XF 1.5 Forum Hacked

J

jim83

Member
Please someone help me!

This is the second time my forum has been hacked. The first time this happened, I had my developer take a look at a restore file to make sure everything was secure. I had wiped my entire sever and re-installed. From that point on, I had everything locked down via firewall and 2-factor auth.

My firewall disallowed cPanel, WHM, SSH, and FTP.

The first time they hacked my site, they just changed my home page.

Today, all my threads have been changed to say I've been hacked.

Can someone please help? I don't even know what to do right now.
 
Sort by date Sort by votes
The first step will be identifying how they gained access to the server and/or XF installation.
You will need the assistance of an experienced sysadmin for that.

Once that has been identified, it will need to be locked down so they can no longer gain access.
That could mean a complete server rebuild in the worst case scenario.

Then you will likely need to restore your XF installation from a recent known good backup.
 
Upvote 0 Downvote
Thank you.

i don't want to post my site's URL here but PM me and I can show you what my site looks like today.

All the thread titles and messages have been replaced by a message saying "you've been hacked"

I am using a number of add-ons that I bought and some that I paid custom work for.

Just yesterday, I enabled Facebook and Twitter integration for the first time ever.

As I mentioned, I'm locked down through a firewall. Even my host this morning couldn't get SSH without first disabling the firewall.

However, earlier this week I posted here that a column had been deleted from my database and I couldn't login to the adminCP. I restored a backup to get things working again. This makes more sense now. I'm thinking someone was probably inside last week. My feeling right now is they only have access to the database through mySQL somehow. That's the only service I have enabled through the firewall (which obviously needs to work for the forum to work.)
 
Upvote 0 Downvote
The fact that all threads and posts contain the same content definitely points to it being done by running queries against the database.

It should be possible to inspect the logs to see that.

Identifying the access point is going to require some level of investigation - it could be an add-on, someone using the actual credentials, an exploit on the server (particularly if on shared hosting).
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

interforo
  • Question Question
XF 2.2 Accounts hacked?
Replies
4
Views
172
Sadiq6210
S
KhanTastic
  • Question Question
XF 2.2 My new forum got hacked, what I should do please?
2
Replies
25
Views
1K
Suzanne O
Suzanne O
Zardoz43
  • Question Question
XF 2.2 A couple users on my forum have had recent TOOLBAR problems...
Replies
8
Views
372
Zardoz43
Zardoz43
KhanTastic
  • Question Question
XF 2.3 My forum stops loading time to time for some users
Replies
9
Views
107
MentaL
MentaL
D
  • Question Question
XF 2.2 How to check the forum is malware free?
Replies
4
Views
69
Kirby
K
Back
Top Bottom