XF 1.2 Unknown column 'forum.node_id' in 'where clause'

MistyMeanor

Active member
Hi,

Since today, I can't access to my forum due I see the following error:
Code:
Server Error

Mysqli prepare error: Unknown column 'forum.node_id' in 'where clause'
Zend_Db_Statement_Mysqli->_prepare() in Zend/Db/Statement.php at line 115
Zend_Db_Statement->__construct() in Zend/Db/Adapter/Mysqli.php at line 381
Zend_Db_Adapter_Mysqli->prepare() in Zend/Db/Adapter/Abstract.php at line 478
Zend_Db_Adapter_Abstract->query() in XenForo/Model.php at line 219
XenForo_Model->fetchAllKeyed() in XenForo/Model/Forum.php at line 133
XenForo_Model_Forum->getExtraForumDataForNodes() in XenForo/NodeHandler/Forum.php at line 85
XenForo_NodeHandler_Forum->getExtraDataForNodes() in XenForo/Model/Node.php at line 571
XenForo_Model_Node->mergeExtraNodeDataIntoNodeList() in XenForo/Model/Node.php at line 760
XenForo_Model_Node->getNodeDataForListDisplay() in XenForo/ControllerPublic/Forum.php at line 40
XenForo_ControllerPublic_Forum->actionIndex() in XenForo/FrontController.php at line 337
XenForo_FrontController->dispatch() in XenForo/FrontController.php at line 134
XenForo_FrontController->run() in /home3/nomuscle/public_html/community/index.php at line 13

I've disabled all add-ons (through config.php file) but the error still there and I can't figure how to resolve it. I've a backup so please let me know if I need to restore a specific table (not the entire database) in order to fix this.

Thank you
 
Quick glance of your add-ons show nothing that should be causing this to sporadically do anything.

If you look into your ACP, do you see the Node List? If you would like me to look into it, you can PC me admin details and I'll give it a poke to see if I can see anything that might be the cause of it.

Also, if you would rather Ivan post under his own name, you can associate his license here and he will receive the same level of support as you.
 
This particular issue is not due to an add-on (at least in MistyMeanor's case) or XenForo itself. I am working with her privately to solve this.
 
Can you expand? Last time I saw something like this (with xf_user.user_id being dropped), it was pretty clear that it was some form of security issue on the server or the host. (There was at least one example of it being dropped via phpMyAdmin in the logs).
 
Hi there,

It looks like MistyMeanor is being helped privately with her forum. Although the initial problem was the same as mine, is the latest outage similar?

If there is a definite conclusion I would like to hear it please, I am now very nervous of Xenforo.

Kindest

Neil
 
Can you expand? Last time I saw something like this (with xf_user.user_id being dropped), it was pretty clear that it was some form of security issue on the server or the host. (There was at least one example of it being dropped via phpMyAdmin in the logs).
This is Claudio (tech guy)

Hi Mike,

I don't think this is a coincidence. Today somebody made a deface and modified index.php file. The forum is hosted under Bluehost and yesterday we changed all passwords (admin passwords, cpanel password, ftp passwords, mysql passwords...everything). Community folder (where XenForo is installed and index.php was modified) have 755 chmod. Chmod permissions are the same as before, when the file was edited.

We're running XF RC2 and all the add-ons I detailed above.

The bad thing, is that BlueHost (the actual hosting company where the forum is hosted) doesn't provide enough information to understand where the attack has been made. They told me that a Proxy IP accessed to the forum (they got it from cPanel Access Logs):
Code:
IP - - [28/Jul/2013:06:17:01 -0600] "GET /community/ HTTP/1.1" 200 341 "http://domain.com/community/" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
at the same time, Index.php file was modified.

Now, if all admin passwords have been changed, Cpanel and FTP passwords as well, how this happened? I think it might be an add-on, any other suggestions?

Edit: apart from this, this person has deleted all nodes and deleted xf_node.breadcrumb_data.
I've restored a backup, disabled all add-ons through config.php, re-uploaded xf files (and checked them), rebuilt xf master data, deleted all fpt accounts, changed mysql username and password associated to xf database, changed cpanel password, changed mysql password, change all forum admin passwords.
 
