Recovering from a Hacked Site: Part 2

by Jay Gilmore

Published on August 7, 2018

This article is part 2 of a 3-part series on recovering a MODX website after it has been compromised and keeping it safe in the future.

Help! I’ve been hacked!

Just Hacked and Your Host Takes Backups?

If you have an excellent host—one that does regular backups—and you have a backup from before you believe the attack on your site took place, your solution could be relatively straightforward.

In the case of the recent widespread compromises of MODX websites, we believe these attacks began on July 19, 2018. If the compromise of your site took place during that week, a backup from on or before July 18, 2018, should be safe to restore from.

For MODX Cloud customers affected by these attacks who had backup retention set to 5 days or higher, you should have a viable backup. As an added measure, the MODX Cloud team have safely stored the backups taken on July 18th for each account that had one. We did this to ensure we do not lose a vital backup through the regular backup rotation.

Recovery With a Backup

Restoring a backup from July 18 or prior ensures that no malicious files remain and you have a clean state. You must reapply any changes made between the backup date and the restoration. See the note below.

  1. Take a backup of the hacked site and its database in case there is data or legitimate assets you need to recover later.
  2. Restore the backup and verify it is working.
  3. Immediately upgrade MODX Revolution to version 2.6.5.
  4. Upgrade all Extras, especially Gallery (not moreGallery).

In MODX Cloud, restoring a backup and upgrading should be straightforward for most users. Help is available for those who need it.

If you find you need to recover critical data from between the time of your site backup and the site restoration, a developer should be able to deploy the hacked website and database to a safe place and get that data for you.

Site Hacked; No Viable Backup?

It is possible to recover reasonably well—if not entirely—from a hacked website if there is no clean backup to restore. Recovery without a backup requires some technical expertise. In many cases, it requires familiarity with SSH, SFTP, and languages such as PHP, JavaScript and more.

Services to Help

There are web hosts and third-party organizations that offer services to identify and quarantine malicious files. However, few such companies have experience in restoring a CMS-based website to full functionality. They may successfully find all the compromised files, but this doesn’t ensure a fully functional site in the end. Some people have had a positive experience with Sucuri.net, though they mostly identify and quarantine compromised files.

MODX Expertise Important to Recovery

You’ll want to have someone restore your site who has familiarity with moving, installing and upgrading MODX Revolution. If that’s not you or your developer, you may wish to get in touch with a MODX Professional or MODX Support.

Lost JavaScript Files

One very frustrating part of this attack is that in many cases, the malicious file creation also overwrites legitimate JavaScript files on the website. If this is the case for you, many open source JavaScript and design libraries can provide a source for some of the JavaScript files your site may have used. Permanent loss of custom JavaScript files is possible. Sometimes these files may be recovered from the Internet Archive.

Skills Required for Hack Remediation

Manually restoring and cleaning a site after a hack is quite involved. A reasonably experienced developer should perform this. You’ll need familiarity with web hosting tools such as cPanel/Plesk or SFTP/SSH and MySQL. Additionally, server command line skills are useful (when SSH is available).

The Process

There are several approaches, but at a high level, the process is as follows:

  1. Locate and remove all malicious or compromised files.
  2. Upload and upgrade the latest version of MODX Revolution.
  3. Replace and rebuild any lost files such as overwritten JavaScript files.
  4. Log in to the MODX Manager and upgrade all Extras indicated as out of date.

Find the Bad Files

Locating all the malicious files is not easy. The best way to do this is by using some form of malware scanner (such as the PHP Malware Scanner) to identify the files and their locations on the file system. Removal is easiest over SSH but can be done by hand via the cPanel File Manager or (S)FTP if necessary. Your host may be able to do this for you, placing all affected files into a quarantine folder and altering the file names.

Most web hosts do not know how to properly repair and restore web software such as a CMS, like MODX or WordPress. Generally, when they “fix” a hacked site, they only remove or quarantine malicious or compromised files. This approach could leave the website in a non-functioning state.

Upgrading MODX

Upgrading MODX is the next part. You’ll be uploading the files which replace MODX core and manager files and running the setup in upgrade mode. This action should recover access to the manager if broken and allow you to proceed to upgrade the Extras.

Replacing Lost Assets

As mentioned above, one of the telltale signs of this compromise has been the replacement of all JavaScript files that are locally hosted on and referenced by the website. The replacement files may be empty or may contain the malicious code that redirects visitors to other sites.

For JavaScript files that are part of open source projects such as jQuery, Bootstrap, Foundation, etc., clean copies should be available either via hosted solutions or from the project repositories.

For JavaScript files that were unique to the site, if neither you nor the original developer has a copy, the last resort is likely the Internet Archive. You can check whether the site was indexed at some point in the past and whether the JS was captured.
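To support both the "Find the Bad Files" step and the asset check above, here is an added triage script (not from the original article or the MODX project) that walks a web root and flags JavaScript files that are empty, that were modified on or after the July 19, 2018 cutoff the article gives, or whose hash differs from a known-good copy of the same library. The `known_good` manifest keyed by file name and the sample files in `demo()` are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Cutoff taken from the article: the campaign is believed to have started July 19, 2018.
CUTOFF = datetime(2018, 7, 19, tzinfo=timezone.utc).timestamp()


def sha256_of(path):
    """Stream a file through SHA-256 so large bundles do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_js(webroot, known_good, cutoff=CUTOFF):
    """Return {relative_path: reason} for every .js file under webroot that looks
    overwritten. known_good maps a library file name to the SHA-256 of a clean copy
    (assumed to be obtained from the upstream project, e.g. jQuery or Bootstrap)."""
    root = Path(webroot)
    findings = {}
    for path in root.rglob("*.js"):
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        if st.st_size == 0:
            findings[rel] = "empty file"
        elif path.name in known_good and sha256_of(path) != known_good[path.name]:
            findings[rel] = "content differs from known-good copy"
        elif st.st_mtime >= cutoff:
            findings[rel] = "modified on or after cutoff"
    return findings


def demo():
    """Constructed sample web root: one intact library, one emptied file, one altered."""
    root = Path(tempfile.mkdtemp())
    clean = b"/*! constructed jquery placeholder */ window.jQuery = {};\n"
    (root / "assets" / "js").mkdir(parents=True)
    (root / "assets/js/jquery.min.js").write_bytes(clean)
    (root / "assets/js/site.js").write_bytes(b"")                 # emptied by the attack
    (root / "assets/js/bootstrap.min.js").write_bytes(clean + b"// tampered\n")
    before = datetime(2018, 7, 1, tzinfo=timezone.utc).timestamp()
    for p in root.rglob("*.js"):
        os.utime(p, (before, before))  # all mtimes predate the cutoff; hashes still catch the change
    known = {name: hashlib.sha256(clean).hexdigest() for name in ("jquery.min.js", "bootstrap.min.js")}
    return triage_js(root, known)
```

Run it against a copy of the hacked site first, then again after restoring libraries, to confirm nothing is still flagged.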

Upgrading Extras

Once you’ve upgraded the site, recovered functionality and restored as many of the lost assets as possible, you’ll want to log in to the MODX Manager and upgrade your Extras via Extras > Installer. If, during the scanning of your site, you found and deleted malicious files within the core/components or core/packages directory, you should download and replace the Extras that were affected.

Conclusion. Yes, We’re Talking Upgrades Again

These steps should be all that’s needed to get your site back to normal, or as close to normal as possible. Again, we have to highlight the importance of applying upgrades when releases come out. It is a critically important habit to be in. Developers should have deployment strategies, and site owners need to budget to make sure it gets done regularly.

More in this Series

For more in the Recovering from a Hacked Site Series, you can read Part 1 on vigilance and how to identify a compromised MODX site, and Part 3 covering the tips and tools recommended by MODX Community.
