# Our website was hacked!



## corgwork (Jul 10, 2008)

Hello and I hope someone could help us here.

We received notification from Google that our website has hacked content inserted into it. I looked up the source code and someone somehow was able to insert into many of the pages links to pills and stuff. Our website is chamah.org and runs on the Modx system. I am currently the "webmaster", updating news and what-not. I am not a programmer, only familiar with HTML and CSS. I attached the offending code below.

1. Is there any way to search and find all the pages that have the injected content?

2. If you look at the code they formatted it as:

```
position:absolute;left:-2311px;top:-2794px;
```
What do they gain by formatting it that way if you can't even see?

3. How can we make sure they're not able to do it again?


```
[URL=http://www.esgena.org/adobe-photoshop-cs5-lowest-price.html]adobe photoshop cs5 mac purchase[/URL] [URL=http://www.enz-natursteine.ch/kamagra-bestellen-auf-rechnung.html]kamagra bestellen deutschland[/URL] 
[URL=http://www.enz-natursteine.ch/levitra-generika-rezeptfrei-kaufen.html]levitra generika sicher kaufen[/URL] 
[URL=http://www.enz-natursteine.ch/cialis-usa-rezeptfrei-kaufen.html]cialis in usa rezeptfrei kaufen[/URL] 
[URL=http://www.enz-natursteine.ch/levitra-ohne-rezept-preisvergleich.html]levitra ohne rezept paypal[/URL]
[URL=http://www.enz-natursteine.ch/levitra-generika-20mg-preisvergleich.html]levitra generika 20mg kaufen[/URL] 
[URL=http://www.enz-natursteine.ch/sildenafil-citrate-100mg-viagra-generika.html]sildenafil citrate 100mg viagra generika[/URL]
[URL=http://www.enz-natursteine.ch/levitra-holland-rezeptfrei.html]levitra generika test[/URL]
[URL=http://www.enz-natursteine.ch/viagra-zulassung-deutschland.html]viagra zum bestellen[/URL]
[URL=http://www.enz-natursteine.ch/viagra-online-billig.html]viagra online billig[/URL] [URL=http://www.enz-natursteine.ch/viagra-kaufen-gunstig-paypal.html]viagra kaufen holland[/URL]
[URL=http://www.enz-natursteine.ch/viagra-rezeptfrei-apotheke-holland.html]viagra rezeptfrei apotheke holland[/URL] 
[URL=http://www.enz-natursteine.ch/viagra-billig-bestellen.html]viagra billig kaufen[/URL] [URL=http://www.dmediagroup.it/upload/file/index.php?q=levitra-consegna-24-ore]levitra costi[/URL]
[URL=http://www.customforklifts.com.au/images/mail/index.php?q=prescribing-viagra-australia]prescription for viagra australia[/URL]
[URL=http://www.dmediagroup.it/upload/file/index.php?q=cialis-generico-prezzo-piu-basso]cialis generico prezzo farmacia[/URL] [URL=http://www.dkk.ie/css/index.php?q=levitra-uk-next-day-delivery]levitra uk next day delivery[/URL]
```


----------



## JiminSA (Dec 15, 2011)

corgwork said:


> 1. Is there any way to search and find all the pages that have the injected content?


I would use Notepad++ to view all my source documents (which I would download from the server) and, using the Find option, would look for all the statements containing http: in all of the documents. This should then show me any other injections elsewhere on the site.


corgwork said:


> What do they gain by formatting it that way if you can't even see?


Google crawlers check sites for external references and presumably use this data to affect the referenced site's rankings, so by obfuscating their presence with positioning off page they would hope to improve their Google ranking. As it was Google who reported this to you, I don't imagine they will have achieved their purpose.


corgwork said:


> 3. How can we make sure they're not able to do it again?


I rather suspect that they targeted your site because of the Adobe Flash player on your front page - I suspect it because they have an external link referring to adobe-photoshop and want to target Adobe-friendly sites. Pure supposition on my part (thumb-sucking) but it sometimes helps when attempting to get inside the head of a hacker. So you may consider changing your Flash presentation for a video, which would show on Google Chrome browsers - your presentation is dead in the water to Chrome users because of the professional friction between Adobe and Google; Chrome is not supporting Flash or PDF files.
You may also consider using SpambotSecurity who do an amazingly good job of protection from hackers for free.


----------



## corgwork (Jul 10, 2008)

Thank you JiminSA for your reply! 

I'm sorry I didn't understand what you answered about finding all pages with hacked content. Could you please elaborate a bit? 

Do you mean I should download my whole website and then search all the files for any instance of "http:"? But there are many legitimate "http:" instances throughout the website!?


----------



## JiminSA (Dec 15, 2011)

corgwork said:


> But there are many legitimate "http:" instances throughout the website!?


As may there be, perhaps you could extend the search to include their domain - "http://www.enz-natursteine.ch"


----------



## corgwork (Jul 10, 2008)

Oh man that's a job! With notepad++ you can search all the files at once?


----------



## JiminSA (Dec 15, 2011)

corgwork said:


> Oh man that's a job! With notepad++ you can search all the files at once?


Not really, the search will do so on all opened pages, and hopefully there won't be any.


----------



## lunarlander (Sep 22, 2007)

Do you keep Modx updated? The latest release is MODX Revolution 2.4.2-pl, released Oct 06, 2015.

Also update your PHP since Modx is based on PHP. And your database too.

You MUST keep your platform up to date in order to be secure.


----------



## corgwork (Jul 10, 2008)

I use the web version of MODx to log in; I don't have anything installed on my computer. Do I still need to update something online?


----------



## lunarlander (Sep 22, 2007)

You should talk to your web admin or web programmer, they will know how to keep the platform updated.


----------



## corgwork (Jul 10, 2008)

Right, we don't have anyone. We will have to hire someone if necessary. Our website is on MODx, on cPanel, on GoDaddy. Is there something we need to do to keep it updated?


----------



## TechGuy (Feb 12, 1999)

Yes, you should update MODx frequently. If you have other add-ons or applications installed, keep an eye on those as well.

Most of these injections try to avoid being spotted in a simple search by encrypting the code they eventually display. You can search for *base64* and see if you can find some suspicious code that way. Here is a good article to start if you have SSH access to your server:
http://www.inmotionhosting.com/support/website/hacks/clean-up-code-injection-attack

For a proper cleaning, it'd probably be a job for a programmer familiar with MODx.


----------
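Added example, not part of any post in this thread: a Python sketch of the search discussed above, run over a downloaded copy of the site (or an exported database dump). It flags lines that push content far off-screen like the `position:absolute;left:-2311px;top:-2794px;` style, flags the `base64` pattern, and counts link hosts that are not the site's own so unfamiliar domains stand out among the legitimate `http:` links. The 1000px threshold, the file suffix list, the extra PHP function names and the sample hosts are assumptions.

```python
import re
from collections import Counter
from pathlib import Path

ABSOLUTE = re.compile(r"position\s*:\s*absolute", re.I)
NEG_OFFSET = re.compile(r"\b(?:left|top)\s*:\s*-(\d+)px", re.I)
# PHP decoding helpers commonly wrapped around injected code (assumed list)
OBFUSCATED = re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Hosts in HTML href attributes and in BBCode-style [URL=...] links
LINK_HOST = re.compile(
    r"""(?:href\s*=\s*\\?["']?|\[URL=)https?://([^/"'\s\]>\\]+)""", re.I)
TEXT_SUFFIXES = {".html", ".htm", ".php", ".tpl", ".js", ".css", ".sql", ".txt"}
MIN_OFFSET_PX = 1000  # assumed threshold for "far off-screen"

def scan_text(text):
    """Return (line_number, kind) for each suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        far = any(int(px) >= MIN_OFFSET_PX for px in NEG_OFFSET.findall(line))
        if ABSOLUTE.search(line) and far:
            findings.append((n, "offscreen-style"))
        if OBFUSCATED.search(line):
            findings.append((n, "obfuscated-php"))
    return findings

def external_hosts(text, own_hosts):
    """Count link targets whose host is not one of the site's own."""
    own = {h.lower() for h in own_hosts}
    hosts = (h.lower() for h in LINK_HOST.findall(text))
    return Counter(h for h in hosts if h not in own)

def scan_tree(root, own_hosts):
    """Scan text-like files under root; return {path: (findings, hosts)}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings, hosts = scan_text(text), external_hosts(text, own_hosts)
            if findings or hosts:
                report[str(path)] = (findings, hosts)
    return report

# Constructed sample page, not taken from the affected site
SAMPLE = '''<p>News: <a href="http://www.example.org/about.html">about us</a></p>
<div style="position:absolute;left:-2311px;top:-2794px;">
<a href="http://spam.example.net/pills.html">pills</a>
[URL=http://spam.example.net/more.html]more[/URL]
</div>
<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>
'''

if __name__ == "__main__":
    for path, (findings, hosts) in scan_tree(".", {"www.example.org"}).items():
        print(path, findings, dict(hosts))
```

Hosts that appear in the count but that nobody on the team recognises are the ones to search for by name across the rest of the site.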



## corgwork (Jul 10, 2008)

Just to clarify: do you mean to say that the MODx program installed on the GoDaddy server needs to be updated?


----------



## lunarlander (Sep 22, 2007)

Yes, you need to update the programs on the GoDaddy server.


----------

