    • 2762
    • 1,198 Posts
    Do you update the site to 1.0.15?
      Free MODx Graphic resources and Templates www.tattoocms.it
      -----------------------------------------------------

      MODx IT  www.modx.it
      -----------------------------------------------------

      bubuna.com - Web & Multimedia Design
      • 48536
      • 5 Posts
      We used to have the problems as well. Our solution (and still without any problems):

      Update to version 1.0.15
      delete all files from the manager dir (excluding the config file and ones added by us)
      delete all files from the assets dirs (excluding files added by us (snippets/plugins) and files added by the webmaster (img/files); delete all php files in those directories!)

      after that they weren't infected anymore!
      • Yesterday I cleaned an installation with a method similar to Rogier's. Three hours later it was sending spam again.

        After looking through the access log I found the attack vector. It was not located inside of MODX. In this case it was an awstats installation containing some additional php files.

        So if you clean an installation, be sure that other publicly accessible folders beneath your MODX installation are cleaned too.
          • 9995
          • 1,613 Posts
          I have had infected files in lower as root folders in the past.
          If I remember correctly it was awstats as well. Check every folder and keep your MODX up to date.
            Evolution user, I like the back-end speed and simplicity
            • 37909
            • 153 Posts
            So, I guess the solution is in the permissions of folders and files. But which chmod can I choose without bothering MODX?
            • @neoziox: Depends a bit on your installation. If the ftp and apache user are not the same, all ftp folders with 755 are not writable for apache (i.e. for php). Same for files: files with 644 are not writable for apache.

              If the ftp and apache user are the same you could set them read-only via ftp, but the rights could be changed by e.g. a php script.
                • 37909
                • 153 Posts
                How can I be sure about the installation of my server (phpnet.org)?
                What do you do to stop these hacks?
                Does updating to 1.0.15 really change the situation? (all my website is on 1.0.14)
                  • 49185
                  • 11 Posts
                  Quote from: neoziox at Dec 04, 2014, 10:26 AM
                  Does updating to 1.0.15 really change the situation? (all my website is on 1.0.14)
                  Yes, because a serious security flaw was fixed in the 1.0.15 core, and 1.0.15 is hence a mandatory upgrade. Since the security flaw is now widely known, everything below 1.0.15 is unsafe to use.

                  http://forums.modx.com/thread/94952/multiple-vulnerabilities-xss-remote-command-injection#dis-post-514187
                  • Quote from: timo_w. at Dec 04, 2014, 10:34 AM
                    Quote from: neoziox at Dec 04, 2014, 10:26 AM
                    Does updating to 1.0.15 really change the situation? (all my website is on 1.0.14)
                    Yes, because a serious security flaw was fixed in the 1.0.15 core, and 1.0.15 is hence a mandatory upgrade. Since the security flaw is now widely known, everything below 1.0.15 is unsafe to use.

                    http://forums.modx.com/thread/94952/multiple-vulnerabilities-xss-remote-command-injection#dis-post-514187

                    You are right and wrong. All the security issues fixed with 1.0.15 need manager credentials (apart from the Jot XSS issue). So if you are the only manager in the installation you should be safe. The Jot XSS issue should be fixed if Jot is used.

                    But the command injection issue is a nasty one. With that issue someone could insert a system setting that executes a hidden php command that is executed every time the site is called. This system setting could have been set in an earlier hack of the site and it is not removed during an update. So if you have a site that seems to be hacked just after an update you should use 1.0.15 or remove the bad system setting (php code in the setting key).
                      • 49185
                      • 11 Posts
                      As for Jot, I don't think it matters whether it's used or not. If you have the (old) Jot files uploaded, you're probably screwed. See Ajax Search previously. Having the php file on the server was enough to allow hacking the site.

                      Anyway, the problem with security flaws is that even small ones, which individually don't allow hacking, may form a possible attack vector in combination. So everyone not updating to 1.0.15 or at least doing the hot-fix by replacing the two files should consider their MODX installation as easily hackable.
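
A read-only audit for the cleanup points raised in this thread (PHP files in upload folders, PHP files in non-MODX folders such as an old awstats copy, and permissions looser than 755/644). It is an added example, not code from any poster or from MODX. The folder names `assets/images`, `assets/files`, `assets` and `manager` are assumptions about the site layout.

```shell
#!/bin/sh
# Added example: read-only audit helpers; nothing is deleted or changed.
# Directory names passed in are assumptions about the site layout.

# PHP-like files inside folders that should only hold uploads or media.
# usage: find_php_in_uploads /var/www/site assets/images assets/files
find_php_in_uploads() (
    root="$1"; shift
    for d in "$@"; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
    done | sort
)

# PHP files in top-level folders that are not part of the CMS
# (the awstats case from the thread). Hidden folders are not matched by the glob.
# usage: find_php_outside_cms /var/www/site assets manager
find_php_outside_cms() (
    root="$1"; shift
    known=" $* "
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$known" in *" $name "*) continue ;; esac
        find "$root/$name" -type f -iname '*.php' -print
    done | sort
)

# Files and directories writable by group or others, i.e. looser than 755/644.
find_loose_perms() (
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
)

# Run all three checks against one web root and print a sectioned report.
audit_webroot() (
    echo "== PHP in upload folders =="; find_php_in_uploads "$1" assets/images assets/files
    echo "== PHP outside the CMS ==";   find_php_outside_cms "$1" assets manager
    echo "== Looser than 755/644 ==";   find_loose_perms "$1"
)
```

Call `audit_webroot` with the web root path and review each hit by hand. As noted above, when the ftp and apache user are the same account, an empty permissions section does not mean PHP cannot write to those files.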