Investigating Suspicious Files in manager/media/browser/mcpuk/
A practical security response for Evolution CMS sites where a random PHP file appears inside the old mcpuk file-browser directory.
A random PHP file inside manager/media/browser/mcpuk/ is not something to ignore. In the original case, a hosting provider flagged a file with a generated numeric name, antivirus marked it as suspicious, and the site owner needed to know whether this was a one-off event or part of a larger compromise.
The old mcpuk browser has a long history in the MODX and Evolution world. On outdated sites, especially ones with exposed manager areas or forgotten install tools, it can become part of the attack chain.
Immediate response checklist
- Delete the malicious file only after copying it for later analysis.
- Check the rest of the directory for other unexpected PHP files.
- Review config.inc.php, manager files, and writable folders for injected code.
- Remove or lock down any leftover install/ directory.
- Reset manager credentials and audit administrator accounts.
- Upgrade the site if it still runs an old branch such as 1.0.5.
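One way to carry out the first two checklist items, as an added example that is not part of the original post: it compares PHP files in the live mcpuk directory against a clean copy of the same release and copies anything new or modified into an evidence folder, leaving the originals in place. The clean baseline directory, the evidence layout, the extension list and the function name triage are assumptions.

```python
import hashlib, json, os, shutil, sys, time
from pathlib import Path

# Assumption: extensions this server hands to the PHP interpreter.
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(live_dir, baseline_dir, evidence_dir):
    """Copy PHP files that are new or changed relative to a clean baseline
    into evidence_dir and return one manifest entry per finding."""
    live, base, evidence = Path(live_dir), Path(baseline_dir), Path(evidence_dir)
    evidence.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(live.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() not in PHP_EXTS:
            continue
        rel, digest = path.relative_to(live), sha256(path)
        clean = base / rel
        if not clean.is_file():
            reason = "not in baseline"
        elif sha256(clean) != digest:
            reason = "modified"
        else:
            continue
        # Copy, never move: the original stays in place until analysis is done.
        dest = evidence / f"{digest}.sample"  # name the web server will not execute
        if not dest.exists():
            shutil.copy2(path, dest)  # copy2 keeps the modification time
            os.chmod(dest, 0o400)
        mtime = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(path.stat().st_mtime))
        findings.append({"path": rel.as_posix(), "reason": reason, "sha256": digest,
                         "mtime_utc": mtime, "numeric_name": path.stem.isdigit()})
    (evidence / "manifest.json").write_text(json.dumps(findings, indent=2))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: triage.py LIVE_MCPUK_DIR CLEAN_BASELINE_DIR EVIDENCE_DIR")
    for f in triage(*sys.argv[1:4]):
        print(f["reason"], f["path"], f["sha256"], f["mtime_utc"], sep="\t")
```

Keep the evidence folder outside the web root, and use the recorded modification times to narrow the access-log window worth reviewing.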
If the site still depends on mcpuk-era components, plan a cleanup instead of assuming the problem is solved once one file is removed. The safer long-term answer is reducing legacy surface area: patch the core, review browser and upload tools, and eliminate unneeded writable entry points.
Security incidents like this are rarely isolated. Treat them as evidence that the whole manager and file-handling surface deserves review.