<![CDATA[ infected by iframe hack :( - MODX Community Forums]]> https://forums.modx.com/thread/?thread=2700 <![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16985 http://modxcms.com/forums/index.php/topic,53677.0.html

The idea was to have a plugin examine checksums and if there was a problem restore known-good copies of files from above the site root.

Matt]]>
mconsidine Nov 06, 2010, 09:03 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16985
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16984 Quote from: rthrash at Nov 01, 2010, 11:26 AM

What add-ons are you running? Do you use phpThumb?

None of the sites used the phpThumb extension. They were all out-of-the-box (Evolution) installations, each with a bunch of custom snippets that I wrote for menial tasks like displaying date/time, formatting strings, etc.

This was a post I made on the most recent attack, based on a site hosted on a Verio shared host:
http://modxcms.com/forums/index.php/topic,54874.msg316479.html#msg316479

I didn’t log any record of the attack on the site hosted on the VPS. That site was migrated to Revo within a couple days. But the VPS server specs are
PHP 5.2.13
FreeBSD 6.4
Apache 2.2
Mysql 5.1.44
]]>
cyclissmo Nov 01, 2010, 11:07 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16984
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16983 System:
MODx 1.0.4 rev 6981
Apache 2.2.16
MySQL 5.1.50
PHP 5.2.14

Plugins:
WordsReplace 0.1.1
Search Highlight 1.5 (installed but not being used in site)
Forgot Manager Login 1.1.2
Inherit Parent Template 1.1
ManagerManager 0.3.8
TinyMCE Rich Text Editor 3.3.5.
TransAlias 1.0.1
Easy 2 Gallery (I believe uses phpThumb)
EditArea 0.5.2]]>
islander Nov 01, 2010, 08:20 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16983
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16982 Quote from: cyclissmo at Nov 01, 2010, 02:12 AM

One of my hacked sites is hosted on a Verio virtual private server that we manage.

What add-ons are you running? Do you use phpThumb?]]>
rethrash Nov 01, 2010, 06:26 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16982
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16981
1. Do all of you use Apache?
2. What PHP version do you use?
3. Do all of you use Linux? (If yes, what distribution?)

Maybe an admin can gather this info. It might prove valuable for finding the actual problem.]]>
esrever Nov 01, 2010, 06:14 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16981
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16980

Evo 1.04 (upgraded)
AjaxSearch 1.9
PHP 5.2.8
MySQL 5.0.67
Linux dd15408 2.6.25.20-25.1-pae

For now I removed the base64_encode code and deleted a suspicious PHP file in one of the folders posted before in this thread. I also removed AjaxSearch - the snippet and all files. But now I’m uncertain about Evo, I did not really trust it further. I think I will be moving to the latest Revolution, sad, but it’s a lot of work to do. Bad thing]]>
KRambo Nov 01, 2010, 06:00 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16980
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16979 http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=de&tl=en&u=http%3A%2F%2Fmodxcms.com%2Fforums%2Findex.php%2Ftopic%2C56604.msg324615%2Ftopicseen.html%23msg324615]]>
anonymized-26931 Nov 01, 2010, 04:40 AM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16979
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16978 Quote from: puffin at Oct 31, 2010, 09:38 PM

Has anyone on a dedicated experienced this hack?

One of my hacked sites is hosted on a Verio virtual private server that we manage.]]>
cyclissmo Oct 31, 2010, 09:12 PM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16978
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16977
rethrash Oct 31, 2010, 04:51 PM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=11#dis-post-16977
<![CDATA[Re: infected by iframe hack :(]]> https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=10#dis-post-16976 In my experience, most attacks of this type are done through systems with some kind of front-end file upload system or via FTP or other server infrastructure attacks, especially on shared server accounts.
Has anyone on a dedicated experienced this hack?]]>
puffin2 Oct 31, 2010, 04:38 PM https://forums.modx.com/thread/2700/infected-by-iframe-hack?page=10#dis-post-16976