XF 1.5 Advice needed on reinstalling Xenforo after compromise

[eggplant_casserole]

Our server recently got attacked. Some users noticed ads in random places on the site - they were invisible but you could click them. Someone reported it was obscuring their reply button - sneaky!

We found the issue was a modified xenforo.js. The admin cleaned up the server, but it then went offline. Whether this was a repair install going wrong (we run Plesk, so possible!) or the intruder retaliating for removing their ads, we don't know. It took out a lot. Plesk panel still runs, but it took out apache. I fixed that, but then nginx (reverse proxy server) died! And network.service is down. I fixed php-fpm and auditd, which were also down. This is a Centos 7 server with Plesk (12 I think).

We have found a shell for Wordpress, which we don't use. It looks like it might have been possible to access the database with it, though.

We haven't ascertained how they got in as yet. Everything was up-to-date, except an old MediaWiki install on a subdirectory. The plugins we had were minimal - TaigaChat Pro, Xenforo Media Gallery, a RegEx replacer (forget the name), and I think one more... I'm seeing a WidgetFramework folder in /js so maybe that? Theme-wise, we only had a modified FlatAwesome Dark and I think a modified default theme active. I modified them, so I know they were clean... not to say they are now!

As luck would have it, we had just got another server, which we were preparing before moving the site over.

I've been recommended the following action (on the new server):

• Set up a new database
• Scan the old database for nasties
• Download a fresh set of Xenforo files
• Upload the files, minus the install directory
• Edit the config to include the new database info
• Import the old database
• Upload the installer lock

Apparently, this will negate the need to reinstall from scratch. Does this sound like a good plan?

We also have Xenforo Media Gallery. How should I deal with that - is there a similar 'hack' to do?

How should I go about scanning the database? Plesk is up on the old server so I can access phpMyAdmin, but I can't access any pages (e.g. Xenforo) hosted on the server. I have a .sql file backup (taken yesterday which is post-hack, not sure whether my friend has a recent uninfected backup) so can scan on my (Windows) laptop.

The Plesk database repair scan found the following:

dark_taigachat_activity The storage engine for the table doesn't support check
xengallery_album_view The storage engine for the table doesn't support check
xengallery_media_view The storage engine for the table doesn't support check
xf_attachment_view The storage engine for the table doesn't support check
xf_session_activity The storage engine for the table doesn't support check
xf_thread_view The storage engine for the table doesn't support check

I haven't repaired them. Should I?

What should I do about the custom themes? Is that another case of grabbing the clean files again? How do I then get my custom code back in safely? I think I have a backup, but it may be from an old version of Xenforo. Or is it in the database... and will it be safe?

 

[W.D]

I've been recommended the following action (on the new server):

• Set up a new database
• Scan the old database for nasties
• Download a fresh set of Xenforo files
• Upload the files, minus the install directory
• Edit the config to include the new database info
• Import the old database
• Upload the installer lock

Apparently, this will negate the need to reinstall from scratch. Does this sound like a good plan?

This is pretty much what I done with my site when I changed domains. I had neglected the site minus XF updates for around a year. (I know you'll tell me off on Skype. ) Done this just to be safe.

1. Setup a new database < By this I mean a fresh database and user on the new server. (New password for the database too!)
2. Scan the old DB for nasties < Never actually seen a database backdoor in XenForo but it's best bet to be safer then sorry. Also check the login templates just to be safe.
   
3. Download a fresh set of XenForo files < The full package just delete the install folder. (You're not doing a proper reinstall only making sure nothing is left from the old files.)
4. Edit the new database user/pass etc into the new config. Make sure to set yourself and Kev as superadmin or whoever's going to be superadmin.
   
5. Upload the installer lock file I sent (or the original after comparing with mine. the date will be different but this is fine. don't want any compromised files being reuploaded.)
   
6. Reupload any plugins/addons.
   
7. Scan the avatars/attachements with an antivirus/anti-malware script. Make sure no .php files are uploaded.
   
8. Import the database.
9. Fingers crossed nothing was missed and the site loads.
10. Make sure all addons/themes are updated to the latest versions.
    
11. Reset all users passwords to be safe. (Don't just ask force it.)
12. Force all staff to use 2-step if they're not already.
13. Demote inactive staff.

It's best to ditch any old files just to be safe. As you saw with that PHP file there's likely more then one backdoor. Any logo's etc check with an older backup to make sure nothings injected. I've seen images with hidden JS before.

Hopefully that'll help you & Kev to get AG up.