XF 1.5 Forums were Hacked – Samet Chan

[m0n0L1th1c]

As I'm not involved in day-to-day ops of this site, I don't know the full specifics, however a client's Xenforo was hacked.

This is the screenshot of their site:



Just for ****s and giggles, I googled "Samet Chan" and this is what I saw. Note the "Xenforo security Developer | Xenforo Console Exploit Kit.

What exactly is that exploit kit and is this person legit?



M.

 

[TPerry]

Then you have pretty much confined down to an add-on that has an exploit in it.... as if it was a general XF exploit I can almost guarantee you that you would have WAY more than 1 site exploited.
Do they happen to run any add-ons by a certain Vietnam related "author" that results in a masked username here since he's banned?

 

[m0n0L1th1c]

I'll check the add-ons once the site has been restored.

 

[m0n0L1th1c]

Restore is still on-going but these are the add-ons:

 

[Mike]

Unfortunately, without doing forensics, it will be hard to pinpoint (and even with it, still difficult). That really needs the old database (to gather information on the changes) along with the raw web server access logs.

1.5.10 is a security release, though I doubt the fixed issue was the problem here.

 

[TPerry]

And that user resolves to Gintoki, who states they are a 16YOA female (same as Samet Chan on the other sites I've found).... and looks like they are referring to a cPanel exploit in that thread.
I find it amusing they hide behind CloudFlare also.
I've also found a few other XF sites that "show" to be hacked by them but they actually have a non-dismissable popup that shows up that prevents you from closing the tab. The source code also refers to a youtube video that is restricted in the US (appears to be Japan related).

Their source code for the hacked sites also ties back to gamerotaku.com - which does not have valid whois records - unless someone has changed their name to A Anime and they live at Anime 1337 1337 in Anime Japan.

Ironically, team-trojan.com is using XenForo on their forum.

 

[m0n0L1th1c]

I'm not seeing a way to enable two-step authentication via my Account preferences. The option seems to be missing in the sidebar. Am I missing something?

 

[TPerry]

I'm not seeing a way to enable two-step authentication via my Account preferences. The option seems to be missing in the sidebar. Am I missing something?

Are you running a custom style? Have the templates been merged for the latest XenForo updates?

 

[Steve F]

I'm not seeing a way to enable two-step authentication via my Account preferences. The option seems to be missing in the sidebar. Am I missing something?

http://yoursite/account/two-step

Also should be in the account drop down menu.

 

[Fethi.dz]

1.5.10 is a security release, though I doubt the fixed issue was the problem here.

A reminder to update your version to the latest one

 

[Optic]

That is very dodgy indeed. There is also a Samet Chan registered as a member in my community (though inactive).

Could this be the same person @SametxChan ?