSH wipe.

          I'll update this thread if there are any future hacks.

          Thanks Jako
            • 36582
            • 463 Posts
            Please look out for any infected gif files possibly in cgi-bin - maybe above site root. That's what happened in the site I saw.
              Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
              • 7159
              • 5 Posts
              Thanks, will do!
              • I wrote some lines to help cleaning up hacked sites, maybe it will help you: http://forums.modx.com/thread/94643/how-to-clear-up-your-hacked-webspace
                  • 49185
                  • 11 Posts
                  Hi there,

                  I'm using ModX Evo for the websites of my clients as well, and while most are unaffected by hacking attempts so far, three were hacked in the past with one even running 1.0.14. It seems to be quite hard to find out how the hack is possible and if it's really a vulnerability of ModX or rather based on too loose file system permissions (which is my current guess). I'm always using my own stripped-down version of ModX with almost all snippets/plugins completely removed, since I don't use them. The few I leave in are unlikely to allow hacking (UltimateParent and FirstChildRedirect, TinyMCE, DocManager; that's it).

                  Anyway, today I wrote a "watchdog" snippet that monitors the assets folder for newly created php files, can send an email to the site admin when new files are found and even auto-delete the suspicious files immediately. I have installed it onto two websites for live testing now. If someone is interested in it and the live test is successful, I can make the snippet available.
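The watchdog idea above, as an added example that is not Timo's snippet or MODX code: a stand-alone Python script (meant for cron rather than a MODX snippet) that hashes every PHP-like file under assets/ and images/, diffs against a stored baseline manifest, and moves new files out of the webroot instead of deleting them, so the dropped file is inert but still available for analysis. The watched folder names, the manifest location and the quarantine layout are assumptions; the webroot in demo() is constructed.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

# Assumed layout: these webroot subfolders should never contain executable PHP
WATCH_DIRS = ("assets", "images")
PHP_SUFFIXES = (".php", ".php5", ".phtml", ".phar")

def scan(webroot):
    """Return {relative path: sha256} for every PHP-like file under WATCH_DIRS."""
    root, found = Path(webroot), {}
    for sub in WATCH_DIRS:
        for p in (root / sub).rglob("*"):  # yields nothing if the folder is absent
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
                found[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return found

def diff_manifest(baseline, current):
    """New files are the dropper signal; changed ones mean a known file was rewritten."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "changed": sorted(k for k in current if k in baseline and baseline[k] != current[k]),
    }

def check(webroot, manifest_path):
    """First run stores a baseline and returns None; later runs return the diff."""
    current, manifest = scan(webroot), Path(manifest_path)
    if not manifest.exists():
        manifest.write_text(json.dumps(current, indent=1, sort_keys=True))
        return None
    return diff_manifest(json.loads(manifest.read_text()), current)

def quarantine(webroot, rel_path, quarantine_dir):
    """Move a suspect file out of the webroot (cannot be served) but keep it for analysis."""
    dst = Path(quarantine_dir) / rel_path.replace("/", "__")
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(Path(webroot) / rel_path), str(dst))
    return dst.name

def demo():
    # Constructed layout: webroot with one legitimate Ditto snippet, then a file dropped into /images
    with tempfile.TemporaryDirectory() as tmp:
        web, manifest, qdir = Path(tmp, "htdocs"), Path(tmp, "watchdog.json"), Path(tmp, "quarantine")
        (web / "assets/snippets/ditto").mkdir(parents=True)
        (web / "assets/snippets/ditto/snippet.ditto.php").write_text("<?php // legitimate\n")
        check(web, manifest)  # first run writes the baseline
        (web / "images").mkdir()
        (web / "images/c404a14.php").write_text("<?php // constructed: unexpected file\n")
        report = check(web, manifest)
        return report, [quarantine(web, rel, qdir) for rel in report["new"]]
```

Keep the manifest and the quarantine folder outside the webroot and unwritable by the web server user, otherwise whatever dropped the file can also rewrite the baseline.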
                  • Hi Timo,

                    I also started writing such a script to find all the nasty stuff which is known to infect MODX sites. Maybe we can work together, put our findings into one script and have someone else make a MODX extra of it.

                    Best regards,

                    Guido
                      • 28173
                      • 409 Posts
                      I'm interested in the detection script ^^