Investigating WSO Web Shell Indicators in a MODX Project
Security incident analysis starts with careful observation of what the server actually did, not with guesswork.
The case discussed here is real and worth taking seriously: suspicious requests, unexpected connector activity, and signs pointing toward a WSO web shell or a similar compromise in a MODX project.
What stood out
77.120.108.186 - - [05/Mar/2014:23:15:50 +0200] "POST /connectors/resource/index.php HTTP/1.0" ...
77.120.108.186 - - [05/Mar/2014:23:15:54 +0200] "POST /connectors/security/login.php HTTP/1.0" ...
77.120.108.186 - - [05/Mar/2014:23:15:56 +0200] "POST /connectors/browser/file.php HTTP/1.0" ...
Why this matters
- attack traces often show up as a sequence of connector calls rather than one obvious exploit request
- file-browser access after login-related requests is a serious signal
- permissions and stale files can amplify the damage once an attacker gets in
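To make the sequence pattern from these points concrete, the following Python snippet is an added example (not code from the original post): it parses access-log lines in the shape shown above and flags any source that POSTs to the file-browser connector shortly after POSTing to the login connector. The log lines, addresses and byte counts in it are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the excerpt above; the addresses
# and byte counts are placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2014:23:15:50 +0200] "POST /connectors/resource/index.php HTTP/1.0" 200 512
203.0.113.7 - - [05/Mar/2014:23:15:54 +0200] "POST /connectors/security/login.php HTTP/1.0" 200 88
203.0.113.7 - - [05/Mar/2014:23:15:56 +0200] "POST /connectors/browser/file.php HTTP/1.0" 200 1024
198.51.100.9 - - [05/Mar/2014:23:40:01 +0200] "GET /index.php?id=3 HTTP/1.1" 200 4096
198.51.100.9 - - [05/Mar/2014:23:40:05 +0200] "POST /connectors/browser/file.php HTTP/1.1" 200 1024
"""

# Common access-log prefix: ip ident user [timestamp] "METHOD path ..."
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN = "/connectors/security/login.php"
FILE_BROWSER = "/connectors/browser/file.php"


def parse_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "method": m["method"],
                           "path": m["path"].split("?", 1)[0],
                           "ts": datetime.strptime(m["ts"], TS_FMT)})
    return events


def find_login_then_browser(events, window=timedelta(minutes=5)):
    """Flag each POST to the file-browser connector: 'login_then_browser' when
    the same IP POSTed to the login connector within `window` beforehand,
    otherwise 'browser_without_login' (also worth a look: no session setup)."""
    last_login, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "POST":
            continue
        if ev["path"] == LOGIN:
            last_login[ev["ip"]] = ev["ts"]
        elif ev["path"] == FILE_BROWSER:
            seen = last_login.get(ev["ip"])
            reason = ("login_then_browser" if seen and ev["ts"] - seen <= window
                      else "browser_without_login")
            hits.append({"ip": ev["ip"], "ts": ev["ts"], "reason": reason})
    return hits
```

Running `find_login_then_browser(parse_log(SAMPLE_LOG))` on the constructed sample returns one hit per flagged file-browser call, which is the list to take into the timeline and file-modification review.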
What to do first
Freeze the environment, inspect logs, review file modifications, and rotate credentials before trying to “patch forward.” The first goal is to understand scope, not to restore convenience as quickly as possible.
This kind of post still matters because it teaches the right instinct: treat suspicious connector traffic as forensic evidence, not as random noise.