MODX
den-masonov, 2017-05-23 13:01:59

The problem with malicious code: wp-xml-rpc.php?

Got a site (evolution 1.2) in which I need to fix problems with sending emails. The hoster blocked the /assets/snippets/wayfinder/examples/wp-xmlrpc.php file and the sending of emails, and writes:
>>> You should understand that deleting these files is not a solution to the problem. You need to find the vulnerability through which they were introduced and fix it. A repeat of the situation will mean blocking all sites on the account.
I'm not very familiar with MODX. Are there any standard scenarios by which this file could have been planted? Or is it still enough to delete the file, change the hosting and site passwords, and write to tech support that the problem is solved?


4 answers
zooks, 2017-05-23
@zooks

There are no such files in MODX. It is necessary to treat the site and change passwords.

Sanes, 2017-05-23
@Sanes

wp-xmlrpc.php is kind of related to WordPress

ugodrus, 2017-05-23
@ugodrus

Faced such a problem. The site was under Apache. Treated it with .htaccess. Unfortunately, the source file has not been preserved. The problem is easily solved if you manage the site from a fixed IP. The principle of the rule is this:
if this is a POST request
AND it is NOT addressed to typical scripts (such as index.php in the root, and the receiver for AJAX requests in the public part, which lives somewhere else)
AND the request is not from the specified IP,
then we redirect it to a stub, which writes the request parameters to the log: who, from where, and with what data.
Thus the attacker will not even get into the admin panel, and requests to anything else are useless to him.
Further, while collecting logs on the scripts placed by the attacker, we analyze all the scripts of the site where the following functions are mentioned: mail, eval, fsockopen and its variations, base64_decode, exec and its analogues.
I had this peculiarity: the malicious code was at the beginning of the file in the form of <?php, then a bunch of spaces to hide it from the eye in the editor, then the code ended with ?>, and accordingly, if it was originally a PHP file, the native file's <?php was opened after that.
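A triage scanner for the second half of the procedure above (finding site scripts that call the listed functions, and detecting the whitespace-padded prepended `<?php ... ?>` block), added here as an example and not code from the poster. The sample PHP strings are constructed, and the extra `fsockopen`/`exec` variants are my assumption of what "its variations" and "its analogues" cover.

```python
import re
from pathlib import Path

# Functions named in the answer above; the extra variants are my assumption
# of what "fsockopen and its variations" / "exec and its analogues" covers.
SUSPICIOUS_FUNCS = (
    "mail", "eval", "fsockopen", "pfsockopen", "stream_socket_client",
    "base64_decode", "exec", "shell_exec", "system", "passthru", "popen",
    "proc_open",
)
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(", re.I)

# Prepended block as described: "<?php", a long run of spaces/tabs that pushes
# the payload off-screen in an editor, code, "?>", then the file's own "<?php".
PREPENDED_RE = re.compile(r"\A<\?php[ \t]{40,}\S.*?\?>\s*<\?php", re.DOTALL)


def scan_php_source(src: str) -> dict:
    """Report suspicious function calls as (line, name) pairs and whether the
    source opens with a whitespace-padded prepended block."""
    calls = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            calls.append((lineno, m.group(1).lower()))
    return {"prepended_block": bool(PREPENDED_RE.match(src)), "calls": calls}


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; return {path: findings} for files
    with at least one hit, so a human can review them one by one."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        result = scan_php_source(path.read_text(errors="replace"))
        if result["calls"] or result["prepended_block"]:
            findings[str(path)] = result
    return findings


# Constructed samples, not files from the asker's site.
CLEAN = "<?php\n$modx->runSnippet('Wayfinder', ['startId' => 0]);\n"
INFECTED = ("<?php" + " " * 200 + "eval(base64_decode($_POST['q'])); ?>\n"
            + CLEAN)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, scan_php_source(src))
```

Every hit still needs a human look: `mail()` in a legitimate contact-form snippet is expected, while `eval(base64_decode(...))` in a file that should not execute anything is not.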

Oleg Spiridonov, 2017-05-23
@spd78

There was a problem with evolution; before a certain version there was a vulnerability. Here you can see the instructions for fixing it: https://modx.ru/novosti-i-stati/article/289/
In brief: make a backup of the files and the database, look for problem files with AI-Bolit, clean or delete them (depending on the situation), update to the latest version of MODX, and update all modules.
