A URL Injection hides itself - My Forums https://forums.modx.com/thread/?thread=96958
A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-524620
A friend's website is labeled by Google as "This site may be hacked."

I thought that I had located it in the SQL database.

Because I have made a brand new setup. I did not even bring any CSS or JS scripts and theme files, which makes the website look horrible. I did everything on my localhost.

I just imported the SQL database but I still cannot find the malicious code. The page about pharmacy is still there. I have also looked for base64 codes in the database and in the files, still no luck.

Do you have any idea where this code may be and in what shape? The hacker hid it well.
raskolt Apr 19, 2015, 06:42 PM https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-524620
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525068
http://forums.modx.com/thread/89564/warning-hacking-attack-on-revo-2-2-4-using-core-services-plugin?page=4 might be helpful too?
voyager22 Apr 30, 2015, 03:44 PM https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525068
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525067
1. Zipped my MODx installation on my server, then downloaded it locally
2. My antivirus (!) detected a folder called "buyvalium" in one of my older directories and flagged it.
3. I removed that directory via FTP
4. Then I looked inside assets/cache and saw a bunch of fishy files - assets/cache/1.data.php, 2.data.php, 3.data.php, 4.data.php, and 5.data.php. I deleted all of these.
5. I also found a mysterious Core Services plugin that I never installed, so I disabled and deleted that. After I deleted that, the pharma pages disappeared from my site (though they still exist to Google).
6. Also removed QuickManagerManager and ForgotManager plugins
7. Then I upgraded my MODx installation and changed my FTP and MODx passwords

Hope this helps... it's been a nightmare to clean. :( Also, make sure you remember to ask Google to Re-Review your site so that it removes the pharma pages from your site index.
voyager22 Apr 30, 2015, 03:35 PM https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525067
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525026
I had checked "email me new replies" but the website has just sent me the replies. I am sorry for that.

What I did until now is:

1. I had made a completely new install on my localhost. I just installed the old database SQL. The website looks like it has no CSS, but the page was still there.

2. I am not an SQL expert. I looked for the injection code, eval 64 or all the other stuff. I even looked at the modx content tables. No luck with that.

3. Google webmaster tools warned me about the injection.

4. Also Acunetix found it.

They all told me about the page but I still can't find the injection code.

That is why I thought it was SQL injection. Also, Acunetix reported it as SQL injection.
raskolt Apr 29, 2015, 07:39 AM https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-525026
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-524760
If I remember correctly I had some .php files in AWstats years ago.
fourroses666 Apr 23, 2015, 02:29 AM https://forums.modx.com/thread/96958/a-url-injection-hides-itself?page=2#dis-post-524760
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524753
Did you also delete all the files in the cache folder before doing the install?

Does it happen if you visit the site in private or incognito mode in your browser?
BobRay Apr 22, 2015, 11:43 PM https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524753
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524724
Also—look for any hidden php files. The filename might start with a period. View using the host file manager and make sure show hidden files is enabled. Look in your assets folders.

What about the .htaccess file? Is it possible there is a redirect of some kind happening?
mmcgee Apr 22, 2015, 07:12 AM https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524724
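
The file-system checks suggested in this thread (hidden PHP files, numbered .data.php files in assets/cache, redirects in .htaccess), as an added shell example that is not part of any post. It only lists candidates for manual review and deletes nothing; the function names and the list of directives it searches for are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only triage of a MODX web root for the artifacts
# mentioned in this thread. Function names are hypothetical.

# PHP files whose name starts with a period (not shown by a plain listing).
find_hidden_php() {
    find "$1" -type f -name '.*' -name '*.php' 2>/dev/null | sort
}

# PHP files in assets/cache whose name starts with a digit and ends in
# .data.php, like the 1.data.php ... 5.data.php files reported above.
find_numbered_cache_php() {
    [ -d "$1/assets/cache" ] || return 0
    find "$1/assets/cache" -type f -name '[0-9]*.data.php' 2>/dev/null | sort
}

# Active (uncommented) rewrite/redirect directives in every .htaccess under
# the root, printed as path:line-number:directive. The directive list is an
# assumption; a stock MODX .htaccess has its own RewriteRule lines, so each
# hit has to be compared with the copy shipped in the release archive.
find_htaccess_redirects() {
    pat='^[[:space:]]*(Rewrite(Rule|Cond)|Redirect[A-Za-z]*)[[:space:]]'
    # The extra /dev/null argument makes grep print the file name.
    find "$1" -type f -name '.htaccess' \
        -exec grep -n -i -E "$pat" {} /dev/null \; 2>/dev/null | sort
}

triage_webroot() {
    root=${1:-.}
    echo "== hidden PHP files =="
    find_hidden_php "$root"
    echo "== numbered PHP files in assets/cache =="
    find_numbered_cache_php "$root"
    echo "== rewrite/redirect directives in .htaccess =="
    find_htaccess_redirects "$root"
}

# Run the report only when a web root is given on the command line.
if [ $# -gt 0 ]; then
    triage_webroot "$1"
fi
```

Run it against the zipped-and-downloaded copy of the site rather than the live server, so the review does not change file timestamps on the host.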
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524703
raskolt Apr 22, 2015, 01:10 AM https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524703
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524699
mmcgee Apr 21, 2015, 09:41 PM https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524699
Re: A URL Injection hides itself https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524662
They haven't found anything but I still see the page. That is weird.
raskolt Apr 21, 2015, 02:50 AM https://forums.modx.com/thread/96958/a-url-injection-hides-itself#dis-post-524662