Site hacked, though everything was up to date

Did you rerun setup after importing the db?

Here is a link to the docs for moving a site:
https://docs.modx.com/current/en/getting-started/maintenance/moving-your-site

I have found that most of the time my blank screen issues are caused by wrong file/folder permission settings. So that might be a place to start.

Ok, succeeded. Don’t know how exactly, but after fresh install, copying assets, emptying database and importing old database and rerunning setup again, it worked.

I’m aware of the docs on ‘Moving your site’. To be honest, I find it quite complex to read. It’s not a simple step by step tutorial. I’m not a developer.

In the Dashboard I'm getting the infamous "Core folder is accessible by web" message. Don't know what's wrong, I did everything as I was supposed to. Except for moving the /core folder outside the public_html folder, which is too complicated for me on a live site.

Have you renamed the htaccess in the core folder to .htaccess? (This will only work if you're on an Apache server.)

Yes, and all the other things that are mentioned in several topics.

Despite a fresh installation, the site is still hacked. Lots of complaints from visitors who get to see a spam site.

How come these files are injected again? I’m pretty desperate on how to solve this. I replaced the files below with the original files, but the site remains hacked.

'/var/www/vhosts/website.com/httpdocs/core/components/redactor/model/encryptedvehicle.class.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

'/var/www/vhosts/website.com/httpdocs/core/docs/version.inc.php'
# Script version check [OK] [MODX Revolution v2.7.2 >= v2.7.2]

'/var/www/vhosts/website.com/httpdocs/core/model/modx/filters/modinputfilter.class.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

'/var/www/vhosts/website.com/httpdocs/core/model/modx/mysql/modaccesspolicytemplategroup.class.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

'/var/www/vhosts/website.com/httpdocs/core/model/modx/rest/modrestserver.class.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

'/var/www/vhosts/website.com/httpdocs/core/model/smarty/sysplugins/smarty_internal_method_getautoloadfilters.php'
# Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

'/var/www/vhosts/website.com/httpdocs/core/packages/formit-4.2.5-pl/modSystemSetting/cinoesex.php'
# Known exploit = [Fingerprint Match] [PHP Shell [P1654]]

There must have still been malicious files in the assets you copied over or the db you imported, or both. How did you scan those before importing to the new site?

In case you haven’t seen these:

And this thread is 5 years old but has some great tips and insights:
https://forums.modx.com/thread/94643/how-to-clean-up-your-hacked-webspace

Don’t know. My provider scanned the site with some sort of PHP Malware Scanner.

Yes, I’m aware of these tutorials and followed the instructions. As far as I understood them… But it was no success as you can see.

I replaced the files above with original files. I hope it’s fine now.

All the files listed above are in the core directory, so likely not the source of the infection since you did a new install. I think you’ll have to scour the assets directory that you copied over from the old site and the db as well.

When I copy assets from a compromised site, I only take the files that I have actually looked at and know to be clean and are unique to the site. Generally css, js, image and pdf uploads. Be especially careful about the js files, but other file types can be compromised as well.

There were a few (overlooked) corrupted files in the assets dir as well, but I did not show them here.

How to scour the db? I’m not a developer, so when I look at PHP or JS files it’s all the same to me.

You probably need to bring in someone who knows what to look for then. MODX will help – I believe Ryan mentioned a contact email up towards the top of this thread.

Yes, I know. I once chose MODX hoping not to rely on developers :frowning: .

Forgive my directness, but “hoping not to rely on developers” does not sound like a viable business model.


LOL. The reason I once started with MODX was the ease of getting started and the flexibility, among other reasons. But more and more I find out that MODX is not easy at all if you're not a developer, especially in cases like this.
One should be able to build and maintain a website without any backend knowledge, in my opinion. A bit is ok for me, but MODX is giving me headaches from time to time.

I think rebuilding a hacked website on any platform is very difficult, and for someone who isn't a developer it makes this process so much harder. If your site isn't too large, i.e. less than 1000 resources, then try something like this:

  1. Scrape all content of your website. Personally I use Google Sheets (I know it's not the right tool, but it is the easiest); you can grab data using =ImportXML($A2, "//h1"), for example.

  2. Download and reprocess/check all your images. Using something like ImageOptim for Mac will optimize the file size, but for any image that it can optimize you might want to run it through a virus checker. This is not foolproof, but it's a good start.

  3. Download your CSS files. These should be clean, but just run your eye through them to be sure.

  4. Don't download your JS; you want to rebuild this. If you're using jQuery and other libraries locally, either redownload them from source or use a CDN going forward. Any custom JS files you have need to be manually checked to ensure they don't contain malicious code.

  5. Reinstall MODX; I'd actually go as far as moving the site root. If you're on cloud hosting then create a new cloud; if you're on shared or dedicated hosting then see if you can create a new directory in your web root, as you just don't know what type of malicious files could potentially be left behind.

  6. Set up MODX and download your extras. If you have access to your current MODX setup then copy across the chunks, TVs and templates. If you have custom snippets then manually check each one for malicious data.


Starting from scratch is the only sure fire method for ensuring no malicious files are copied across.

Thanks, thanks, thanks.

I seem to remember reading on the old forums that someone else had an experience like yours, and it turned out that their shared hosting environment had a WordPress site on it that was used to corrupt the MODX site on the same host. I can't find the post now.


No worries,

I was thinking last night about number 6. Since chunks, snippets and templates are held in the DB, you might want to check them all for malicious code before inserting into the new site.

I was thinking last night

:smile:
Yes, a lot of work.

The site looks ok for now. I will double check all files. Thanks everyone for providing best practices for when a MODX site is hacked.

Get a copy of phpMalware scanner from Github and run it. I can virtually guarantee there are hacked files still there, and possibly a malicious plugin or user added to your site. Also remove all old versions of packages and make sure everything is upgraded to the latest versions, including all Extras.
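The advice in this thread (compare the copied assets and the core tree against a fresh install, look for dropped PHP files under upload directories, and run a malware scanner over whatever is left) can be reduced to a small script. The following is an added example written for this page; it is not the phpMalware scanner mentioned above, not MODX project code, and not the scanner output quoted earlier. It hashes every file in a suspect tree, diffs it against a known-clean reference tree of the same version, flags executable files under upload directories, and applies a short, assumed list of injection patterns to PHP/JS/.htaccess content. The `demo()` function builds two constructed trees in temporary directories so the example runs offline; the pattern list, the `assets` upload-directory name and the sample file contents are assumptions for illustration.

```python
"""Integrity diff plus heuristic scan of a suspect site tree (added example)."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumed heuristics for injected PHP/JS; a starting point, not an exhaustive list.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I),
    re.compile(rb"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),  # /e modifier
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I),     # $_POST['c'](...)
    re.compile(rb"(assert|create_function|system|passthru|shell_exec)\s*\(\s*\$_", re.I),
]
EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}   # should never live under uploads
TEXT_EXT = EXEC_EXT | {".js", ".html", ".htm"}      # content worth pattern-scanning


def sha256(path):
    """Stream-hash a file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p) for p in root.rglob("*") if p.is_file()}


def suspicious_patterns(data):
    """Return the pattern strings that match the given file or snippet body.
    Works equally on snippet/plugin code exported from the database."""
    return [p.pattern.decode() for p in SUSPICIOUS if p.search(data)]


def scan_tree(suspect, reference=None, upload_dirs=("assets",)):
    """Diff suspect against reference (if given) and flag risky content.
    Returns {"added": [...], "modified": [...], "executable_in_uploads": [...],
             "flagged": {relpath: [patterns]}}."""
    suspect = Path(suspect)
    sus = tree_hashes(suspect)
    ref = tree_hashes(reference) if reference else {}
    report = {"added": [], "modified": [], "executable_in_uploads": [], "flagged": {}}
    for rel, digest in sorted(sus.items()):
        rp = Path(rel)
        if reference:
            if rel not in ref:
                report["added"].append(rel)        # not in the clean install at all
            elif ref[rel] != digest:
                report["modified"].append(rel)     # clean file with changed content
        if rp.parts[0] in upload_dirs and rp.suffix.lower() in EXEC_EXT:
            report["executable_in_uploads"].append(rel)
        if rp.suffix.lower() in TEXT_EXT or rp.name == ".htaccess":
            hits = suspicious_patterns((suspect / rel).read_bytes())
            if hits:
                report["flagged"][rel] = hits
    return report


def demo():
    """Constructed sample: a clean reference tree and a suspect copy of it with a
    modified core file and a PHP shell dropped under assets/. Returns the report."""
    ref = Path(tempfile.mkdtemp(prefix="modx_ref_"))
    sus = Path(tempfile.mkdtemp(prefix="modx_suspect_"))
    files = {  # assumed file contents, not real MODX sources
        "core/model/modx/modx.class.php": b"<?php\nclass modX {}\n",
        "assets/css/site.css": b"body{margin:0}\n",
        "assets/js/site.js": b"console.log('hi');\n",
    }
    for root in (ref, sus):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Tamper with the suspect copy only.
    (sus / "core/model/modx/modx.class.php").write_bytes(
        b"<?php\neval(base64_decode('aGVsbG8='));\nclass modX {}\n")
    (sus / "assets/images").mkdir(parents=True, exist_ok=True)
    (sus / "assets/images/shell.php").write_bytes(b"<?php $_POST['c']($_POST['x']);\n")
    try:
        return scan_tree(sus, ref)
    finally:
        shutil.rmtree(ref)
        shutil.rmtree(sus)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real site the reference tree is a fresh download of the same MODX version (and the same Extras versions), so anything reported under "added" or "modified" inside core/ is suspect by definition; the pattern scan is only a triage aid, since obfuscated injections can dodge any fixed list, and the same `suspicious_patterns` check can be run over snippet and plugin code pulled from the database before re-inserting it into the rebuilt site.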