Changing database name and table names after installing MODX

Summary

As a miscreant has discovered the database name and table prefix for one of our MODX installs, we are thinking to change the names.

Is there a recommended way to go about this, short of starting from scratch? I am wondering about the necessary changes within MODX itself, changing the MySQL database name and table prefixes is easy enough to do.

I know that these two items are covered by the config file in the core/config folder, but are there other points where this info is saved?

Attempted misconduct

So far the miscreant has been targeting the table: membergroup_names. Not sure if there is an exploit tied to that they are trying to use.

Environment

Using the current version of MODX on Apache

I don’t see how they could take advantage of knowing the DB and table name without having the username and password to the DB (or the username and password of an admin user).

First, look at the users in the administrator group or other groups with high permission levels to see if there’s anyone there that doesn’t belong.

If not, it may be enough to create a new DB user with a new password, switch to those credentials in config.inc.php (the only place MODX stores that info), then delete the original DB user account. You’ll want to manually delete all files in the core/cache directory after making the change.

I would also move the core directory above the site root as described [here](https://docs.modx.com/current/en/getting-started/maintenance/securing-modx) (if you haven’t already).

If the problem comes back, the miscreant may have installed a back door somewhere on the site, based on one of the security vulnerabilities in the past (e.g., leaving the setup directory installed).
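The audit and credential rotation described in the reply above, written out as MySQL statements. This is an added example, not part of the original reply and not MODX project code. The database name, table prefix, account names and privilege list are assumptions to be replaced with your own.

```sql
-- Added example. Assumed names (none come from the thread): database `modx_db`,
-- table prefix `modx_`, old account 'modx_old'@'localhost', new account
-- 'modx_new'@'localhost'. Substitute your own values throughout.

-- 1. Audit: every user with each group and role, most privileged first.
--    In MODX a lower role authority means more privilege (Super User = 0).
SELECT u.id, u.username, u.active, u.sudo,
       g.name AS user_group, r.name AS role, r.authority
FROM modx_users AS u
JOIN modx_member_groups AS mg ON mg.member = u.id
JOIN modx_membergroup_names AS g ON g.id = mg.user_group
LEFT JOIN modx_user_group_roles AS r ON r.id = mg.role
ORDER BY r.authority, g.name, u.username;

-- Sudo users bypass group permissions, so list them separately.
SELECT id, username, active FROM modx_users WHERE sudo = 1;

-- 2. See which MySQL accounts exist and what the current one can reach.
SELECT user, host FROM mysql.user ORDER BY user, host;
SHOW GRANTS FOR 'modx_old'@'localhost';

-- 3. Create the replacement account, limited to the one MODX schema.
--    The privilege list is an assumption; drop anything your site does not need.
CREATE USER 'modx_new'@'localhost' IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON `modx_db`.* TO 'modx_new'@'localhost';

-- 4. Outside SQL: set $database_user and $database_password in
--    core/config/config.inc.php, then delete the files in core/cache.

-- 5. Once the manager loads with the new credentials, retire the old account.
DROP USER 'modx_old'@'localhost';
```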

Thanks. Will try the username route, as well.

I have placed the core elsewhere ever since my first MODX install for security, and we always have used non-standard names for database and prefixes. Have been faithful about updating my installs and deleting the setup directory immediately afterwards.

Fortunately this website / install is reaching the end of its lifespan and will be wiped off the server in a few months. But am still bothered by the fact the miscreant has somehow discovered the names of the DB and prefixes for this install. Especially considering that this install is used as a backend, to generate static html file, not a front facing page server.

Hopefully MODX is not getting hacker groupies like WP has :wink:

How exactly are they targeting that?

I’d personally not worry too much about db names or prefixes. From a security standpoint, that’s only obscurity at best. What is someone going to do with that information as long as they can’t send queries to your database? And if they can send queries…a random prefix or database name will not stop them.


“How exactly are they targeting that?”

They are trying to use SQL injection through a webform. Unsuccessfully.

But how can they discover the names of the MODX related database, without hacking our server or its control panel? Can this be discovered from the public facing part of MODX?

I’m no expert but if you’ve used a custom db name and table prefix and a miscreant is aware of them then I would think said miscreant already has privileged knowledge of the system. Either a vulnerability has been exploited somewhere or this person is someone with current or previous access to it.