Posted

Hi All,

I have been away from PW for a few months. Busy with life etc...

I have a couple of important MODx sites that are displaying the dreaded Malware warning: "visiting this site may harm your computer"...

My intention was to switch these sites (one Evo and one Revo) to PW at some point. The timing is not great right now. So, what to do? How hard is it to restore the MODx sites so the Malware warning goes away? Or should I just start fresh and rebuild the sites using PW? Just accessing all the pages to copy the content will be all kinds of fun I am sure.

Looking for suggestions please...

Thanks!

Max

Posted

Can I suggest you please change the title to "MODx Sites Hacked" or something similar? I hope you get your issues worked out.

Good point. I changed the thread title...

  • Like 1
Posted

After a site / server is hacked, it's important to collect information about it.

Is "only" the webspace affected by the hack? Are files changed? Often code is injected into index.html or index.php files. But code could also be inserted into the database...

Are strange processes running (ps aux)? Maybe changes made in system / user environment (search /proc with strange process id).

Or emails sent? Via URL call or a locally spawned process? A new listening port or strange traffic (use tcpdump)?

Check logs to find hack attempts and maybe the entry point.

If the attacker reached root permissions, binaries (ls, ps, ...) could be replaced to hide things!

  • Like 1
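
A first-pass file check for the questions in the post above (are files changed, is code injected into index files), as an added example that is not part of the thread. The function names, the file-type list, the day window and the pattern list are assumptions; run it against a copy of the web root on a clean machine, since on a host where root was obtained `find` and `grep` may themselves have been replaced.

```shell
#!/bin/sh
# Added example: triage of a web root after a suspected compromise.
# All names and patterns here are assumptions, not a complete detector.

# Select the file types that injected code usually lands in.
# usage: web_files WEBROOT [extra find tests/actions...]
web_files() {
    root=$1; shift
    find "$root" -type f \
        \( -name '*.php' -o -name '*.htm*' -o -name '*.js' -o -name '.htaccess' \) "$@"
}

# Files modified within the last DAYS days.
# Note: mtime can be reset by an attacker, so an empty list proves nothing.
# usage: recent_changes WEBROOT DAYS
recent_changes() {
    web_files "$1" -mtime "-$2" -print | sort
}

# Files containing constructs commonly seen in injected code:
#  - eval() wrapped around a decoder (obfuscated PHP)
#  - an iframe styled to be invisible (injected into HTML output)
# A hit is a lead for manual review, not a verdict.
# usage: suspicious_files WEBROOT
suspicious_files() {
    web_files "$1" -exec grep -lE \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        -e '<iframe[^>]*(display:[[:space:]]*none|visibility:[[:space:]]*hidden)' \
        {} + | sort
}

# Typical use on a copy of the site:
#   recent_changes   /path/to/copy 7
#   suspicious_files /path/to/copy
```

Neither function looks at the database, running processes, listening ports or logs, so the other checks in the post still have to be done separately.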