PhotoWebMax Posted October 9, 2014
Hi All, I have been away from PW for a few months. Busy with life etc... I have a couple of important MODx sites that are displaying the dreaded Malware warning: "visiting this site may harm your computer"... My intention was to switch these sites (one Evo and one Revo) to PW at some point. The timing is not great right now. So, what to do? How hard is it to restore the MODx sites so the Malware warning goes away? Or should I just start fresh and rebuild the sites using PW? Just accessing all the pages to copy the content will be all kinds of fun I am sure. Looking for suggestions please... Thanks! Max
cstevensjr Posted October 9, 2014
Can I suggest you please change the title to "MODx Sites Hacked" or something similar? I hope you get your issues worked out.
PhotoWebMax (Author) Posted October 9, 2014
Quoting cstevensjr: "Can I suggest you please change the title to "MODx Sites Hacked" or something similar? I hope you get your issues worked out."
Good point. I changed the thread title...
kongondo Posted October 9, 2014
Sorry to hear that. Here's a post that might help: https://processwire.com/talk/topic/6736-pharma-hack/ I am also moving this topic to the 'off-topic - dev talk' forum... since it is not directly related to PW...
pwFoo Posted October 10, 2014
After a site / server is hacked, it's important to collect information about it. Is "only" the webspace affected by the hack? Are files changed? Often code is injected into index.html or index.php files. But code could also be inserted into the database... Are strange processes running (ps aux)? Maybe changes were made in the system / user environment (search /proc for the strange process id). Or emails sent? Via URL call or a locally spawned process? A new listening port or strange traffic (use tcpdump)? Check logs to find hack attempts and maybe the entry point. If the attacker reached root permissions, binaries (ls, ps, ...) could be replaced to hide things!
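A small triage script that walks through the checks pwFoo lists (recently changed web files, common injection markers, listening ports, package-verified binaries, processes running from odd locations). It is added here as an example and is not code from the thread or from the MODx/ProcessWire projects; the directory and day-count arguments, the grep signatures and the assumption of a Linux host with GNU find/grep (plus ss/netstat and debsums or rpm where installed) are mine.

```shell
#!/bin/sh
# Post-compromise triage for a hacked PHP (e.g. MODx) web host. Indicators only, not proof:
# review every hit by hand, and prefer running the binary checks from a clean rescue system.

# 1. Web files changed in the last <days>: injected code usually lands in index.php/index.html
#    or in freshly dropped .php files under upload/cache directories.
recent_files() {            # usage: recent_files <webroot> <days>
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '.htaccess' \) \
        -mtime "-$2" 2>/dev/null | sort
}

# 2. Common obfuscation / injection markers in PHP and HTML files (prints matching file names).
suspicious_files() {        # usage: suspicious_files <webroot>
    grep -rlE --include='*.php' --include='*.html' \
        'eval\(base64_decode\(|gzinflate\(base64_decode|preg_replace\([^)]*/e|<iframe[^>]+(display:none|width="?0)|str_rot13\(' \
        "$1" 2>/dev/null | sort || true
}

# 3. Listening sockets with owning PIDs: a new port or an unknown process is the red flag.
listening_ports() { ss -lntup 2>/dev/null || netstat -lntup 2>/dev/null; }

# 4. Compare ls, ps, ... against the package database; a root-level intruder may have swapped them.
verify_binaries() {
    if command -v debsums >/dev/null 2>&1; then debsums -c coreutils procps 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then rpm -V coreutils procps-ng
    else echo "no package verifier found (install debsums, or use rpm -V)"; fi
}

# 5. Processes whose executable was deleted or lives in /tmp or /dev/shm (read from /proc directly,
#    so this still works if ps itself has been tampered with).
odd_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in *'(deleted)'*|/tmp/*|/dev/shm/*) echo "${p#/proc/} $exe";; esac
    done
}
```

Run `recent_files /var/www/html 7; suspicious_files /var/www/html; listening_ports; verify_binaries; odd_processes` on the affected host and keep the output with the log review, since the time stamps and file names are what point to the entry point.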