Virus on the MODX website - ModX.XSSI.1, who faced it?

V

Vladimir Bespyatykh2021-06-08 20:09:08

MODX

Vladimir Bespyatykh, 2021-06-08 20:09:08

Hello!
Please help me in the following situation. The antivirus on reg.ru hosting reported that on all sites on ModX, there is a certain ModX.XSSI.1 virus, and an infected file /connectors/modx.config.js.php. I rummaged through everything, I did not find anything about this virus, what and how to do. Treatment from hosting did not give a result. On a fresh installed CMS, this virus also shows. Moreover, the contents of the files are different. This is what modx.config.js.php contains (any changes result in an empty admin), the virus message remains

<?php
/**
 * @package modx
 * @var modX $modx
 */
define('MODX_CONNECTOR_INCLUDED', 1);
define('MODX_REQP',true);
require_once dirname(__FILE__).'/index.php';
$_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'system','action' => 'config.js'));

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

M

m0ze, 2021-06-08
@Vimir89

Hello.

Antivirus hosted reg.ru

It gives both a lot of false positives and reacts to publicly disclosed software vulnerabilities, so it's not necessarily a virus.

I rummaged through everything, I did not find anything about this virus, what and how to do.

Because it's not a virus, but a vulnerability :)
Version 2.8.2 has security updates:

Prevent access to sensitive user data [#15678]
Add permissions to enforce access to specific resource types [#15655]
Flatten nested lexicon parameters by dot notation [#15490]
Restrict static resources to predefined path [#15656]
Prevent XSSI access to MODx.config by requiring auth token [#15644]

XSSI - Cross-Site Script Inclusion is your case.

A

archelon, 2021-06-08
@archelon

It's not a virus, it's a vulnerability. Update your distribution to the latest version.