XF 2.1 Forum hacked?

Ladegro

Hi there,

Recently we discovered that almost all of our prefixes have been changed to non-related terms (digital satellite receiver models?). We only have three admins who all have a strong password (though we've changed them all), and we have always updated the software and addons regularly.

Unfortunately, I cannot find in the logs which user or command had initiated the added and changed prefixes. Maybe I'm not looking in the right place, but it makes it hard to identify how this could have happened...


Some prefixes have been kept intact, but most have changed and a lot have been added. Resulting in meaningless topics:

Strange thing is, when editing a prefix the actual value seems to have prevailed:
(original value was: ALV)

We're running XenForo 2.1.5.

Any ideas?
 
This doesn't really strike me as a malicious hack attempt, more like a troll or a disguise. Have you verified that this is the only aspect that has been tampered with?

Generally speaking, passwords aren't really secure these days anymore (in my opinion). Where possible, I would always use Two-Factor Authentication, especially for admin areas. Even the strongest password may be captured by a 3rd party, or may have been exposed in a different leak if they tend to reuse their passwords, or a party that knows the user's passwords / has access to devices he has saved his passwords onto can gain direct access.
 
Thanks for the suggestion, we will discuss enforcing 2 factor auth. We have enforced unique strong passwords for admins on our forum. It seems that no other changes have been made (but how to know, we're not sure where to look).

In the meantime, I seem to only be able to change this directly in the database, but don't yet know in what table to look...
 
Nothing to see there, I'm getting the feeling that our database was confiscated. Changing passes everywhere now. Still searching for the right table name to fix the prefixes though...
 
It seems that the phrases have changed, look for the phrases that begin with thread_prefix and check if they have been modified.
They were probably included in the translation you installed, I had a similar problem in the past with another translation.
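
A read-only check for the situation described above, as an added example that is not part of the original thread: it lists every language-specific phrase whose title starts with thread_prefix next to the master value, so overrides brought in by a language pack stand out. The table and column names (`xf_phrase`, `xf_language`, and `language_id = 0` as the master language) are assumptions about the XenForo 2.x schema; confirm them on your own install before relying on the output.

```sql
-- Assumed XenForo 2.x schema (verify with SHOW CREATE TABLE xf_phrase):
--   xf_phrase(phrase_id, language_id, title, phrase_text, addon_id, ...)
--   xf_language(language_id, title, parent_id, ...)
-- Assumption: language_id = 0 holds the master (admin-entered) phrase text.
-- The query only reads data; it changes nothing.
SELECT
    ovr.title                        AS phrase_title,
    ovr.language_id                  AS language_id,
    lang.title                       AS language_name,
    CAST(mst.phrase_text AS CHAR)    AS master_text,
    CAST(ovr.phrase_text AS CHAR)    AS override_text,
    CASE
        WHEN mst.phrase_id IS NULL          THEN 'no master phrase'
        WHEN ovr.phrase_text = ''           THEN 'empty override'
        WHEN ovr.phrase_text = mst.phrase_text THEN 'same as master'
        ELSE 'differs from master'
    END                              AS status
FROM xf_phrase AS ovr
LEFT JOIN xf_language AS lang
       ON lang.language_id = ovr.language_id
LEFT JOIN xf_phrase AS mst
       ON mst.title = ovr.title
      AND mst.language_id = 0
WHERE ovr.language_id <> 0
  -- \_ matches a literal underscore; this also picks up prefix group titles
  AND ovr.title LIKE 'thread\_prefix%'
ORDER BY ovr.title, ovr.language_id;
```

Rows marked "differs from master" or "empty override" are the ones a language pack or a manual edit has replaced for that language.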
 
Awesome, that appeared to be the key! No hack involved, just a wrong language pack... phew :).

Edit: thing is though, I can't seem to remove the wrong translations.... editing it to an empty value doesn't inherit its parent value but uses an empty string. And removing the entry with the recycle bin just rolls back to the original version in the language pack.
Appeared to be some inheritance issue.
 