<![CDATA[ Site hacked - My Forums]]> https://forums.modx.com/thread/?thread=104401 <![CDATA[Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561545
I had a site go down. It’s not a highly used site so not sure whether it happened before I upgraded to the latest version or not.

There was some strange WordPress redirect code in the htaccess file, and I found a strangely named php document in public_html.

I removed the code from htaccess and deleted the php file, but not sure if I need to check anything else.

Has anyone any idea as to a process for checking?

Presumably this happened when on the previous vulnerable version before I upgraded but I’m not sure.]]>
tm2000 Sep 14, 2018, 06:32 PM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561545
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563829
You can probably delete the ftpquota file. It's related to having more than one FTP account user, so it might come back. I would download it and take a look in a file editor (e.g. Notepad) to see if it looks suspicious. Important: don't look at it in a browser.

Be sure to check in cPanel to make sure there are no FTP or database users you didn't create. Also check the modx_users table in the DB to look for suspicious users.
]]>
BobRay Jan 29, 2019, 08:16 PM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563829
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563819 Quote from: nicboyde at Sep 15, 2018, 07:34 PM
Quote from: tm2000 at Sep 14, 2018, 06:32 PM

I had a site go down.

Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the

Thank you so much for this helpful information. I found out that my sites had been hacked. Fortunately they had not gone down. There is still one directory in the root called ".ftpquota" containing only a number. Does anyone know what that is, and would it be safe to delete that folder? And also: Is it absolutely safe to delete all content in the core/cache directory?
]]>
evalykke Jan 29, 2019, 11:28 AM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563819
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563815 Quote from: nicboyde at Sep 15, 2018, 07:34 PM
Quote from: tm2000 at Sep 14, 2018, 06:32 PM

I had a site go down.

Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the
]]>
evalykke Jan 29, 2019, 10:42 AM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-563815
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561674 Quote from: nicboyde at Sep 15, 2018, 07:34 PM
Quote from: tm2000 at Sep 14, 2018, 06:32 PM

I had a site go down.

Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.

In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:

Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.

Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the

Hi there.
I followed the process you suggested, and reviewed every individual php and ico file and removed the code which the hackers are injecting.
Reset up the site from a fresh install - then connected back to the original db.

I thought that had sorted it - but this morning the php files all have the injected code again, and I have index.php files in directories which shouldn't be there.

Interestingly - I also have the site installed on a subdomain (which is where I prepared it for the fresh install) and THAT site is fine still.
So, I'm a little confused as to how they are accessing the files - it doesn't seem as though they have access to the DB - because if they did - the dev site would also be infected, but similarly - if there were some infected files on the dev site before I moved it back - those too would be infected.

Very confused!!


]]>
tm2000 Sep 20, 2018, 08:04 AM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561674
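Added example (not part of the original thread and not MODX code): a Python script for the two checks described in the quoted steps above, namely .ico files that are really PHP and directories whose date is out of step with the installation date. The function names, the one-day tolerance and the sample tree (directory and file names included) are constructed for illustration; the icon-header test is an extra check beyond what the post describes.

```python
import os
import tempfile
import time

ICO_MAGIC = b"\x00\x00\x01\x00"      # first four bytes of a genuine .ico file
PHP_TAGS = (b"<?php", b"<?=")

def disguised_ico_files(root):
    """Return .ico files that lack the icon header or contain a PHP open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".ico"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if not head.startswith(ICO_MAGIC) or any(t in head for t in PHP_TAGS):
                hits.append(path)
    return sorted(hits)

def out_of_step_dirs(root, install_time, tolerance=86400):
    """Return directories modified more than `tolerance` seconds after install."""
    return sorted(d for d, _s, _f in os.walk(root)
                  if os.stat(d).st_mtime > install_time + tolerance)

def build_demo_tree():
    """Constructed sample tree: one clean directory, one holding a planted file."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    install_time = time.time() - 90 * 86400       # pretend install was 90 days ago
    clean, dodgy = os.path.join(root, "assets"), os.path.join(root, "manager")
    os.mkdir(clean)
    os.mkdir(dodgy)
    icon = os.path.join(clean, "favicon.ico")
    with open(icon, "wb") as fh:
        fh.write(ICO_MAGIC + b"\x01\x00" + b"\x00" * 16)
    planted = os.path.join(dodgy, "favicon_1a2b3c.ico")   # constructed name
    with open(planted, "wb") as fh:
        fh.write(b"<?php /* constructed placeholder, no payload */ ?>")
    # File dates match the install date; only the directory that received
    # the planted file keeps a recent modification time.
    for p in (icon, planted, clean, root):
        os.utime(p, (install_time, install_time))
    return root, install_time, dodgy, planted

if __name__ == "__main__":
    root, t0, _dodgy, _planted = build_demo_tree()
    print("disguised .ico:", disguised_ico_files(root))
    print("out-of-step dirs:", out_of_step_dirs(root, t0))
```

On a live site, directories that are rewritten in normal operation (core/cache, for example) will also show recent dates, so treat the directory list as places to inspect, not as a verdict.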
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561643 ]]> BobRay Sep 19, 2018, 05:03 PM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561643 <![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561627 Quote from: andytough at Sep 18, 2018, 04:33 PM
Could the hosting company have applied any sort of restrictions to the site (like disabling cURL) to limit potential damage to other clients accounts?

It might also be worth re-running Setup?

Thanks Andy,
I already ran the setup just in case.
Does disabling cURL stop anything from working in MODX?
Do you think there's a real risk that the hackers could get into other accounts on my VPS via this site?]]>
tm2000 Sep 19, 2018, 07:44 AM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561627
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561626 Quote from: BobRay at Sep 18, 2018, 06:29 PM
Take a quick look at the modx_users table in PhpMyAdmin to make sure there are no bogus users there.

Thanks Bob - no unusual users in that modx_user table thankfully.]]>
tm2000 Sep 19, 2018, 07:43 AM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561626
<![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561619 BobRay Sep 18, 2018, 06:29 PM https://forums.modx.com/thread/104401/site-hacked?page=2#dis-post-561619 <![CDATA[Re: Site hacked]]> https://forums.modx.com/thread/104401/site-hacked#dis-post-561611
It might also be worth re-running Setup?]]>
andytough Sep 18, 2018, 04:33 PM https://forums.modx.com/thread/104401/site-hacked#dis-post-561611