Recovering from a Hacked Site: Part 2

This article is part 2 of a 3-part series on recovering a MODX website after it has been compromised and keeping it safe in the future.

Help! I’ve been hacked!

Just Hacked and Your Host Takes Backups?

If you have an excellent host—one that does regular backups—and you have a backup from before you believe the attack on your site took place, your solution could be relatively straightforward.

In the case of the recent widespread compromises of MODX websites, we believe these attacks began on July 19, 2018. If the compromise of your site took place during that week, a backup from on or before July 18, 2018, should be safe to restore from. Before restoring, check that the backup itself contains no files modified on or after July 19; a backup taken after the initial intrusion but before the visible damage is not clean.

MODX Cloud customers affected by these attacks who had backup retention set to 5 days or higher should have a viable backup. As an added measure, the MODX Cloud team has safely stored the backups taken on July 18th for each account that had one, so that a vital backup is not lost through the regular backup rotation.

Recovery With a Backup

Restoring a clean backup from July 18 or earlier ensures that no malicious files remain and gives you a known-good state. You must then reapply any legitimate changes made between the backup date and the restoration. See the note below.

  1. Take a backup of the hacked site and its database, in case there is data or there are legitimate assets you need to recover later.
  2. Restore the backup and verify it is working.
  3. Immediately upgrade MODX Revolution to version 2.6.5.
  4. Upgrade all Extras, especially Gallery (not moreGallery).

In MODX Cloud, restoring a backup and upgrading should be straightforward for most sites. Help is available for those who need it.

If you need to recover critical data created between the time of the backup and the restoration, a developer should be able to deploy the hacked website and database to an isolated location (not a public web root) and extract that data for you.
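The two checks above, preserving the hacked site before it is overwritten and confirming that a backup has nothing modified since the attack date, can be scripted. The following is an added example for a shell on the host, not tooling from MODX or from the article; the paths, the attack date and the database credentials in the comment are assumptions to adjust for your hosting.

```shell
#!/bin/sh
# Added example (not MODX's own tooling). Preserves the compromised web root
# with timestamps intact, writes a SHA-256 manifest so the evidence can be
# shown to be untouched later, and lists files modified since a given date so
# a restored backup can be checked for leftovers. All paths are assumptions.

# preserve_site SITE_DIR OUT_DIR
# Archives the whole web root and writes a SHA-256 manifest next to it.
# Prints the archive path.
preserve_site() {
    site_dir="$1"; out_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out_dir"
    archive="$out_dir/site-hacked-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    # The database goes alongside it; run by hand on the host (assumed credentials):
    #   mysqldump --single-transaction -u DBUSER -p DBNAME | gzip > "$out_dir/db-hacked-$stamp.sql.gz"
    ( cd "$site_dir" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$out_dir/manifest-$stamp.sha256"
    echo "$archive"
}

# modified_since SITE_DIR DATE
# Prints every regular file whose modification time is on or after DATE
# (for example 2018-07-19). Run it against the restored backup: anything
# listed deserves a look. Run against the hacked copy it gives a first
# timeline of the attack. Attackers can reset mtimes, so an empty result is
# reassuring but not proof.
modified_since() {
    find "$1" -type f -newermt "$2" -print | sort
}

# Usage (assumed paths):
#   preserve_site /var/www/example.com /root/evidence
#   modified_since /var/www/example.com 2018-07-19
```

Keep the evidence directory outside the web root and off the server if you can; the manifest lets you prove later that the archive was not altered.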

Site Hacked; No Viable Backup?

It is possible to recover reasonably well, if not entirely, from a hacked website when there is no clean backup to restore. Recovery without a backup requires some technical expertise: in many cases, familiarity with SSH, SFTP, and with PHP and JavaScript.

Services to Help

There are web hosts and third-party organizations that offer services to identify and quarantine malicious files. However, few such companies have experience in restoring a CMS-based website to full functionality. They may successfully find all the compromised files, but this does not ensure a fully functional site in the end. Some people have had a positive experience with Sucuri.net, though their work mostly consists of identifying and quarantining compromised files.

MODX Expertise Important to Recovery

You’ll want to have someone restore your site who has familiarity with moving, installing and upgrading MODX Revolution. If that’s not you or your developer, you may wish to get in touch with a MODX Professional or MODX Support.

Lost JavaScript Files

One very frustrating part of this attack is that, in many cases, the malicious file creation also overwrites legitimate JavaScript files on the website. If this is the case for you, the open source JavaScript and design libraries your site used can supply clean copies of those files. Permanent loss of custom JavaScript files is possible, although sometimes these files can be recovered from the Internet Archive.

Skills Required for Hack Remediation

Manually restoring and cleaning a site after a hack is quite involved. A reasonably experienced developer should perform this. You’ll need familiarity with web hosting tools such as cPanel/Plesk or SFTP/SSH and MySQL. Additionally, server command line skills are useful (when SSH is available).

The Process

There are several approaches, but at a high level, the process is as follows:

  1. Locate and remove all malicious or compromised files.
  2. Upload the latest version of MODX Revolution and run the upgrade.
  3. Replace and rebuild any lost files such as overwritten JavaScript files.
  4. Log in to the MODX Manager and upgrade all Extras indicated as out of date.

Find the Bad Files

Locating all the malicious files is not easy. The best way is to run a malware scanner (such as the PHP Malware Scanner) to identify the files and their locations on the file system. Removal is easiest over SSH, but it can be done by hand via the cPanel File Manager or (S)FTP if necessary. Your host may be able to do this for you, placing all affected files into a quarantine folder and altering their file names so they can no longer be executed or served.

Most web hosts do not know how to properly repair and restore web software such as a CMS, like MODX or WordPress. Generally, when they “fix” a hacked site, they only remove or quarantine malicious or compromised files. This approach could leave the website in a non-functioning state.
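A scanner does the heavy lifting, but it helps to understand what one looks for. The following is an added example, not the PHP Malware Scanner the article mentions and not MODX code: a small indicator sweep over a web root, plus a quarantine step of the kind a host performs (move the file out of the web root and change its name). The pattern list, the upload directory names and the paths are assumptions; treat every hit as something to inspect, not as proof of compromise.

```shell
#!/bin/sh
# Added example, not MODX's tooling. Sweeps a web root for PHP files carrying
# common webshell/loader strings or sitting in media directories, and moves
# confirmed files into a quarantine folder with a changed name. Tune the
# pattern list and directory names to your site.

# Strings that rarely appear in legitimate MODX or Extra code but are common
# in PHP webshells and injected loaders (assumed list).
IOC_PATTERNS='eval(base64_decode(
eval(gzinflate(
eval(gzuncompress(
eval(str_rot13(
eval($_POST
eval($_GET
eval($_REQUEST
assert($_POST
assert($_REQUEST
system($_GET
passthru($_
shell_exec($_
FilesMan
c99shell
r57shell'

# scan_php_iocs SITE_DIR
# Prints "reason<TAB>path" for each suspicious file:
#   pattern:<string>   the file contains an indicator string
#   php-in-upload-dir  a PHP file under assets/images or assets/uploads, where
#                      MODX stores media and no code should live
# Double extensions such as shell.php.jpg are picked up by the '*.php.*' name.
scan_php_iocs() {
    site="$1"
    find "$site" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' -o -name '*.phar' \) -print |
    while IFS= read -r f; do
        case "$f" in
            "$site"/assets/images/*|"$site"/assets/uploads/*)
                printf 'php-in-upload-dir\t%s\n' "$f" ;;
        esac
        printf '%s\n' "$IOC_PATTERNS" | while IFS= read -r pat; do
            if grep -qF -- "$pat" "$f"; then
                printf 'pattern:%s\t%s\n' "$pat" "$f"
            fi
        done
    done
}

# quarantine_file SITE_DIR QUARANTINE_DIR FILE
# Moves FILE out of the web root into QUARANTINE_DIR, keeping its relative
# path and adding a .quarantined suffix so the web server will neither execute
# nor serve it. A log line records the original location so a false positive
# can be put back.
quarantine_file() {
    site="$1"; qdir="$2"; f="$3"
    rel="${f#"$site"/}"
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$f" "$qdir/$rel.quarantined"
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" \
        "$qdir/$rel.quarantined" >> "$qdir/quarantine.log"
}

# Usage (assumed paths):
#   scan_php_iocs /var/www/example.com
#   quarantine_file /var/www/example.com /root/quarantine /var/www/example.com/assets/images/x.php
```

Note that MODX and many Extras legitimately ship PHP connectors under assets/components, so the sweep only flags PHP in the media directories, not everywhere under assets. Inspect pattern hits before quarantining them: a few Extras use base64 for harmless reasons.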

Upgrading MODX

Upgrading MODX is next. Use a freshly downloaded MODX Revolution package (2.6.5 or later), not files copied from the hacked site, to replace the core and manager files, then run setup in upgrade mode. This should restore access to the Manager if it was broken and let you proceed to upgrade the Extras.

Replacing Lost Assets

As mentioned above, one telltale sign of this compromise has been the replacement of every locally hosted JavaScript file referenced by the website, either with an empty file or with malicious code that redirects visitors to other sites.

JavaScript files that are part of open source projects such as jQuery, Bootstrap or Foundation are available either from a CDN or from the project repositories. Fetch the same release the site used and compare it against the copy on the server rather than trusting anything left on the hacked site.

For JavaScript files that were unique to the site, if neither you nor the original developer has a copy, the last resort is likely the Internet Archive. Check whether the site was captured at some point in the past and whether the JS was saved with it.
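Finding the JavaScript files this attack damaged, and confirming that library files match a clean copy, is a job for a script rather than for eyeballing each file. The following is an added example, not from the article or from MODX: it flags zero-byte .js files and files carrying a redirect loader, compares the site's copies against a reference directory holding freshly downloaded releases at the same relative paths, and swaps a clean copy in while keeping the tampered one as evidence. The paths, the reference layout and the redirect regex are assumptions.

```shell
#!/bin/sh
# Added example, not MODX's tooling. Triage of JavaScript after a compromise
# that empties or overwrites .js files, plus verification and restore against
# a clean reference copy of the same library releases. Paths are assumptions.

# suspicious_js SITE_DIR
# Prints "reason<TAB>path":
#   empty     a zero-byte .js file
#   redirect  a file that sets the browser location or document.write()s an
#             encoded payload (a triage signal; legitimate site code can do
#             this too, so read the file before deleting it)
suspicious_js() {
    find "$1" -type f -name '*.js' -print | sort | while IFS= read -r f; do
        if [ ! -s "$f" ]; then
            printf 'empty\t%s\n' "$f"
        elif grep -qE 'window\.(top\.)?location(\.href)?[[:space:]]*=|document\.write\(unescape\(' "$f"; then
            printf 'redirect\t%s\n' "$f"
        fi
    done
}

# verify_against_reference SITE_DIR REFERENCE_DIR
# For every .js file under REFERENCE_DIR (clean copies laid out with the same
# relative paths as on the site), prints "missing<TAB>rel" when the site lacks
# the file and "modified<TAB>rel" when the SHA-256 differs.
verify_against_reference() {
    site="$1"; ref="$2"
    ( cd "$ref" && find . -type f -name '*.js' ) | sort | while IFS= read -r rel; do
        rel="${rel#./}"
        if [ ! -f "$site/$rel" ]; then
            printf 'missing\t%s\n' "$rel"
        elif [ "$(sha256sum < "$ref/$rel" | cut -d' ' -f1)" != \
               "$(sha256sum < "$site/$rel" | cut -d' ' -f1)" ]; then
            printf 'modified\t%s\n' "$rel"
        fi
    done
}

# restore_js SITE_DIR REFERENCE_DIR EVIDENCE_DIR REL_PATH
# Moves the tampered copy (if any) to EVIDENCE_DIR with a .bad suffix, outside
# the web root, and puts the clean reference file in its place.
restore_js() {
    site="$1"; ref="$2"; evidence="$3"; rel="$4"
    if [ -f "$site/$rel" ]; then
        mkdir -p "$evidence/$(dirname "$rel")"
        mv "$site/$rel" "$evidence/$rel.bad"
    fi
    mkdir -p "$site/$(dirname "$rel")"
    cp "$ref/$rel" "$site/$rel"
}

# Usage (assumed paths; the reference tree holds freshly downloaded releases):
#   suspicious_js /var/www/example.com
#   verify_against_reference /var/www/example.com /root/clean-js
#   restore_js /var/www/example.com /root/clean-js /root/evidence assets/js/jquery.min.js
```

Build the reference tree from the exact versions the site's templates reference; a different minor release of jQuery will show as modified even though it is clean. Custom files have no reference copy, so for them the first function is the only automated signal.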

Upgrading Extras

Once you have upgraded the site, recovered functionality and got back as many of the lost assets as possible, log in to the MODX Manager and upgrade your Extras via Extras > Installer. If, while scanning your site, you found and deleted malicious files within the core/components or core/packages directories, download and reinstall the Extras that were affected so no partially cleaned package remains.

Conclusion. Yes, We’re Talking Upgrades Again

These steps should be all that is needed to get your site back to normal, or as close to normal as possible. Again, we have to highlight the importance of applying upgrades when releases come out; it is a vital habit. Developers should have deployment strategies and site owners need to budget to make sure it gets done regularly.

More in this Series

For more in the Recovering from a Hacked Site Series, you can read Part 1 on vigilance and how to identify a compromised MODX site, and we’ll soon publish Part 3 covering the tips and tools recommended by MODX Community.
