<![CDATA[ Question for people whose sites were hacked - My Forums]]> https://forums.modx.com/thread/?thread=104131 <![CDATA[Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560008
]]>
BobRay Jul 26, 2018, 05:07 AM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560008
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560561
However, just to assist Bob a bit, even from me doing this, nothing in the /core/ has been affected due to MODX hardening, so I highly recommend people complete the hardening.

For anyone still struggling with the hack I highly recommend they fully check their backups in case they have also missed files.]]>
joshratcliffe Aug 09, 2018, 09:34 AM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560561
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560558 Quote from: BobRay at Jul 29, 2018, 09:27 PM
My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)

Hi Bob,

In an attempt to fix one of the MODX sites I handle, I rolled the site back to pre-hack, then took only the /assets/ and DB. Moved to a new server, installed a fresh version of MODX, upgraded it to 2.6.5-pl. Hardened it following the MODX documentation, then inserted the assets and uploaded the DB to the server. No Gallery extra installed at any point in the site's lifetime.

Currently trying to figure out how they hacked the site again; possibly there was a backdoor already in the assets folder which I missed. I'm still trying to figure it all out, but there could be something else, but I will update when I find the cause.

Thanks

]]>
joshratcliffe Aug 09, 2018, 08:48 AM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560558
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560233
thetexan Jul 30, 2018, 05:53 PM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560233
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560230
chrisandy Jul 30, 2018, 03:56 PM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560230
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560229 Quote from: BobRay at Jul 29, 2018, 09:27 PM
@chrisandy -- Thanks. Did you have an .htaccess file on site 2 that prevented outside access to the core?

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack. (Ironic, because I always thought there was no reason to rename the connectors directory if the core had been moved and renamed.)

@BobRay, I've had sites hacked on 2.6.4 AND 2.6.5, presumably by the same bot. Admittedly, I didn't have the core moved/renamed, but I did have an htaccess file in the core.

EDIT: I did have gallery installed, btw.]]>
thetexan Jul 30, 2018, 03:49 PM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560229
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560224 Quote from: sparkyhd at Jul 30, 2018, 02:19 PM
Should sites implemented on MODX Cloud be hardened by default or at least give the option of hard or soft?

Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?

Maybe we can send MODX Cloud a letter about it?]]>
stefany Jul 30, 2018, 02:36 PM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560224
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560222
Surely it would be relatively simple for the install routine to protect and rename the vulnerable folders?]]>
sparkyhd Jul 30, 2018, 02:19 PM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560222
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560196 Quote from: BobRay at Jul 29, 2018, 09:27 PM

My working hypothesis is that no one with a properly hardened site and no Gallery or Roxy was hacked. Even with Gallery and/or Roxy, renaming the connectors directory would have prevented the hack....

My point exactly!

Especially if the Gallery's compromised file needed the MODX connectors' folder.

@wingnutty ... better than watching the forum like a hawk!
LOL]]>
donshakespeare Jul 30, 2018, 02:37 AM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560196
<![CDATA[Re: Question for people whose sites were hacked]]> https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560195 Quote from: jcdm at Jul 29, 2018, 04:39 AM
Is there no way to receive email updates of security issues currently?

Emails were sent to the list you can sign up for here: https://modx.com/insider-subscribe/

Joining that would be the best bet for the short term.
Awesome, thanks! This is better than watching the forum like a hawk!]]>
wingnutty Jul 30, 2018, 02:10 AM https://forums.modx.com/thread/104131/question-for-people-whose-sites-were-hacked?page=3#dis-post-560195