Last edited:
Can you expand? Last time I saw something like this (with xf_user.user_id being dropped), it was pretty clear that it was some form of security issue on the server or the host. (There was at least one example of it being dropped via phpMyAdmin in the logs).
What was posted above. It seems like direct access to files / DB was obtained and utilized.
 
My course of action would be like this:

- Deny PHP excecution in /data and /internal_data
- Log everything. I would also add a code to XenForo logging every DROP TABLE query made through the forums.
- The moment the table gets dropped, try to match the time of the DROP TABLE query and the web server logs and see if there's a match.
- If no match is found, that means someone inside the server is messing with you.
 
What was posted above. It seems like direct access to files / DB was obtained and utilized.

Sounds to me, more so since the site was also defaced that this isn't an issue with just your account, but rather the hosting companies server was hacked and accessing all clients databases directly by a back door injection. Until the host patches how ever the server got compromised this will continue to happen.
 
Could be related, could not be but I thought I would share recent bluehost issues.

I have a client that has a site (static) running on a Bluehost server. On Thursday, the entire AT&T network blocked a specific server/servers due to one/some of them being compromised. The situation was apparently rectified Friday evening. Just an FYI
 
Could be related, could not be but I thought I would share recent bluehost issues.

I have a client that has a site (static) running on a Bluehost server. On Thursday, the entire AT&T network blocked a specific server/servers due to one/some of them being compromised. The situation was apparently rectified Friday evening. Just an FYI


Bluehost servers have been getting compromised a lot lately. About ever since EIG bought them.
 
Well that is all very good for the US problem, blamed on Bluehost and possibly others, but are you losing perspective here. I have had the same problem. I am running on a highly respected business ISP called Zen Internet in the UK. When I contacted them before I did a restore, they could find nothing wrong in the server logs or the system. They are very good and run a number of my sites. I have every faith in them.

I am wondering if there is something obscure in Xenforo which did this to both Misty's forums and mine. We are not casting blame here, just trying to find the cause so it doesn't happen again.

I tell you I am so nervous now I am doing 3 backups a day when I can - that surely can't be right!

Kindest

Neil
 
I am wondering if there is something obscure in Xenforo which did this to both Misty's forums and mine.
Based on the evidence available so far, no.

In the other reported cases it has always been the direct actions of someone who had or gained access to the server/database.
 
Well that is all very good for the US problem, blamed on Bluehost and possibly others, but are you losing perspective here. I have had the same problem. I am running on a highly respected business ISP called Zen Internet in the UK. When I contacted them before I did a restore, they could find nothing wrong in the server logs or the system. They are very good and run a number of my sites. I have every faith in them.

I am wondering if there is something obscure in Xenforo which did this to both Misty's forums and mine. We are not casting blame here, just trying to find the cause so it doesn't happen again.

I tell you I am so nervous now I am doing 3 backups a day when I can - that surely can't be right!

Kindest

Neil
No, it wasn't XenForo's fault. As Paul said, its usually direct access to services, accounts, and databases. What version were you on?
 
Hi King Kovifor and Brogan,

If you read this thread back you see it is well documented 1.15

As I said - I am not looking for a fault or blame culture (is this a US /UK thing?) just an honest appraisal of the problem and a bit of help to restore confidence in my installation and it has to be said, the product!

If anyone can help, I would be most obliged and appreciative.

Kindest

Neil
 
Hi King - no nothing. The only large activity I did was to make about 20 prefixes in a special category and start applying them retrospectively to posts. That was about 2 days before the problem.

I did have Jakes nodes as tabs installed and active a couple of weeks ago, but disabled it because it did not do precisely what I wanted. It still clearly resides in the system, but is not active.

Might either of these be a clue do you think?

Kindest

Neil
 
Well that is all very good for the US problem, blamed on Bluehost and possibly others, but are you losing perspective here. I have had the same problem. I am running on a highly respected business ISP called Zen Internet in the UK. When I contacted them before I did a restore, they could find nothing wrong in the server logs or the system. They are very good and run a number of my sites. I have every faith in them.

Never have heard of them. Anyway, just because the host says they are fine, doesn't mean they weren't compromised, they might not have found where they got in, making everything appear as OK. Also how respected of a business you are doesn't matter, hacking happens at all business levels, from new companies to top rated businesses with the best IT in the industry. I would recommend going though your logs yourself and looking what did the drop. If this was caused by xF, it would be happening far more then the few incidents reported.
 
Top Bottom