0.9.2.1 site hacked? - My Forums https://forums.modx.com/thread/?thread=36411
Re: 0.9.2.1 site hacked? https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205344

Quote from: NameCat.com at Dec 13, 2008, 06:10 AM

Quote from: dev_cw at Dec 12, 2008, 01:01 PM

Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

You wouldn’t need to be using it to be vulnerable, as long as the file is there somewhere. I think it’s reflect.inc.php. Deleting it from your installed snippets list wouldn’t delete the file.

As Zap suggested, you’re only vulnerable if register_globals is on (and, if it’s on, that could open some other doors to miscreants).
BobRay Dec 13, 2008, 02:17 AM https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205344
Re: 0.9.2.1 site hacked? https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205343
register_globals On On

Next I would look at your cache files to see if this code was added there. If so, then someone was probably able to hack your account using a cross-site scripting (XSS) attack, for which there have been several patches since 0.9.2.1. None of these attacks would’ve worked if register_globals had been off, however (whether you’d updated or not).

Given that you’re going to have to do some radical cleaning to be sure that you got rid of any back doors that the hackers may have left, I think that this is probably a very good opportunity to upgrade MODx. I would change all of your passwords, rename the assets and manager folders to xassets and xmanager, upload the new version, and perform an upgrade installation. Then I’d try to restore all your image and other files from a clean local backup and delete the old directories and their contents (and only restore selected files if absolutely necessary from the old installation, since everything in there is suspect now).

No need to wait for the next version of MODx; the current stable release is solid and light years ahead of what you have now.
ZAP Dec 13, 2008, 01:35 AM https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205343
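
An added example, not part of any post in this thread and not MODx code: a read-only check to run over a downloaded copy of the site before cleaning up. It covers BobRay's point (the file can still be on disk after the snippet is removed from the manager), ZAP's suggestion to look through cache files for injected markup, and the register_globals row in a saved phpinfo() page. The iframe pattern, the file extensions and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

LEFTOVER = "reflect.inc.php"   # file name as recalled in the thread
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)   # assumed marker
TEXT_EXTS = (".php", ".html", ".htm", ".js")         # assumed file types

def scan_copy(root):
    """Walk a local copy of the site; return (leftover_files, iframe_hits)."""
    leftovers, hits = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == LEFTOVER:
                leftovers.append(rel)   # on disk, so still requestable
            if not name.lower().endswith(TEXT_EXTS):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            for m in IFRAME_RE.finditer(data):
                hits.append((rel, data.count(b"\n", 0, m.start()) + 1))
    return sorted(leftovers), sorted(hits)

def register_globals_on(phpinfo_html):
    """Local value of register_globals in saved phpinfo() HTML, else None."""
    text = re.sub(r"<[^>]+>", " ", phpinfo_html)
    m = re.search(r"register_globals\s+(On|Off)\s+(On|Off)", text, re.I)
    return None if m is None else m.group(1).lower() == "on"

def build_sample(root):
    """Constructed sample tree; every path and file body here is made up."""
    files = {
        "assets/snippets/reflect/reflect.inc.php": "<?php /* placeholder */",
        "assets/cache/page1.cache.php":
            '<p>Home</p>\n<IFRAME src="http://example.invalid/" width=0></iframe>\n',
        "index.php": "<?php echo 'ok';\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_copy(tmp))
```

Each hit is a (path, line number) lead to review by hand, since a site's own pages may legitimately embed iframes.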
Re: 0.9.2.1 site hacked? https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205342

Quote from: dev_cw at Dec 12, 2008, 01:01 PM

Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

Here’s my list of installed Snippets:

    AListApart - Drop down menu snippet
    cloak - Use this to cloak emails in template variables
    ContactForm - Simple, configurable XHTML-validating contact form for delivery to email accounts.
    DateTime - Outputs the current date and time to the page.
    dropdown - Create a select box of sub pages
    DropMenu - Robust and configurable XHTML-validating menu and site map builder. Output an unordered list.
    FlexSearchForm - Robust site search with like and partial matching.
    gallerydropdown - Select box for photo stories
    GetStats - Fetches the visitor statistics totals from the database
    MemberCheck - Selectively show chunks based on logged in Web User’ group memberships.
    menu - Old Static Menu
    NewsFeed - Enable RSS2 news feed from your website.
    NewsLetter
    NewsListing - Updated: Versatile news/article display system.
    NewsPublisher - Updated: Publish news articles directly from the web.
    PageTrail - Outputs the page trail, based on Bill Wilson’s script
    Personalize - Basic personalization for web users.
    PoweredBy - A little link to MODx
    UserComments - Updated: Add user comments to any document.
    WebChangePwd - Web User Change Password Snippet
    WebLogin - Updated: Web User Login Snippet
    WebSignup - Web User Signup Snippet

Quote from: dev_cw at Dec 12, 2008, 01:01 PM

...you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962

I definitely plan to upgrade, but I’m wondering if an upgrade will automagically fix the issue. It seems more prudent to remove any offending code or whatever is causing/allowing the issue before upgrading, but I simply haven’t a clue how this trick is being accomplished. Is it possible that the server (Yahoo hosting) is infected and ’flowing in’ these iframes when parsing the PHP somehow?

One last thing -- as a tester, do you have any idea if there’s an ETA for 0.9.6.3?
It would be a big time-saver to just upgrade once if it’ll be released soon.


[Edit: Attached relevant PHP config as an HTML file... you may need to remove the TXT extension to view properly]
rafael Dec 13, 2008, 12:10 AM https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205342
Re: 0.9.2.1 site hacked? https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205341

http://modxcms.com/forums/index.php/topic,30850.0.html

and here for the official notice: http://modxcms.com/forums/index.php/topic,30875.0.html

I will go ahead and say since someone is bound to do it, you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962
dev_cw Dec 12, 2008, 07:01 AM https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205341
0.9.2.1 site hacked? https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205340
So, I checked the relevant template in the manager, and there’s nothing but a blank line there.

Any ideas how this is occurring and how to stop it?? Any help would be greatly appreciated!
rafael Dec 12, 2008, 06:36 AM https://forums.modx.com/thread/36411/0-9-2-1-site-hacked#dis-post-205340