Modx 2.7.1 infection after clean install

Hi, my site kept getting infected no matter what I did. I tried hardening site, fresh install, everything imaginable for few past month and ico files keep coming back.

Last procedure that last longest (without being infected for 1 month) was clean install of version 2.7.1, reupload database (with changed password), reupload images and pdfs into assets.
Installed extras: breadcrumbs, codemirror, firstchildredirect, formit, getpage, getreourcefield, getresources, googlesitemap, simplesearch, tinymce, translit, utlimateparent, wayfinder.
All of that is latest version.
Today my site was loading for long time (which is first sign of site beeing infected), so I rescan for ico files and found one in connectors/system, there was also one php file with random name and folder security was missing.
Because of location I am suspecting phpthumb.php…

Any ideas? I am really desperate.

Have you tried scanning your files for any backdoors? Chances are there’s a file in your assets somewhere that you accidentally restored with the clean installation. That doesn’t have to be a .ico file, can also be a .php file or something else.

PHP malware scanner is pretty good:

Also worth making sure there are no users or plugins that shouldn’t be there.

If you’re seeing ico files returning, this sounds like the site’s been compromised for a long time and it is the accesson.php hack which affected versions below 2.6.5 but it may have not shown symptoms or new symptoms have showed up. In some cases there were malicious users added and in others, there were plugins added that fired on every request.

The team at MODX Cloud has successfully cleaned hundreds of sites and we’ve learned a lot in that time, hence the document I wrote that @markh linked to.

The best way to ensure the site is cleaned is to scan it deeply via SSH and then be sure there are no malicious users, plugins or snippets. For the latter, I generally just scanned (visually) the database tables related to users, plugins and snippets.

It is possible phpthumb is at issue, it’s possible that it could be phpMyAdmin but the ico files suggest to me that there is likely naughty files in the root or assets directories (or subdirectories thereof).

1 Like

Could be missing something, but did you change the FTP/CP password of all the accounts?

Hi, ok I found one suspicious php file in assets with random name, but how can this execute if its not index.php?
I also checked database for any php code, snippet, plugins or any extra - clean. I also have only 2 users, changed password for databes, ftp, and user account many times…

Are you saying that this site continues to be reinfected or has not been cleaned? If not, have you considered getting professional assistance in recovering the site?

The attacker that placed it there knows where it is and can call it simply by requesting assets/whatever_random_name.php.