-
@Guido:
Let's see. My script is already done but was only tested in a sandbox. I'm going to review the code tomorrow again and if I don't find any issues, I'll make the code public.
Btw, I didn't make my script based on the "known code" to infect ModX. Instead, it is based on the assumption that nothing should just create php files inside the assets folder (cache excluded). It can be configured to inform the admin by mail if something or someone does, including a list of the files, and/or to immediately delete the files so the assets folder would always stay clean.
I had malicious code also in the core tree, so assets may not be enough. I guess it was roughly in all the folders which were writable, like cache, exports, packages, etc. Your attempt is very good, maybe we can integrate some checks from my list (search for suspicious files).
I can also provide a whole 1.0.14 ftp site as a zip with all infected files still present.
-
I am having multiple Evo 1.0.14 sites hacked with some regularity. So I thought I would look at what the Modx community is reporting. This seems like the most appropriate thread.
None of my non-Modx sites are having this issue. Some hacks occur in the root directory, some in assets/ (any folder or subfolder) and some in manager/ (any folder or subfolder). The IP addresses resolve to Russia, Eastern European countries and Morocco, for example.
Some 1.0.8 sites experiencing the hacks were upgraded to 1.0.14, but that did not stop the attacks. Just yesterday I received a notice from Apple that phishing files were put on one of my Evo 1.0.14 sites. They tell you exactly where to look. This is happening regularly now. I have had two sites shut down by my host. They had to be cleaned manually. I would be very interested in a script or snippet that warns of file changes. This is a nasty world.
I really recommend the tool "maldet" if you have shell access and can install Linux stuff.
Nelson, do you need help cleaning up?
-
Find my script attached. It's self-contained and can be used as a snippet in MODX or as a file called by a cronjob. It's pretty much self-explanatory, I think. If not, just ask.
One important thing: When using the script on new or updated MODX installations, make sure that $auto_del is set to false for the number of days given by $days_ago. Otherwise it will delete your snippets/plugins. I take no responsibility for any damage caused by the script.
[ed. note: timo_w. last edited this post 9 years, 5 months ago.]
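As an added example (not timo_w.'s attached script, which is not reproduced in the thread), here is a cron-friendly Python version of the check described above: it flags PHP files under assets/ (cache excluded) and manager/ that were modified within the last $days_ago days and removes them only when $auto_del is set, so a fresh install is never swept clean by accident. The function names, the watched/excluded directory lists and the 7-day default are assumptions.

```python
import os
import time
from pathlib import Path

# Assumed defaults mirroring the thread: nothing legitimate should be dropping
# new PHP files into assets/ (other than the cache) or manager/.
PHP_SUFFIXES = {".php", ".phtml", ".phar"}
WATCHED_DIRS = ("assets", "manager")
EXCLUDED_DIRS = ("assets/cache",)


def find_unexpected_php(root, days_ago=7, now=None):
    """Sorted root-relative paths of PHP files in the watched dirs modified
    within the last `days_ago` days (None = any age). Excluded dirs are skipped."""
    root = Path(root).resolve()
    now = time.time() if now is None else now
    cutoff = None if days_ago is None else now - days_ago * 86400
    excluded = [root / e for e in EXCLUDED_DIRS]
    hits = []
    for sub in WATCHED_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
                continue
            if any(ex == path or ex in path.parents for ex in excluded):
                continue  # e.g. assets/cache, where MODX writes PHP itself
            if cutoff is not None and path.stat().st_mtime < cutoff:
                continue  # older than the lookback window: assumed known-good
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def sweep(root, days_ago=7, auto_del=False):
    """Report unexpected PHP files; delete them only when auto_del is True.
    Returns (reported, deleted) so the caller can mail the list to the admin."""
    reported = find_unexpected_php(root, days_ago)
    deleted = []
    if auto_del:
        for rel in reported:
            os.remove(Path(root) / rel)
            deleted.append(rel)
    return reported, deleted


def build_report(root, reported, deleted):
    """Plain-text body for the notification mail the thread describes."""
    if not reported:
        return f"No unexpected PHP files under {root}."
    lines = [f"Unexpected PHP files under {root}:"]
    lines += [f"  {p}" + ("  (deleted)" if p in deleted else "") for p in reported]
    return "\n".join(lines)
```

Run it from cron with auto_del left at False first and read the report for a few days before turning deletion on.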