This article is part 2 of a 3-part series on recovering a MODX website after it has been compromised and keeping it safe in the future.
Help! I've been hacked!
Just Hacked and Your Host Takes Backups?
If you have an excellent host—one that does regular backups—and you have a backup from before you believe the attack on your site took place, your solution could be relatively straightforward.
In the case of the recent widespread compromises of MODX websites, we believe these attacks began on July 19, 2018. If the compromise of your site took place during that week, a backup from on or before July 18, 2018, should be safe to restore from.
For MODX Cloud customers affected by these attacks who had Backup retention set to 5 days or higher, you should have a viable backup. As an added measure, the MODX Cloud team have safely stored backups taken on July 18th, for each account that had one. We did this to ensure we do not lose a vital backup through the regular backup rotation.
Recovery With a Backup
Restoring a backup from July 18 or prior ensures that no malicious files remain and you have a clean state. You must reapply any changes made between the backup date and the restoration. See the note below.
- Take a backup of the hacked site and its database, in case there is data or legitimate assets you need to recover later
- Restore the backup and verify it is working
- Immediately upgrade MODX Revolution to version 2.6.5
- Upgrade all Extras—especially Gallery (not moreGallery)
In MODX Cloud, restoring a backup and upgrading should be straightforward for many. Help is available for those who need it.
If you find you need to recover critical data from between the time of your site backup and the site restoration, a developer should be able to deploy the hacked website and database to a safe place and get that data for you.
Site Hacked; No Viable Backup?
Services to Help
There are web hosts and third-party organizations that offer services to identify and quarantine malicious files. However, few such companies have experience in restoring a CMS-based website to full functionality. Even if they successfully find all the compromised files, this doesn't ensure a fully functional site in the end. Some people have had a positive experience with Sucuri.net, though they mostly identify and quarantine compromised files.
MODX Expertise Important to Recovery
You'll want to have someone restore your site who has familiarity with moving, installing and upgrading MODX Revolution. If that's not you or your developer, you may wish to get in touch with a MODX Professional or MODX Support.
Skills Required for Hack Remediation
Manually restoring and cleaning a site after a hack is quite involved. A reasonably experienced developer should perform this. You'll need familiarity with web hosting tools such as cPanel/Plesk or SFTP/SSH and MySQL. Additionally, server command line skills are useful (when SSH is available).
There are several approaches, but at a high level, the process is as follows:
- Locate and remove all malicious or compromised files.
- Upload and upgrade the latest version of MODX Revolution.
- Log in to the MODX Manager and upgrade all Extras indicated as out of date.
Find the Bad Files
Locating all the malicious files is not easy. The best way to do this is to use some form of malware scanner (such as the PHP Malware Scanner) to identify the files and their locations on the file system. Removal is easiest over SSH, but can be done by hand via the cPanel File Manager or (S)FTP if necessary. Your host may be able to do this for you, placing all affected files into a quarantine folder and altering the file names so they can no longer be executed.
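As an added illustration of the triage and quarantine step described above (this is not the article's own tooling and not a substitute for a malware scanner), the script below lists PHP files changed on or after an assumed cut-off date under an assumed web root, and moves a file you have judged malicious into a quarantine folder, keeping its relative path, renaming it so the web server will not execute it, and logging where it came from. The paths and the cut-off date are placeholders to adjust for your site.

```shell
#!/bin/sh
# Added example: triage recently changed PHP files under a MODX web root and
# quarantine the ones you decide are malicious. Assumed defaults below.
WEBROOT="${WEBROOT:-/var/www/html}"            # assumed web root
QUARANTINE="${QUARANTINE:-/var/backups/quarantine}"  # assumed quarantine dir, outside the web root
CUTOFF="${CUTOFF:-2018-07-19}"                 # assumed date the compromise began

# find_recent_php ROOT DATE: print PHP files modified on or after DATE.
# Core and manager files are replaced wholesale by the upgrade, so this
# narrows manual review to everything else (assets/, components/, uploads).
find_recent_php() {
    find "$1" -type f -name '*.php' -newermt "$2" -print
}

# quarantine_file SRC ROOT QDIR: move SRC out of the web root into QDIR,
# preserving its path relative to ROOT, appending .quarantined so it is no
# longer served as PHP, and appending a line to QDIR/quarantine.log.
# Prints the destination path.
quarantine_file() {
    src="$1"; root="$2"; qdir="$3"
    rel="${src#"$root"/}"
    dest="$qdir/$rel.quarantined"
    mkdir -p "$(dirname "$dest")"
    mv "$src" "$dest"
    printf '%s\t%s\n' "$src" "$dest" >> "$qdir/quarantine.log"
    printf '%s\n' "$dest"
}

# Typical use: review the list, then quarantine each confirmed bad file.
#   find_recent_php "$WEBROOT" "$CUTOFF"
#   quarantine_file "$WEBROOT/assets/images/suspect.php" "$WEBROOT" "$QUARANTINE"
```

Keep the quarantine log with the backup you took of the hacked site, so a developer can later confirm what was removed and why.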
Most web hosts do not know how to properly repair and restore web software such as a CMS, like MODX or WordPress. Generally, when they "fix" a hacked site, they only remove or quarantine malicious or compromised files. This approach could leave the website in a non-functioning state.
Upgrading MODX is the next part. You'll be uploading the files which replace the MODX core and manager files and running the setup in upgrade mode. This should recover access to the Manager if it was broken and allow you to proceed to upgrade the Extras.
Replacing Lost Assets
Once you've upgraded the site, recovered functionality and got back as many of the lost assets as possible, you'll want to log in to the MODX Manager and upgrade your Extras via Extras > Installer. If, while scanning your site, you found and deleted malicious files within the core/components or core/packages directories, you should download and replace the Extras that were affected.
Conclusion. Yes, We're Talking Upgrades Again
These steps should be all that's needed to get your site back to normal, or as close to normal as possible. Again, we have to highlight the importance of applying upgrades when releases come out. It is a vital habit to be in. Developers should have deployment strategies, and site owners need to budget to make sure it gets done regularly.
More in this Series
For more in the Recovering from a Hacked Site series, you can read Part 1 on vigilance and how to identify a compromised MODX site, and Part 3 covering the tips and tools recommended by the MODX Community.