eggplant_casserole
Member
Our server recently got attacked. Some users noticed ads in random places on the site - they were invisible but you could click them. Someone reported it was obscuring their reply button - sneaky!
We found the issue was a modified xenforo.js. The admin cleaned up the server, but it then went offline. Whether this was a repair install going wrong (we run Plesk, so possible!) or the intruder retaliating for removing their ads, we don't know. It took out a lot. Plesk panel still runs, but it took out apache. I fixed that, but then nginx (reverse proxy server) died! And network.service is down. I fixed php-fpm and auditd, which were also down. This is a Centos 7 server with Plesk (12 I think).
We have found a shell for Wordpress, which we don't use. It looks like it might have been possible to access the database with it, though.
We haven't ascertained how they got in as yet. Everything was up-to-date, except an old MediaWiki install on a subdirectory. The plugins we had were minimal - TaigaChat Pro, Xenforo Media Gallery, a RegEx replacer (forget the name), and I think one more... I'm seeing a WidgetFramework folder in /js so maybe that? Theme-wise, we only had a modified FlatAwesome Dark and I think a modified default theme active. I modified them, so I know they were clean... not to say they are now!
As luck would have it, we had just got another server, which we were preparing before moving the site over.
I've been recommended the following action (on the new server):
We also have Xenforo Media Gallery. How should I deal with that - is there a similar 'hack' to do?
How should I go about scanning the database? Plesk is up on the old server so I can access phpMyAdmin, but I can't access any pages (e.g. Xenforo) hosted on the server. I have a .sql file backup (taken yesterday which is post-hack, not sure whether my friend has a recent uninfected backup) so can scan on my (Windows) laptop.
The Plesk database repair scan found the following:
What should I do about the custom themes? Is that another case of grabbing the clean files again? How do I then get my custom code back in safely? I think I have a backup, but it may be from an old version of Xenforo. Or is it in the database... and will it be safe?
We found the issue was a modified xenforo.js. The admin cleaned up the server, but it then went offline. Whether this was a repair install going wrong (we run Plesk, so possible!) or the intruder retaliating for removing their ads, we don't know. It took out a lot. Plesk panel still runs, but it took out apache. I fixed that, but then nginx (reverse proxy server) died! And network.service is down. I fixed php-fpm and auditd, which were also down. This is a Centos 7 server with Plesk (12 I think).
We have found a shell for Wordpress, which we don't use. It looks like it might have been possible to access the database with it, though.
We haven't ascertained how they got in as yet. Everything was up-to-date, except an old MediaWiki install on a subdirectory. The plugins we had were minimal - TaigaChat Pro, Xenforo Media Gallery, a RegEx replacer (forget the name), and I think one more... I'm seeing a WidgetFramework folder in /js so maybe that? Theme-wise, we only had a modified FlatAwesome Dark and I think a modified default theme active. I modified them, so I know they were clean... not to say they are now!
As luck would have it, we had just got another server, which we were preparing before moving the site over.
I've been recommended the following action (on the new server):
- Set up a new database
- Scan the old database for nasties
- Download a fresh set of Xenforo files
- Upload the files, minus the install directory
- Edit the config to include the new database info
- Import the old database
- Upload the installer lock
We also have Xenforo Media Gallery. How should I deal with that - is there a similar 'hack' to do?
How should I go about scanning the database? Plesk is up on the old server so I can access phpMyAdmin, but I can't access any pages (e.g. Xenforo) hosted on the server. I have a .sql file backup (taken yesterday which is post-hack, not sure whether my friend has a recent uninfected backup) so can scan on my (Windows) laptop.
The Plesk database repair scan found the following:
I haven't repaired them. Should I?
What should I do about the custom themes? Is that another case of grabbing the clean files again? How do I then get my custom code back in safely? I think I have a backup, but it may be from an old version of Xenforo. Or is it in the database... and will it be safe?
) Done this just to be safe.
