MODX setup/ Directory Site Exploit

By Ryan Thrash  |  April 24, 2019  |  3 min read
There is currently an active exploit of sites with an intact MODX Revolution setup/ directory. This can give anyone on the internet complete access to your site and possibly your server with trivial effort. This directory should never be left in place once a site is installed.

You can check if your site is vulnerable by entering your site URL with a /setup/ added at the end, for example:

https://www.example.com/setup/

If you see a MODX installation utility, log into your server via FTP or SSH immediately and remove this directory. If your site is working as expected, it may be safe, but please review the additional information below.
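For hosts or sysadmins with shell access, the same check can be run server-side across a whole web root. This is an added example, not code from the MODX project or the original post; it assumes the default MODX layout, locating each install by its core/config/config.inc.php file and reporting any setup/ directory that still sits beside it.

```shell
#!/bin/sh
# Added example (not part of the original post): report MODX installs under a
# web root that still have a setup/ directory next to core/config/config.inc.php.
# Assumes the default MODX directory layout; installs with a relocated core/
# directory are not detected.

# Print the path of every leftover setup/ directory found below $1.
find_stale_setup_dirs() {
    root="$1"
    # config.inc.php marks a MODX install; its grandparent is the site base dir
    find "$root" -type f -path '*/core/config/config.inc.php' 2>/dev/null |
    while IFS= read -r cfg; do
        base="${cfg%/core/config/config.inc.php}"
        if [ -d "$base/setup" ]; then
            printf '%s\n' "$base/setup"
        fi
    done
}

# Exit 0 when no leftover setup/ directory exists under $1, 1 otherwise,
# so the check can run from cron or a monitoring job.
check_webroot() {
    stale="$(find_stale_setup_dirs "$1")"
    if [ -n "$stale" ]; then
        printf 'Leftover MODX setup/ directory found:\n%s\n' "$stale" >&2
        return 1
    fi
    return 0
}

# Usage: check_webroot /var/www
```

Any path it reports should be removed (or, at minimum, blocked at the web server) once you have confirmed the site is installed and working.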

Using the MODX installation script above, a malicious individual can re-install MODX and point it at any database they wish, including remote databases. Once a site is “re-installed”, they can then use the Manager’s file manager to upload backdoor files to your server. This can potentially lead to more severe issues, such as having the entire server rootkitted, setting up spam mailers, or uploading crypto miners to take advantage of the computing resources on your server.

If your site has been compromised or is not working correctly, and the setup folder described above was in place, you must first re-connect your site to the correct database and server. Ask your web host or sysadmin to reset your database password and give you the new database credentials. Once you have those, update the MODX config file—by default located at core/config/config.inc.php—with the correct settings.

You should also upgrade your MODX version to the latest production release (currently 2.7.1) and upgrade all Extras if they are not current. Keeping up with updates is critical to maintaining a secure site and is one of the most effective ways to prevent compromise.

Finally, you should run a malware scanner to make sure other exploits haven't already been uploaded to your site as described above. We have a series of articles that walk you through recovering from a site compromise, which hopefully will help in this effort:

If your web host, developer or sysadmin is not able to help, you can open a commercial support ticket directly with MODX by visiting https://support.modx.com and clicking the blue “Submit a request” link in the header (please mention this post and provide your site URL). In order to assist, we will need access to your server, most likely via your cPanel login.