1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Forums were Hacked – Samet Chan

Discussion in 'Troubleshooting and Problems' started by m0n0L1th1c, Sep 7, 2016.

  1. m0n0L1th1c

    m0n0L1th1c New Member

    As I'm not involved in day-to-day ops of this site, I don't know the full specifics, however a client's Xenforo was hacked.

    This is the screenshot of their site:

    Screen Shot 2016-09-07 at 1.27.42 PM.png

    Just for ****s and giggles, I googled "Samet Chan" and this is what I saw. Note the "Xenforo security Developer | Xenforo Console Exploit Kit.

    What exactly is that exploit kit and is this person legit?

    Screen Shot 2016-09-07 at 1.28.35 PM.png

    M.
     
  2. Brogan

    Brogan XenForo Moderator Staff Member

    Restore from a known good backup.

    Change all passwords.

    If it's not possible to confirm the server is clean, it may require a wipe and rebuild.
     
  3. m0n0L1th1c

    m0n0L1th1c New Member

    My thoughts exactly. Already in the process of the above recommendations. Just wanted to know what this Xenforo Console Exploit Kit was and if it was legit and who this person who calls them self a "XenForo-Security Developer", really is.
     
  4. ŽivaAkcija

    ŽivaAkcija Well-Known Member

    if they use nulled xenforo that happened, or bad server setup and bad hosting
     
  5. m0n0L1th1c

    m0n0L1th1c New Member

    It was a legitimate Xenforo (I oversaw the purchase of the software) install from scratch on a new MySQL database with never-before-used username/password on a Hostgator Linux hosting account.

    This client does things by-the-book and would not mess around with pirated software.
     
  6. Brogan

    Brogan XenForo Moderator Staff Member

    My guess would be an insecure server, compromised software on the same server, or password insecurity and reuse.
     
  7. m0n0L1th1c

    m0n0L1th1c New Member

    This is a screenshot from the xf_user table stating it was hacked via sql injection - 0day.

    Screen Shot 2016-09-07 at 3.08.53 PM.png
     
  8. Brogan

    Brogan XenForo Moderator Staff Member

    Anyone can add anything to that field, either by registering with that name or by manually editing the database - that doesn't mean that it's true.

    There are no known security issues with the latest version of XF, although I take the point that a zero-day vulnerability by very definition would not be known about.

    If there was such an issue however, I suspect far more than forums (higher profile ones at that) than that would have been hacked.
     
    thedude likes this.
  9. Digital Doctor

    Digital Doctor Well-Known Member

    Agreed.
     
  10. m0n0L1th1c

    m0n0L1th1c New Member

    I am absolutely not trying to insinuate anything. I'm just trying to figure out how the client's site got hacked and prevent the same exploit from being used again. I'm hoping that this might help Xenforo and anyone else as well, in the event there is an undisclosed SQL Injection vulnerability.

    M.
     
  11. Mike

    Mike XenForo Developer Staff Member

    I would note that we have certainly seem misdirection when it comes to hackings. When we've had the ability to investigate, it has usually come down to (what appears to be) password reuse. I will said there is a publicized SQL injection in a third-party add-on (XenAPI), so third-party add-ons are a definite vector.

    If you submit a ticket, we can look into getting logs and database access to do analysis/forensics.
     
    Steve F likes this.
  12. Brad P

    Brad P Active Member

    I believe my site was subject to that person, I lost everything as at the point of the hack I had restored my computer to factory settings at that point. I made the BIG mistake in not making a backup and found someone had managed to gain access to my site and change my pws. Not only that they got access to my xenforo account on here.

    I have started another site and a user has signed up using that name samet chan.
    I also had a partner on my site that told me about that person above. Funny enough when he left my site was hacked.... Just a coincidence, I don't think
     
  13. m0n0L1th1c

    m0n0L1th1c New Member

    Site is getting restored via the web host as we speak so can't do forensics analysis. But I completely agree with you that it could be misdirection. Absolutely could be that.

    Again, I'm just trying to find out what happened and make sure it doesn't happen again. Definitely going to use two-factor authentication from here on out, as well. If it gets hacked again with that turned on, then I won't know what to think.

    Edit: Will let you know what 3rd-party add-ons were used, as soon as restore is finished.
     
  14. Brogan

    Brogan XenForo Moderator Staff Member

    Two factor authentication will only secure the forum log in - it won't prevent anyone from accessing the server/database/cpanel if they have the credentials or are exploiting a server or other software vulnerability.
     
  15. m0n0L1th1c

    m0n0L1th1c New Member

    cPanel wasn't compromised. Database for this xenforo install also used brand-new login credentials. Only one user for this database was created and it was a unique never-before-used username and never-before-used password.
     
  16. Tracy Perry

    Tracy Perry Well-Known Member

    Most likely an issue with an add-on. If you did a search on "Samet Chan" then you should have seen that they are a user on numerous XenForo sites (a lot of anime ones since it apparently is an anime name).
    By chance do they also happen to host a WordPress website under the same Hostgator account?
     
  17. ŽivaAkcija

    ŽivaAkcija Well-Known Member

  18. m0n0L1th1c

    m0n0L1th1c New Member

    They do host a WordPress site (I did not install it) under the same hosting account, but different domain name. The WordPress site is in a sub-directory and the Xenforo forums are in a different sub-directory. Both have unique domain names and are not pointing to one another due to them being different aspects of the organization.

    Right now I am wondering if it is indeed an add-on.
     
  19. Tracy Perry

    Tracy Perry Well-Known Member

    If they gain access via a WordPress SQL injection, they can possibly also gain access to other DB's on that account (the forum). Almost every incidence I've observed has been a WordPress hack that granted access to the other DB's on that user account.
     
  20. m0n0L1th1c

    m0n0L1th1c New Member

    There are about 5-6 other DBs on that account and there is another, separate Xenforo install in a different subdirectory for a completely different aspect of the organization. None of those were touched. That other Xenforo install is less than a month old, has 3 members total, is a new project and is only running 2-3 third-party add-ons. Also, the WordPress site was not defaced nor does it seem to be hacked.
     

Share This Page