My website was hacked many times

[Brantdus]

Hello,

My ModX CMS website running on a web host. For some reason, I always get index.php files in many directories that contain a specific line. And where the index.php already exists, this line is added to the top:

Spoiler

You don't have permission to view the spoiler content. Log in or register now.

That file also exists and has an encrypted script. When I delete it a few hours later, it shows up in another directory with a different name, and the includes are all updated.

I know there's no single solution to hardening security. I went through the cms guide about hardening the installation (mostly setting permissions), but maybe someone here has any tips on what else I could try or have to look out for.

 

[KennethJer]

It would be best if you had been making backups before your website got compromised, not after. Chances are now you will transfer over whatever vulnerabilities and back doors the current site has.

 

[Jasondep]

First, do you have access to ssh on your site, and can you access crontab?

If you do, check if the hacker has any script installed to run via cron on reboot.

If you are setting up the LAMP stack, shut down your web server before you make any changes. The hack may have injected a PHP script into an existing file (wrong 777 permissions) or created one to run somewhere. Shutting down the web server helps to prevent the php engine from being called by the web server.

That's all I can think of based on the info you posted.

 

[Brantdus]

Since it's PHP, I don't have a repo with untouched code anywhere. But that's learning now, and after setting the site up again, I'll do that.

 

[PHPAMP]

Take a fresh backup of your full website and one separate backup of database and upload/configuration directory. Remove all files and directories excluding database configuration file.

Reinstall ModX, use same database. Change your account, FTP, etc., password. Look for suspicious username in your ModX database and remove that account.