We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

A URL Injection hides itself

    • 3749
    • 24,544 Posts
    BobRay Reply #11, 8 years, 11 months ago
    You said you made a clean install, but did you delete all existing files first?

    Did you also delete all the files in the cache folder before doing the install?

    Does it happen if you visit the site in private or incognito mode in your browser?
      Did I help you? Buy me a beer
      Get my Book: MODX:The Official Guide
      MODX info for everyone: http://bobsguides.com/modx.html
      My MODX Extras
      Bob's Guides is now hosted at A2 MODX Hosting
      • 9995
      • 1,613 Posts
      fourroses666 Reply #12, 8 years, 11 months ago
      Maybe some files below the root?
      If I remember good I had some .php files in AWstats years ago.
        Evolution user, I like the back-end speed and simplicity smiley
        • 45896
        • 9 Posts
        raskolt Reply #13, 8 years, 11 months ago
        Thanks for your replies.

        I had checked "email me new replies" but the website has just sent me the replies. I am sorry for that.

        What I did until now is:

        1. I had made a completely new install on my localhost. I just installed the old database sql. The website looks without no css but the page was still there.

        2. I am not an sql expert. I looked for the injection code, eval 64 or all the other stuff. Even I looked at the modx content tables. No luck for that.

        2. Google webmaster tools warned me about the injection.

        4. Also Acunetix found it.

        They all told me about the page but I still cant find the injection code.

        That is why I thought that sql injection. Also Acunetix reported as sql injection.
          • 50383
          • 2 Posts
          voyager22 Reply #14, 8 years, 11 months ago
          This sounds like what happened to one of my clients' websites, except that it happened to an installation of MODx Evo. Not sure how helpful this will be, but here's what I did to fix it.

          1. Zipped my MODx installation on my server, then downloaded it locally
          2. My antivirus (!) detected a folder called "buyvalium" in one of my older directories and flagged it.
          3. I removed that directory via FTP
          4. Then I looked inside assets/cache and saw a bunch of fishy files - assets/cache/1.data.php, 2.data.php, 3.data.php, 4.data.php, and 5.data.php. I deleted all of these.
          5. I also found a mysterious Core Services plugin that I never installed, so I disabled and deleted that. After I deleted that, the pharma pages disappeared from my site (though they still exist to Google).
          6. Also removed QuickManagerManager and ForgotManager plugins
          7. Then I upgraded my MODx installation and changed my FTP and MODx passwords

          Hope this helps... it's been a nightmare to clean. sad Also, make sure you remember to ask Google to Re-Review your site so that it removes the pharma pages from your site index.
            • 50383
            • 2 Posts
            voyager22 Reply #15, 8 years, 11 months ago
            http://forums.modx.com/thread/89564/warning-hacking-attack-on-revo-2-2-4-using-core-services-plugin?page=4 might be helpful too?