XF 1.5 Forum Hacked

Please someone help me!

This is the second time my forum has been hacked. The first time this happened, I had my developer take a look at a restore file to make sure everything was secure. I had wiped my entire server and re-installed. From that point on, I had everything locked down via firewall and 2-factor auth.

My firewall disallowed cPanel, WHM, SSH, and FTP.

The first time they hacked my site, they just changed my home page.

Today, all my threads have been changed to say I've been hacked.

Can someone please help? I don't even know what to do right now.


XenForo moderator
Staff member
The first step will be identifying how they gained access to the server and/or XF installation.
You will need the assistance of an experienced sysadmin for that.

Once that has been identified, it will need to be locked down so they can no longer gain access.
That could mean a complete server rebuild in the worst-case scenario.

Then you will likely need to restore your XF installation from a recent known good backup.
Thank you.

I don't want to post my site's URL here, but PM me and I can show you what my site looks like today.

All the thread titles and messages have been replaced by a message saying "you've been hacked"

I am using a number of add-ons that I bought and some that I paid custom work for.

Just yesterday, I enabled Facebook and Twitter integration for the first time ever.

As I mentioned, I'm locked down through a firewall. Even my host this morning couldn't get SSH without first disabling the firewall.

However, earlier this week I posted here that a column had been deleted from my database and I couldn't log in to the adminCP. I restored a backup to get things working again. This makes more sense now. I'm thinking someone was probably inside last week. My feeling right now is they only have access to the database through MySQL somehow. That's the only service I have enabled through the firewall (which obviously needs to work for the forum to work).


XenForo moderator
Staff member
The fact that all threads and posts contain the same content definitely points to it being done by running queries against the database.

It should be possible to inspect the logs to see that.

Identifying the access point is going to require some level of investigation - it could be an add-on, someone using the actual credentials, an exploit on the server (particularly if on shared hosting).
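
As an added example (not part of the original posts and not XenForo's own code), here is one way to carry out the log inspection suggested above: scan a MySQL general query log for writes to the thread and post tables that have no `WHERE` clause, and tie each one back to the account and client host on its connection. It assumes the general query log was enabled when the change happened (it is off by default) and the XenForo 1.x table names `xf_thread` and `xf_post`; the function name and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample lines in the style of the MySQL 5.7 general query log
# (timestamp, connection id, command, argument). 203.0.113.7 is a documentation IP.
SAMPLE_LOG = """\
2017-03-01T10:14:58.000100Z\t   41 Connect\txf_user@localhost on forum using Socket
2017-03-01T10:14:58.000900Z\t   41 Query\tUPDATE xf_thread SET view_count = view_count + 1 WHERE thread_id = 1207
2017-03-01T10:15:02.120000Z\t   42 Connect\txf_user@203.0.113.7 on forum using TCP/IP
2017-03-01T10:15:02.480000Z\t   42 Query\tUPDATE xf_thread SET title = 'PLACEHOLDER defacement text'
2017-03-01T10:15:03.010000Z\t   42 Query\tUPDATE xf_post SET message = 'PLACEHOLDER defacement text'
2017-03-01T10:15:04.300000Z\t   41 Query\tUPDATE xf_post SET message = 'edited reply' WHERE post_id = 88412
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query)\s+(.*)$")
# UPDATE/DELETE aimed at the content tables; the WHERE check is done separately.
BULK = re.compile(r"^\s*(UPDATE|DELETE\s+FROM)\s+`?(xf_thread|xf_post)`?\b", re.I)


def find_bulk_writes(log_text):
    """Return unscoped writes to xf_thread/xf_post with the client that issued them."""
    sessions = {}   # connection id -> "user@host" taken from the Connect line
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation lines of multi-line queries are skipped
        ts, conn, cmd, arg = m.groups()
        if cmd == "Connect":
            sessions[conn] = arg.split(" on ")[0]
            continue
        hit = BULK.match(arg)
        # Heuristic: no WHERE keyword means every row in the table was touched.
        if hit and not re.search(r"\bWHERE\b", arg, re.I):
            findings.append({"time": ts, "conn": conn,
                             "table": hit.group(2).lower(),
                             "client": sessions.get(conn, "unknown"),
                             "query": arg})
    return findings


if __name__ == "__main__":
    for f in find_bulk_writes(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} client={f['client']} table={f['table']}")
        print(f"    {f['query']}")
```

A hit whose client is the web server itself points toward the forum software or an add-on issuing the query, while a hit from any other host points toward direct use of the database credentials.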