Just to inform.
We have discovered yesterday after an imunifyAV scan over our website (vps Plesk at OVH) that the whole site was infected by something
many index.php have been added in many directories and 3 lines have been inserted at the top of some major index.php modx files.
some includes are calling files in an added directories.
some index.html.bak.bak corresponding to some rendered page have been added in some folders too, next to the crappy index.php.
I did not received any complaint from anybody except sometime some google search for us are directed to crappy pages. (very rare, never saw it myself directly).
Don’t even know if this in relationship with our hack.
In the manager home page I always trusted the security frame. I was in 2.6.5 since this release appeared. Never saw anymore security alert.
We updated yesterday to 2.7.0 in order to refresh native files. everything were ok and we manually started to clean the rest. (will go up to 2.7.2 and 3 later)
This night at 3am the crap came back.
So there is some vulnerability remaining …but where…?
I have added an .htaccess into the core folder right now. This could be a track.
Is this mandatory ? if so why not installing it by default ?