Infected since Feb 2020

Hi,

Just to inform.
We discovered yesterday, after an ImunifyAV scan of our website (Plesk VPS at OVH), that the whole site was infected by something.

Many index.php files have been added in many directories, and 3 lines have been inserted at the top of some major MODX index.php files.
Some includes are calling files in added directories.
Some index.html.bak.bak files corresponding to rendered pages have been added in some folders too, next to the crappy index.php.

I did not receive any complaint from anybody, except that sometimes a Google search for us is directed to crappy pages (very rare, never saw it myself directly).
Don’t even know if this is related to our hack.

On the manager home page I always trusted the security frame. I had been on 2.6.5 since that release appeared. Never saw any security alert anymore.

We updated yesterday to 2.7.0 in order to refresh the native files. Everything was OK and we manually started to clean the rest (will go up to 2.7.2 and 3 later).
Last night at 3am the crap came back.

So there is some vulnerability remaining… but where?

I have added an .htaccess into the core folder right now. This could be a lead.
Is this mandatory? If so, why not install it by default?
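The symptoms above (extra index.php files in directories that should not have one, index.html.bak.bak files next to them, a short prepend at the top of the real entry points, and includes pointing into newly added directories) are easy to triage mechanically on a copy of the tree. The following is an added example, not code from the poster or from the MODX project: it builds a small constructed directory tree that mimics those symptoms (the "dropper" content is a harmless stand-in, not real malware) and scans it for those indicators. The set of legitimate MODX entry points (`index.php`, `manager/index.php`, `connectors/index.php`, `setup/index.php`) and the suspicious-token list are assumptions for a stock install; adjust them if folders were renamed.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: stock MODX Revolution layout. Any other index.php is suspect.
LEGIT_INDEX = {"index.php", "manager/index.php", "connectors/index.php", "setup/index.php"}

# Heuristic tokens typical of injected PHP droppers (not a signature of any real sample).
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
TOP_LINES = 5  # the post mentions 3 prepended lines; look slightly deeper

# include/require with a literal string argument: include 'x.php'; require_once("y.php");
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")


def build_sample_tree():
    """Constructed sample tree reproducing the described symptoms (no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="modx_scan_"))
    files = {
        # real entry point with an innocent-looking prepend that pulls in the dropper
        "index.php": "<?php\n/* constructed injected prepend */\n"
                     "@include_once 'assets/images/cache/x.php';\n\n"
                     "/* MODX bootstrap continues */\nrequire_once 'config.core.php';\n",
        "manager/index.php": "<?php\nrequire_once dirname(__FILE__) . '/../config.core.php';\n",
        "connectors/index.php": "<?php\nrequire_once dirname(__FILE__) . '/../config.core.php';\n",
        # dropper stand-in in a directory the attacker added
        "assets/images/cache/x.php": "<?php\n/* constructed dropper stand-in */\n"
                                     "eval(base64_decode('ZWNobyAxOw=='));\n",
        # doorway page plus its cached rendering next to it
        "assets/images/index.php": "<?php\n/* constructed doorway page */\necho str_rot13('rot');\n",
        "assets/images/index.html.bak.bak": "<html>cached doorway</html>\n",
        "core/model/modx/modx.class.php": "<?php\nclass modX {}\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


def scan_modx_tree(root):
    """Return the four indicator lists for a MODX web root (paths relative to root)."""
    root = Path(root)
    findings = {"rogue_index": [], "bak_bak": [], "injected_top": [], "includes_of_flagged": []}
    php_files = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "index.php" and rel not in LEGIT_INDEX:
            findings["rogue_index"].append(rel)
        if path.name.endswith(".bak.bak"):
            findings["bak_bak"].append(rel)
        if path.suffix == ".php":
            php_files.append((path, rel))
            with path.open(errors="replace") as fh:
                head = "".join(fh.readline() for _ in range(TOP_LINES))
            if SUSPICIOUS.search(head):
                findings["injected_top"].append(rel)
    # Second pass: which files include one of the flagged files? This is how the
    # innocuous-looking prepend in the real index.php shows up.
    flagged = set(findings["injected_top"])
    for path, rel in php_files:
        for target in INCLUDE_RE.findall(path.read_text(errors="replace")):
            if os.path.isabs(target):
                continue
            for base in (path.parent, root):  # PHP resolves relative to cwd or the include path
                cand = Path(os.path.normpath(base / target))
                try:
                    cand_rel = cand.relative_to(root).as_posix()
                except ValueError:
                    continue
                if cand_rel in flagged:
                    findings["includes_of_flagged"].append((rel, cand_rel))
                    break
    return findings


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for kind, items in scan_modx_tree(sample).items():
            print(kind, items)
    finally:
        shutil.rmtree(sample)
```

Run it against the copy of the tree kept before cleaning rather than the live site, and treat every hit as a lead to confirm by hand: the prepend at the top of the real index.php is not caught by the token check (it is just an include), which is why the second pass matters.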

The Gallery extra was once vulnerable.

Can you use your server’s access log to track the entry point? If you know it happened around 3am, it should not be too hard to track down the exact request. There could be a shell left anywhere on the filesystem, or an active vulnerability.

If it is not a known (and fixed) issue, it’s better not to discuss the details publicly until a fix is available.

Most recently we’ve indeed had the Gallery exploit that Raffy mentions. Make sure that, and all other extras, are up to date.
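Tracking the 3am request down in the access log, as suggested above, is a filter over a time window plus a few heuristics for what a MODX site should never serve: PHP executed anywhere other than the entry points, POSTs to paths that are not entry points, and any 200 for something under /core/ (which the .htaccess lock-down turns into a 403). The following is an added example, not code from the poster, the replier or the MODX project. It parses Apache/nginx "combined" log lines (assumed to be what Plesk writes), triages the window around 03:00, and then pulls every line for the resulting IP, which is the "extract the lines with the attacker IP" step discussed later in the thread. The log lines are constructed for the example; 203.0.113.9 plays the attacker and the entry-point list is an assumption for a stock install.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumption: Plesk default vhost logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: stock MODX layout. Only these paths should ever execute PHP.
LEGIT_PHP = {"/index.php", "/manager/index.php", "/connectors/index.php"}

# Constructed sample log (not from the poster's server). 203.0.113.9 is the attacker.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jun/2020:02:58:40 +0200] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2020:03:01:12 +0200] "GET /core/cache/logs/error.log HTTP/1.1" 200 3201 "-" "curl/7.68.0"
203.0.113.9 - - [25/Jun/2020:03:01:35 +0200] "POST /assets/images/cache/x.php?c=1 HTTP/1.1" 200 44 "-" "curl/7.68.0"
198.51.100.7 - - [25/Jun/2020:03:05:02 +0200] "POST /connectors/index.php HTTP/1.1" 200 92 "https://example.test/manager/" "Mozilla/5.0"
this line is not a log record
203.0.113.9 - - [25/Jun/2020:14:20:00 +0200] "GET /assets/images/index.php HTTP/1.1" 200 1500 "-" "curl/7.68.0"
""".splitlines()

# Window around "3am" when the files came back.
WINDOW_START = datetime.strptime("25/Jun/2020:02:30:00 +0200", "%d/%b/%Y:%H:%M:%S %z")
WINDOW_END = WINDOW_START + timedelta(hours=1)


def parse(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def reasons_for(rec):
    """Heuristics for requests a clean MODX site should never answer with 200."""
    reasons = []
    p = rec["path"]
    if p.startswith("/core/") and rec["status"] == 200:
        reasons.append("core folder served over HTTP")
    if p.endswith(".php") and p not in LEGIT_PHP:
        reasons.append("PHP executed outside MODX entry points")
    if rec["method"] == "POST" and p not in LEGIT_PHP:
        reasons.append("POST to non-entry-point path")
    return reasons


def triage(lines=SAMPLE_LOG, start=WINDOW_START, end=WINDOW_END):
    """Suspicious requests inside the time window, in log order."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        reasons = reasons_for(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(), "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "reasons": reasons})
    return hits


def suspect_ips(hits):
    """Count flagged requests per source IP."""
    return Counter(h["ip"] for h in hits)


def lines_for_ip(ip, lines=SAMPLE_LOG):
    """Every raw line from one IP, across the whole log, to hand over for analysis."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec is not None and rec["ip"] == ip:
            out.append(line)
    return out


if __name__ == "__main__":
    hits = triage()
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"], "; ".join(h["reasons"]))
    for ip, n in suspect_ips(hits).most_common():
        print(f"{ip}: {n} flagged request(s), {len(lines_for_ip(ip))} line(s) total")
```

The 200 on /core/cache/logs/error.log is the request that the .htaccess in the core folder would have turned into a 403; the POST to a PHP file under /assets/images/cache/ is what a dropped shell being used looks like. Widen the window if the server clock and the observed modification times disagree, and run the IP extraction over rotated logs too, not only the current file.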

Hi

Yes, I saw the previous reply a few minutes ago and I’ve just uninstalled and deleted Gallery.
It had been there since the beginning but was not used…

So now:
Core has an .htaccess
Gallery is not there anymore

We will check how the situation evolves.

I’ll post some info here next week, but if we find something precise, how do we report it non-publicly?

There’s a dedicated form on the MODX website:

Hi,

It seems closing the /core directory gave results.
But we were not able to find out what the exploit was, as we don’t have logs kept long enough to go back that far.

Is this a shared server? If so, it’s also possible that it hasn’t been secured properly.

It’s a VPS with Plesk, supposed to be pretty OK. Note the infection is only in the httpdocs/ MODX tree, nothing else.
The closure of the /core folder looks like it is the cure.

Locking down the core folder is always recommended, but can you please inquire with the host about access logs? If there’s a loose vulnerability, even if it requires the core to be open, that’s something I’d want to investigate.

Perhaps your host keeps logs around longer than are available to you by default, precisely for investigating hacks. In this case you indicate the hack returned 4 days ago; most hosts I’ve worked with keep access logs for about a month.

Hi Mark,

Unfortunately, this low-noise infection probably took place in Feb 2020.
Since we had to migrate from the old VPS to a new one in April (OVH),
there is no way to recover logs from the old OVH VPS, which does not exist anymore.

We kept a copy of the tree as it was on Monday, before doing the cleaning and the upgrade to 2.7.0.
But looking at the numerous PHP craps probably won’t help you in any way…
Very sorry.
I’d have been the first to be interested in knowing what the vulnerability was.

Surely you still have logs for when “last night at 3am the crap came back”? At best, that points to a shell you’ve since cleaned up. At worst, that points to an as-yet-unknown vulnerability in the core.

Oh… OK, I’ll see with my better-skilled partner.
I’ll be back.

Mark,

We will extract the lines with the attacker IP.
However, I’m not able to analyse those files.
Do you want me to send you the files when I have them?
If yes, how? PM?
Via the Submit Security Report link?

Thank you

PM is fine, I’ll take a look at it to see if it’s a core issue or a shell, and forward it to the security inbox if needed. (I’m also on the security team.)


OK, probably tomorrow.

Try to use HTTPS.
It solved our problem.