Cache injected with code - running 1.0.10? - My Forums

Re: Cache injected with code - running 1.0.10?

xdom12 — Jun 05, 2013, 08:59 AM

thanks for your reply, I'll check that, too, but dont think those are installed

Re: Cache injected with code - running 1.0.10?

Everettg_99 — Jun 04, 2013, 10:55 PM

You should also look for the well-known exploits for the Reflect Snippet and the phpThumb vulnerability.

Re: Cache injected with code - running 1.0.10?

xdom12 — Jun 04, 2013, 07:33 PM

hi Everett, thanks for your tips, I have gone through the index.php files but nothing untoward there I'll do some grep stuff to see if that yields any results

Re: Cache injected with code - running 1.0.10?

Everettg_99 — Jun 04, 2013, 06:47 PM

Yeah, it's a pain. Remember: the cache is just a symptom. The file is in there somewhere before it gets pulled into the cache. If you're on the command line on a Linux server, you can search across multiple files for a given pattern using grep, e.g.

grep -rl 'some bit of javascript' .

And that can help you locate which file(s) are tainted. Very common, however, is that the index.php (in any directory, but most commonly at the root or in the manager/ dir) will be injected with a self-unzipping encrypted bit of code. That stuff is very hard to track down because you can't search for it using a pattern. A lot of malicious code is written so as not to be identifiable by pattern matching.

Make a full backup of your site and the database, go over it with a fine tooth comb. There's a linux utility that's useful for this called "maldet" (i.e. malware detection).

Re: Cache injected with code - running 1.0.10?

xdom12 — Jun 04, 2013, 05:37 PM

Yeah, i think I'll have to go through this painstakingly, thanks for your help and pointers, though!

Re: Cache injected with code - running 1.0.10?

sottwell — Jun 04, 2013, 10:35 AM

I would upload another copy of the entire manager directory (manager.new), copy over the config.inc.php file (check it for anything odd), then delete the original manager directory and rename the new one removing the .new suffix. I would do the same for the individual snippet and plugin directories, especially the tinymce plugin directory. Carefully check the directories for your images and templates; they shouldn't have any .php files. Also check any custom snippet or plugins for odd files. Look for any plugins not in the default installation that you don't recognize, espcially one named "quick managermanager" - that's a malicious plugin installed by a hacked Manager user.

Re: Cache injected with code - running 1.0.10?

xdom12 — Jun 04, 2013, 10:10 AM

Yeah, I've done the usual precautions, but wondered if Modx is still vulnerable. Finding a malicious php file will be hard I reckon, though...

Re: Cache injected with code - running 1.0.10?

sottwell — Jun 04, 2013, 09:54 AM

Sounds like a malicious php file is hidden somewhere. You should also make sure to change the passwords and preferebly even the usernames of all of your Manager users, as well as your hosting control panel (CPanel?). Wouldn't hurt to change the database password as well, although you'll have to edit the config.inc.php file for the new database password.

Cache injected with code - running 1.0.10?

xdom12 — Jun 04, 2013, 09:17 AM

Hi,

Had my client's site hacked, cache injection, was running 1.0.4 at the time. Have now upgraded to 1.0.10 but site got infected again. Any idea why that would be? Seems the cached gets injected with some rubbish javascript code. Deleting the cache solves it, until it gets injected again. Any help much appreciated

Thanks