Security vulnerability probably in elrte-0.0.1-beta6 - MODX Community Forums
https://forums.modx.com/thread/?thread=91034

Re: Security vulnerability probably in elrte-0.0.1-beta6

sottwell May 24, 2014, 08:10 PM https://forums.modx.com/thread/91034/security-vulnerability-probably-in-elrte-0-0-1-beta6#dis-post-498548

Re: Security vulnerability probably in elrte-0.0.1-beta6
Once your site is compromised, it's easy for the hacker to plant files that will allow them in in the future. Upgrading MODX will never delete files that are not part of MODX, so those harmful files will remain.

BobRay May 24, 2014, 05:34 PM https://forums.modx.com/thread/91034/security-vulnerability-probably-in-elrte-0-0-1-beta6#dis-post-498546
Security vulnerability probably in elrte-0.0.1-beta6

In the last two weeks I got a message from my hoster two times that my website was hacked.

The first time I unfortunately used MODX version 2.2.13 with the known security issue "Blind SQL Injection". After I got the mail that my website was hacked, I immediately installed the current 2.2.14-pl MODX version without that issue and uploaded a backup from my website I made one month before. Well, then everything works fine and my hoster unlocked my website because they couldn't find malware or virus any more.

So I thought I got this hacking attack under control, but it wasn't.

Yesterday, five days after the first attack, I got an email again that the same website was hacked. I couldn't believe that, because the system was updated. So I wanted to find out where the problem is. I got a txt file that contains the infected data, code lines and which software is out of date. There I found these lines:

Discovery:      .../core/components/elrte/testing/phpthumb for PHP 5.3.x and higher/phpthumb.class.php
Module:         phpthumb
Current:        1.7.11
Discovery/Old:  1.7.9

Discovery:      .../core/components/elrte/testing/phpthumb/phpthumb.class.php
Module:         phpthumb
Current:        1.7.11
Discovery/Old:  1.7.9

After I installed a new MODX again and uploaded the backup, ran the setup and logged in to the manager, I checked my packages. There were updates for Gallery and getResources which I hadn't made before. I don't think that this was the problem. I checked the package elRTE (a text editor), because it was listed in the txt file by the hoster. elRTE was listed in the package management, but I couldn't find it in the core/packages directory, only in core/components. I tried to uninstall it, but with no effect. So I enforced the deletion. And it works. Additionally I deleted the elrte directory in core/components manually with my FTP account.

Now I think the problem was the elRTE package. In the database I found out that I used elrte-0.0.1-beta6
Could it be possible that this package has a security vulnerability?

If not, I don't know what I did wrong. I don't use any own scripts or codes. And I don't know what to do if my website will be hacked again. I will tell you if it happens again...

dracovina May 24, 2014, 06:38 AM https://forums.modx.com/thread/91034/security-vulnerability-probably-in-elrte-0-0-1-beta6#dis-post-498511