XF 1.1 File health check failures - lots of weird errors

[mcadx]

Hello - over the weekend my forum appears to have been hacked in some form or another. At first, browsers were throwing errors that the page is trying to redirect the user to some random website(in Russia) that was potentially malicious.

All sites hosted under the same account were experiencing the same, we opened a ticket with the host and they seemingly cleared it up for some people but not everyone. I personally am no longer getting the redirect error but some of the users are.

Some other symptoms include thread moderation rendered ineffective - attempting to do any content moderation results in blank pages, along with viewing images that are attached to a post but not inserted in-line.

I've checked the .htaccess and I don't see anything out of order in it.

I ran a file health check under the admin control panel and it shows a list of 141 files that do not contain the expected contents. They all appear to be javascript files located in "js" directory.

I just updated to 1.1.3 from 1.1.1 earlier this evening so this is particularly bothersome.

Any suggestions/thoughts?

 

[mcadx]

Looks like re-uploading the "js" folder resolved most of the issues. I guess I should've tried that before starting the thread but had way too many weird things happening to ignore it.

 

[mcadx]

I spoke too soon, the problem is re-occurring today. Same 141 files in the "js" folder are showing as inconsistent when running the File Verification. Any suggestions?

 

[CTXMedia]

I spoke too soon, the problem is re-occurring today. Same 141 files in the "js" folder are showing as inconsistent when running the File Verification. Any suggestions?

Just double-check you haven't accidentally uploaded the 1.1.1 js files ...

Just check with your host to make sure they haven't restored any files to the server and not told you about it ...

 

[Brandon Sheley]

Also did you change your passwords, if you were compromised then the same thing will happen again.

 

[mcadx]

I've re-uploaded the files again today, they were from 1.1.3 both times.

 

[mcadx]

This looks to be very close to what is happening: http://www.2-viruses.com/remove-trojan-maljavagen24

One user showed this IP as the destination that his IE is trying to redirect him to: 212.7.194.235

 

[CTXMedia]

Hope you (your host) manage to get it sorted.

 

[mcadx]

Another tidbit - I just checked the "js" directory on the server, it only has 95 files and weighs in at roughly 800kb. The default 1.1.3 "js" folder is around 2mb with 219 files.

 

[mcadx]

I take it there's really no official XenForo support available?

 

[Jake Bunce]

Files don't change themselves. Either some one has changed the files (you or your host) or your server is compromised.

 

[CTXMedia]

I take it there's really no official XenForo support available?

Have you submitted a ticket via the customer area?

If not, that would be the best way to get "official" support. These forums are for "community" support!

 

[mcadx]

Finally have some concrete information. To make a long story short, the web server our forum is on was compromised. The vulnerability has since been fixed and they are working on restoring everything back to full working order.

 

[CTXMedia]

Sounds good - it's always a relief to get back to normal after something like this. Good luck and hope you get back on an even keel v. soon.

 

[mcadx]

Thanks. Me too. Appreciate the input from everyone.