Today I had a look at a compromised modx installation. Two plugins had been added to the installation causing pharmacy links to appear on the homepage.
The get to the root of problems like this, It would be very helpful to store information in the effected tables for all elements (plugins, chunks, tvs, templates and snippets):
For plugins it would also be useful to add
I see the following advantages for this feature:
Did you check the manager actions log? They'll tell you who worked with what element and what action was performed on it and when.
I'm aware about this. It seems that either the manager action log was limited to about 100 entries in prior versions (2.2.x), or the attacker removed all relevant data from the manager log.
I think consistent use of important data is always a good thing. It can help to solve minor problems in day to day work and in edge cases it might give an extra hint to understand important details.