Detecting and Cleaning a Hacked Website

Website hacks are more and more common as hackers are becoming more sophisticated at attacking websites and sharing methods to exploit a website automatically. You can read more about how sites get hacked in How Websites Get Hacked and How to Protect Yourself.

The Symptoms of a Website Hack

MODX Sites

Not all website hacks are the same; however, in MODX we have seen some patterns in compromises. Here are some of the more common symptoms of a compromised MODX website:

  • Your website redirects visitors to adult websites, gambling sites, or anywhere else it should not be redirecting to
  • you cannot log in to the Manager, or the Manager Login Screen is blank or missing
  • new PHP files with obfuscated code in the main directory where your MODX site sits
  • overwritten Javascript files to be empty or replaced with obfuscated code
  • a missing MODX “assets” directory, which is typically located in the main directory of the website alongside MODX (rare)
  • PHP files in an “assets/images/” directory. The “assets/images/” directory is not a default, but it is commonly created by your site builder to house files that have image extensions such as .jpg, .png, .svg, .ico, .jpeg, .tiff, etc.
  • index.php files where they do not belong, including empty directories.
  • index.bak.bak files showing up on the file system
  • Files that end with php.suspected (these generally indicate someone has scanned your site for hacks or malware and believes this file is suspect)
  • user added to the MODX Manager with an empty Full Name field—often with a suspicious looking disposable email address
  • a Plugin added to the Plugins called either info.php or Core Services (common in very old versions of MODX)
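Several of the symptoms above are plain file-system facts that can be checked without any scanner. The following triage helper is an added example (constructed for this article, not a MODX or MODX Cloud tool); it only lists matches and changes nothing. The web root path you pass in is an assumption.

```shell
#!/bin/sh
# Added triage helper (constructed for this article, not a MODX or MODX Cloud tool).
# It only lists file-system symptoms from the list above; nothing is modified or deleted.
# Usage: modx_symptom_scan /path/to/www   (the MODX web root; the path is an assumption)

modx_symptom_scan() {
    root="${1:?usage: modx_symptom_scan <web-root>}"
    total=0

    # Print each match prefixed with its symptom label and add it to the running total.
    note() {  # $1 = label, $2 = newline-separated matches (may be empty)
        [ -n "$2" ] || return 0
        printf '%s\n' "$2" | sed "s|^|[$1] |"
        total=$((total + $(printf '%s\n' "$2" | wc -l)))
    }

    # Executable code inside an image directory (assets/images should hold only images)
    note php-in-images "$(find "$root" -path '*/assets/images/*' -type f -name '*.php')"
    # Backup-like leftovers and files a previous scanner already flagged
    note index-bak-bak "$(find "$root" -type f -name 'index.bak.bak')"
    note scanner-flagged "$(find "$root" -type f -name '*.php.suspected')"
    # index.php sitting alone in an otherwise empty directory
    note lone-index "$(find "$root" -type f -name 'index.php' -exec sh -c '
        for f; do
            [ "$(ls -A "$(dirname "$f")" | wc -l)" -eq 1 ] && printf "%s\n" "$f"
        done; true' sh {} +)"

    # The last line of output is the number of findings, so callers can check it.
    echo "$total"
}
```

Review every hit by hand before deleting anything; a match here is a reason to open the file, not proof that it is malicious.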

Other Sites and Symptoms

It's not always obvious that your site has been hacked; often there is no outward evidence on the site or in the administrative tool at all. Here are some other things that might suggest you have a hacked site:

  • You cannot log into your site Admin but could before
  • Your site's search engine result displays a warning to visitors that "This site may contain Malware"
  • You receive notice from your search provider that your site has malicious files
  • You receive notice from your host, including MODX Cloud, that your site has been compromised or is abusing resources or sending spam
  • You see, or visitors report search engine results for your website that do not relate to your site, including links to adult websites, male enhancement drugs, foreign language websites, etc.

Restoring a Backup: a Shortcut to a Clean Site

If your MODX Revolution site was compromised recently, you might be able to take a shortcut to resolution.

If you have a backup from on or before July 17, 2018, it may be possible to revert to this version, which is from before the recent spate of attacks started. If you are willing to redo any changes you made since July 17, 2018, or you haven't made any, you should be able to restore this version and then immediately upgrade MODX Revolution and all your installed Extras.

For MODX Cloud customers, please send a request to support@modxcloud.com with the full Cloud address of your cloud in the format of c9999.paas*.***.modxcloud.com so that we can locate the backup. We can create a new Cloud in which to restore it, or we can restore into its original location.

File Scanning Tools

At MODX we use several tools to scan and locate malicious files on a website. You run these tools on the command line. The instructions provided below require understanding how to log in to your Cloud site via SSH.

  • PHP Malware Scanner is a library that looks for malicious PHP in files by extensions. We first scan and then remove suspected malicious files.
  • AI-Bolit is a free malware scanner that scans all files on the file system. Its drawback is that it provides many false positives, making it rather tedious to review the results.
  • Sucuri Site Scanner is a server-side script that is part of the Sucuri.net (a GoDaddy company) site security and monitoring toolset. We used to use this regularly. However, we're finding PHP Malware Scanner makes this unnecessary. For monitoring potential future compromises it is useful.

Hack Remediation (Cleaning Up a Hacked Site)

The following is the same process we use at MODX Cloud to clean and monitor hacked websites.

Performing the following steps requires basic familiarity with using the command line: including changing directories, the nano text editor and removing files. If you're not comfortable with this, we'd recommend engaging MODX to clean up your MODX site in MODX Cloud for $99.

Scanning for and Removing Malicious or Compromised Files

Before running any of the scanning tools, there are a couple of things you should do. First, you should back up your Cloud instance via the MODX Cloud Dashboard. Second, you should remove any directories containing versions of phpMyAdmin. In MODX Cloud, those should be in a directory prefixed by pma. Removing phpMyAdmin reduces the false positives, and phpMyAdmin can be a frequent target for attack.

  1. Log in to your site via SSH
  2. You'll arrive initially in the Cloud's `/home` directory where you should install the Malware Scanner in the next step.
  3. Fetch and install the latest files for Scr34m's PHP Malware Scanner using git as follows:
    git clone https://github.com/scr34m/php-malware-scanner
  4. To run the PHP Malware scanner, copy and paste the following command into your terminal:
    php php-malware-scanner/scan.php -kwL -e ico -e php -e json -e js -e png -e jpg -e jpeg -e gif -d www/ --output-format "nano -cl$ +%L %F" > suspects-$(date +%Y-%m-%d_%HH-%MM-%SS).txt
  5. The above command creates a file containing a list of suspected malicious or compromised files. The file name starts with suspects- followed by the creation date and time, ensuring that if you run the command more than once, you'll be able to tell which is the most recent.
  6. To review this file, you can use nano to see a list of the files which will look similar to the following:
    nano -cl$ +3 www/core/packages/redactor-2.2.2-pl/modPlugin/f1999d78e8b4484ce016a290191a18c2/0/redactor/lib/codemirror/codemirror.min.js
    nano -cl$ +2 www/core/packages/redactor-2.2.2-pl/modPlugin/f1999d78e8b4484ce016a290191a18c2/0/redactor/lib/jquery.min.js
    nano -cl$ +5 www/core/packages/redactor-2.2.2-pl/modPlugin/f1999d78e8b4484ce016a290191a18c2/0/redactor/redactor-2.2.2.min.js
    nano -cl$ +0 www/core/packages/analyticsdashboard-1.0.5-pl/modCategory/20590f1898cfb3223cce0ef72685f058/0/analytics/model/google-api-php-client/tests/general/testdata/cacert.json
    nano -cl$ +0 www/core/packages/analyticsdashboardwidget-1.0.6-pl/modCategory/5bba233d8055dc8354d4b10b31855912/1/analyticsdashboardwidget/model/google-api-php-client/tests/general/testdata/cacert.json
    nano -cl$ +5 www/core/packages/redactor-1.4.1-pl/modPlugin/72e1b21382efe9c0b497edca16f495cb/0/redactor/redactor-1.4.1.min.js
    ...
    The format above allows you to copy a line and paste it into your command line, run the command and arrive directly on the line where the suspected malicious or naughty code is.
  7. If there aren't too many files to remove, you can use the rm command to remove each of the files in the list that you find are malicious. If you have many many files to remove, it may make sense to bulk remove the files (Bulk Remove).
  8. Once you've removed all the files suspected to contain malicious code, you should rerun the scanner as in step 4.
  9. If the PHP Malware Scanner doesn't find any malicious files, you can move on to use AI Bolit (which is much more in-depth but outputs many more false positives).
  10. To run AI-Bolit, change to the /www directory by running the following command:
    cd /www
  11. Then to install and configure AI-BOLIT copy and paste the following to your command line:
    git clone https://github.com/gregzem/aibolit/ ; mv aibolit/src/ai-bolit.php . ; rm -rf aibolit
  12. AI-Bolit generates reports in Russian by default. To switch to English before running, you'll need to edit the ai-bolit.php file at around line 36 as follows:
    nano -cl +36 ai-bolit.php
  13. At around line 36 you'll need to remove the // from in front of define('LANG', 'EN'); so that what shows in the file is now as follows:
    define('LANG', 'EN');
    //define('LANG', 'RU');
  14. To run ai-bolit.php, you can use the following command:
    php ai-bolit.php
  15. While AI-Bolit is running, you'll see a progress indicator in the terminal, and once complete it displays the location of the report, which is in your public HTML directory. To view it, copy and paste the file name into the browser after the URL of your website:
    Report written to '/www/AI-BOLIT-REPORT-_www-603740-12-10-2018_13-26.html'.
  16. Copy AI-BOLIT-REPORT-_www-603740-12-10-2018_13-26.html and paste it into your browser after your domain name. E.g., your domain is example.com, and you'll paste:
     example.com/AI-BOLIT-REPORT-_www-603740-12-10-2018_13-26.html
  17. As mentioned above, AI-BOLIT returns many many false positives in its standard form. If you're unsure whether the found malicious files are false positives or not, it may be worth engaging the MODX team to complete the process.
  18. Review and remove any files that look malicious from the AI-BOLIT-REPORT.
  19. If you've removed all the bad files with both AI-Bolit and PHP Malware Scanner, jump ahead to Cleaning Up Scanning Tools.

Note: For hosts outside of MODX Cloud, or where some Extras or scripts may have write access outside of the web root, you may wish to perform the scans above from a directory above the web root.

Bulk Removing Known Bad Files

If PHP Malware Scanner returns an extensive list of files, you don't want to be manually removing the malicious and corrupted files. There's a faster way to remove the files, but note, this is a blunt method for people who know which files to delete.

  1. If you logged out of your server, log in via SSH. If not, be sure to change directories to the /home directory.
  2. From the /home directory run the following command to run the PHP Malware Scanner
    php php-malware-scanner/scan.php -kwL -e ico -e php -e json -e js -e png -e jpg -e jpeg -e gif -d /www/ --output-format "%F" > removelist.txt
  3. Open the removelist.txt file in nano and remove any lines of files you do not wish to delete using this method by placing your cursor on the line and using CTRL+K to delete the entire line.
  4. Once you're 100% certain the file only has a list of files you wish to remove you can do the following (Warning: this is not reversible without restoring the backup for this site):
    rm -rf $(cat removelist.txt)
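The rm -rf command above cannot be undone, and because it word-splits the file list, a path containing a space would be deleted as two wrong names. As an added example (not from this article or MODX Cloud), the script below moves the listed files into a quarantine directory instead, records a manifest, and can put them back; it reads removelist.txt line by line so paths with spaces survive. The quarantine location /home/quarantine-DATE is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or MODX Cloud): a reversible alternative to
# `rm -rf $(cat removelist.txt)`. Each listed file is moved, with its directory
# structure, into a quarantine directory outside the web root and recorded in a
# manifest, so a wrongly removed file can be restored. Paths with spaces are handled
# because the list is read line by line instead of being word-split.
# Usage: quarantine_listed removelist.txt /home/quarantine-$(date +%F)   (paths assumed)

tab=$(printf '\t')

quarantine_listed() {
    list="${1:?usage: quarantine_listed <removelist.txt> <quarantine-dir>}"
    qdir="${2:?quarantine directory required}"
    mkdir -p "$qdir"
    moved=0
    while IFS= read -r path || [ -n "$path" ]; do
        [ -n "$path" ] || continue                      # skip blank lines
        case "$path" in *..*) echo "skip (dot-dot): $path" >&2; continue;; esac
        [ -f "$path" ] || { echo "skip (not a regular file): $path" >&2; continue; }
        dest="$qdir/${path#/}"                          # keep the original tree under qdir
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest"
        printf '%s\t%s\n' "$path" "$dest" >> "$qdir/manifest.tsv"
        moved=$((moved + 1))
    done < "$list"
    echo "$moved"                                       # number of files quarantined
}

# Undo for quarantine_listed: move every file in the manifest back where it came from.
restore_quarantined() {
    qdir="${1:?quarantine directory required}"
    n=0
    while IFS="$tab" read -r orig dest; do
        mkdir -p "$(dirname "$orig")"
        mv "$dest" "$orig"
        n=$((n + 1))
    done < "$qdir/manifest.tsv"
    echo "$n"                                           # number of files restored
}
```

Once the site has been verified clean for a while, delete the quarantine directory so the malicious files do not linger on the server.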

Cleaning Up Scanning Tools

Once you've cleaned up the file system, you do not want to leave any of the scanners behind. Use remove (rm) or recursive remove (rm -rf) to delete the files for AI-Bolit and PHP Malware Scanner.

Next Steps

After you get the files all cleaned up, there are a few things that need to be done to ensure your site is back up and running—and is secure from reinfection.

MODX Next Steps

Here are the things you should do, in order after cleaning up the file system:

  1. Upgrade MODX Revolution to the latest version of the software.
  2. Log into the Manager and Upgrade all Extras from Extras>Installer
  3. Check for suspicious Users. Delete any users you don't recognize.
  4. Check for Malicious Plugins or Snippets. There are a couple found in the Elements tree such as Info.php and Core Services.
  5. Check to make sure your site is working as it should be.

If your site is still not working, you may need to reinstall some of your Extras. Be sure to check the Error Logs.

Other Software Next Steps

If you're running WordPress or other software, here are the things you should do, in order, after cleaning up the file system:

  1. Upgrade WordPress or your software to the latest version.
  2. Log into the Admin and Upgrade all Plugins as indicated.

Website Still Not Working Properly

If you completed all the steps above and your site is still not working, check to see if there are missing or corrupted JavaScript files. If there are, you'll possibly need to replace them by downloading or linking to hosted copies of open source libraries such as jQuery or similar. For custom JavaScript that may have been lost or defaced, you may need to look up your site in the Internet Archive and recover a stored version of the JavaScript.

Let Us Do The Cleanup for You

Save the time and hassle of restoring your site. The MODX team can clean up your site for you—usually within 2 business days. Cleanups in MODX Cloud are $99 for MODX or $149 for WordPress websites. For sites outside of MODX Cloud, remediations start at $500.
