404 Page Not Found

It sounds more likely to me that a backdoor was left in place after a previous hack than a “drive-by” attack on v2.6.5 or up. Cleaning up properly is crucial to prevent it from happening again, as such backdoors can be left dormant for a long time before rearing their ugly face again.

I’m more about prevention than cleaning up myself, and MODX LLC has vastly more experience doing cleanups (and I believe a fixed-fee model for cleanups including a guarantee, though that might be limited to MODX Cloud), but I’d be more than happy to take a look to see if I can figure out what happened to your site and how to avoid it moving forward.

Also, I built SiteDash to help monitor and quickly upgrade sites to keep them safe. I’m also working on more security features to help detect backdoors/unexpected changes/other signs of a potential compromise. Especially if you don’t have the time or experience to constantly stay on top of sites, I’d encourage you to check it out as a second pair of eyes on your site.

1 Like

I’ve been here a long time, and can tell you that with any CMS, changes made by the host can make the site go down. It’s not uncommon for a host to move you to another server and forget to transfer some key part of your CMS, put you on an older version of PHP, use their default .htaccess file instead of the MODX one, or introduce a change to the .htaccess file that breaks things.

Many of us have MODX sites that have never been hacked.

In my experience, it’s very rare for a hacked site to produce a 404 error, so it’s quite possible that it’s not a hack at all.

Also, uploading the MODX files individually with FTP often results in missing or corrupted files.

Another possibility with the MODX Manager after an upgrade is that a leftover browser cache file or cookie can make the Manager unusable. (Try going to your Manager with the browser in private or incognito mode to test this out.)

As Mark says, though, hackers will often leave a back door and come back later (sometimes a long time later) to use it. So upgrading or restoring a pre-hack version of your site won’t help if the site hasn’t been fully cleaned.

Take a look in the database in the modx_users table to see if there are any users that shouldn’t be there.

Also look for suspicious code in the .htaccess and index.php files and check the paths and URLs in the core/config/config.inc.php file and the three config.core.php files in the MODX root, manager, and connectors directories.

As for making sure it doesn’t happen again, see these pages:

Hardening MODX Revolution

Hardening Your MODX site

You can use the UpgradeMODX extra to upgrade, which makes it a lot easier to stay current. You can also set your settings_version System Setting back, clear the cache, and use UpgradeMODX to “upgrade” to your current version. That will give you all new versions of your MODX files.

2 Likes
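
One way to run the config.core.php path check described in the post above, as an added example (not part of the original post and not MODX's own code). It assumes each file sets MODX_CORE_PATH with a literal define(); the function names and the sample site tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Locations named in the post: MODX root, manager and connectors directories.
CONFIG_DIRS = ("", "manager", "connectors")
# Assumption: the path is set as define('MODX_CORE_PATH', '<literal path>');
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]MODX_CORE_PATH['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")

def audit_core_configs(site_root, expected_core):
    """Return (file, problem) tuples; an empty list means all three files agree."""
    expected = Path(expected_core).resolve()
    findings = []
    for sub in CONFIG_DIRS:
        cfg = Path(site_root) / sub / "config.core.php"
        if not cfg.is_file():
            findings.append((str(cfg), "missing"))
            continue
        match = DEFINE_RE.search(cfg.read_text(errors="replace"))
        if match is None:
            # A path built from an expression needs to be read by hand.
            findings.append((str(cfg), "no literal MODX_CORE_PATH define"))
        elif Path(match.group(1)).resolve() != expected:
            findings.append((str(cfg), "points to " + match.group(1)))
    return findings

def demo():
    """Build a constructed site tree with one altered file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        core = root / "core"
        for sub in CONFIG_DIRS:
            (root / sub).mkdir(parents=True, exist_ok=True)
            # Constructed tampering: connectors points outside the site.
            target = "/tmp/elsewhere/core/" if sub == "connectors" else f"{core}/"
            (root / sub / "config.core.php").write_text(
                f"<?php\ndefine('MODX_CORE_PATH', '{target}');\n"
                "define('MODX_CONFIG_KEY', 'config');\n")
        return [(Path(f).parent.name, p) for f, p in audit_core_configs(root, core)]

if __name__ == "__main__":
    for where, problem in demo():
        print(where, "->", problem)
```

Run `audit_core_configs` against a copy of the site with the core path you expect; any finding is a file to open and read in full, since the regex does not distinguish a commented-out define from a live one.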