@Sean Kimball:

I run a daily incremental backup with a 90 day history - so there was that, but it doesn't have any sort of file diffing tools that I could use to isolate the new and modified files.

It's still labor intensive, but you might find this interesting as a large-scale diffing tool: https://bobsguides.com/blog.html/2018/09/20/comparing-things-in-phpstorm-iii/. It compares whole directories showing files that are in one and not the other. When two files exist, but are not the same, you can click to see the differences.

@evalykke: That error message is "normal" in MODX 2.7.0 and probably doesn't have anything to do with your problems.

Do you have a backup of the site from before the hack?

@Sean Kimball:

I run a daily incremental backup with a 90 day history - so there was that, but it doesn't have any sort of file diffing tools that I could use to isolate the new and modified files.

It's still labor intensive, but you might find this interesting as a large-scale diffing tool: https://bobsguides.com/blog.html/2018/09/20/comparing-things-in-phpstorm-iii/. It compares whole directories showing files that are in one and not the other. When two files exist, but are not the same, you can click to see the differences.

@evalykke: That error message is "normal" in MODX 2.7.0 and probably doesn't have anything to do with your problems.

Do you have a backup of the site from before the hack?

Quote from: stefany at Aug 30, 2018, 06:46 PM

Did you revert the back-ups?

Some of them were pretty static & I was able to delete everything and restore, because this script/exploit writes extra files 'restoring over' an existing site will not do the trick - you have to delete everything and restore fresh. these remaining sites change enough that a wipe & restore are not an option.

I a daily incremental backup with a 90 day history - so there was that, but it doesn't have any sort of file diffing tools that I could use to isolate the new and modified files.

What I can say so far is that it looks like 2 different exploits - only one of the sites had any snippets or chunks added &/or modified (which was fairly easy to find - just look in the database table & look for the last id

I think I am going to have to download a clean copy of modx, the extras & create checksums from there then test the live files If I can eliminate distribution files then at least there is a step.

One thing I am also seeing is an index file being written to pretty much every directory in the site(s) with an include as well. replacing that with an index.php set to 0000 permissions (or root:root ownership) seems to be working (so far) but it certainly hasn't removed the exploit.

What is that include encoded with?? how can I decode it?

Did you revert the back-ups?

Quote from: amitpatil at Aug 30, 2018, 08:47 AM

On decoding above path, it gives "/var/www/vhosts/[replaced]/httpdocs/assets/fonts/.d34d02e3.ico" Remove this file but dont think that malware is cleaned its just a honeypot to make us believe that its cleaned. Best idea is to follow this tutorial https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution, it basically suggests to rename core folders like core, connectors, manager. password protecting them.

We moved our core folder outside of puclic_html directory.

most of the sites were hardened anyway - following that after the fact will not fix the problem nor would it have prevented it in the first place. (it was a vulnerability in gallery/phpthumb)

seems like whatever file(s) got compromised they are still there after an update and updating/reinstalling any plugins

so what is that line encoded with?