https://forums.modx.com/thread/?thread=104219
https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560519
After rolling back a hacked website, upgrading to 2.6.5-pl, and following the ModX hardening documentation, the site I'm working on has been compromised.
After checking through the access log for the server I've found a few SQL injections via the "/?search" parameter which led to a large payload attack a few minutes later.
The only extension I have on the site related to the search is the AdvSearch module, I've not heard of any vulnerabilities with this module and it has been updated to the latest version.
I'm going to roll the site back as the site was hacked 07/08 after a few days of brute force attacks.
So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of ModX?
Thanks
joshratcliffe, Aug 08, 2018, 02:12 PM
https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560560
So I'm now searching through and removing files that had gotten onto my new server via the /assets/ folder.
For anyone who is also suffering from the hack, try looking for .php files in your assets folder and .ico files in index.php files all over the site.
I will mention that even when compromised with hardening only publicly accessible sections of the site have been compromised, so I would highly recommend hardening your Modx sites after upgrading to 2.6.5-pl.
joshratcliffe, Aug 09, 2018, 09:30 AM
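The check described in the post above, as an added example that is not part of the original thread: a POSIX shell script that lists .php files under assets/, index.php files that mention .ico, and (going one step beyond the post) .ico files that contain a PHP open tag. The function names and an assets/ directory directly under the webroot are assumptions.

```shell
#!/bin/sh
# Added example: triage scan for the indicators named in the post above.
# Assumes the site root contains an assets/ directory; pass the webroot as $1.

# 1. PHP files under <webroot>/assets. Some extras ship legitimate PHP
#    there, so compare this list against a known-good backup.
php_in_assets() {
    [ -d "$1/assets" ] || return 0
    find "$1/assets" -type f -iname '*.php' | sort
}

# 2. index.php files anywhere under the webroot that mention ".ico".
#    Literal match only; an obfuscated reference will not be caught here.
index_with_ico() {
    find "$1" -type f -name 'index.php' -exec grep -lF '.ico' {} + | sort
}

# 3. .ico files that contain a PHP open tag (goes beyond the post:
#    a genuine icon has no reason to contain one).
ico_with_php() {
    find "$1" -type f -iname '*.ico' -exec grep -lF '<?php' {} + | sort
}

# Run all three checks when a webroot is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "== PHP files under assets/ ==";      php_in_assets "$1"
    echo "== index.php mentioning .ico ==";    index_with_ico "$1"
    echo "== .ico files containing PHP ==";    ico_with_php "$1"
fi
```

Every hit is a file to review rather than a confirmed implant; file modification times around the compromise date help narrow the list.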
https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560528
stefany, Aug 08, 2018, 03:43 PM
https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560526
Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].
Hi Mark, thanks for the reply.
I will get in touch with both and see what I find out and post back here. It might be a vulnerability on my server but whatever the cause/fix I'll update here.
Thanks
joshratcliffe, Aug 08, 2018, 03:25 PM
https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560521
Quote from: joshratcliffe at Aug 08, 2018, 02:12 PM
So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of ModX?
Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].
markh, Aug 08, 2018, 03:00 PM