2.6.5-pl Site compromised via AdvSearch SQL injection - My Forums https://forums.modx.com/thread/?thread=104219
2.6.5-pl Site compromised via AdvSearch SQL injection https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560519
After rolling back a hacked website, upgrading to 2.6.5-pl, and following the MODX hardening documentation, the site I'm working on has been compromised.

After checking through the access log for the server, I've found a few SQL injections via the "/?search" parameter which led to a large payload attack a few minutes later.

The only extension I have on the site related to the search is the AdvSearch module. I've not heard of any vulnerabilities with this module and it has been updated to the latest version.

I'm going to roll the site back as the site was hacked 07/08 after a few days of brute force attacks.

So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of MODX?

Thanks
joshratcliffe Aug 08, 2018, 02:12 PM https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560519
Re: 2.6.5-pl Site compromised via AdvSearch SQL injection (Best Answer) https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560560
So I'm now searching through and removing files that had gotten onto my new server via the /assets/ folder.

For anyone who is also suffering from the hack, try looking for .php files in your assets folder and .ico files in index.php files all over the site.

I will mention that even when compromised with hardening, only publicly accessible sections of the site have been compromised, so I would highly recommend hardening your MODX sites after upgrading to 2.6.5-pl.
joshratcliffe Aug 09, 2018, 09:30 AM https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560560
Re: 2.6.5-pl Site compromised via AdvSearch SQL injection https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560528
stefany Aug 08, 2018, 03:43 PM https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560528
Re: 2.6.5-pl Site compromised via AdvSearch SQL injection https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560526
Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].

Hi Mark, thanks for the reply.

I will get in touch with both and see what I find out and post back here. It might be a vulnerability on my server but whatever the cause/fix I'll update here.

Thanks
joshratcliffe Aug 08, 2018, 03:25 PM https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560526
Re: 2.6.5-pl Site compromised via AdvSearch SQL injection https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560521
Quote from: joshratcliffe at Aug 08, 2018, 02:12 PM
So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in a newer version of MODX?

Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].
markh Aug 08, 2018, 03:00 PM https://forums.modx.com/thread/104219/2-6-5-pl-site-compromised-via-advsearch-sql-injection#dis-post-560521