XF 1.5 Forums were Hacked – Samet Chan

m0n0L1th1c

As I'm not involved in day-to-day ops of this site, I don't know the full specifics; however, a client's Xenforo was hacked.

This is the screenshot of their site:

[Screenshot of the defaced site, taken 2016-09-07]

Just for ****s and giggles, I googled "Samet Chan" and this is what I saw. Note the "Xenforo security Developer | Xenforo Console Exploit Kit".

What exactly is that exploit kit and is this person legit?

[Screenshot of the Google search results for "Samet Chan", taken 2016-09-07]

M.
 
Restore from a known good backup.

Change all passwords.

If it's not possible to confirm the server is clean, it may require a wipe and rebuild.
 
My thoughts exactly. Already in the process of the above recommendations. Just wanted to know what this Xenforo Console Exploit Kit was and if it was legit, and who this person who calls themselves a "XenForo-Security Developer" really is.
 
It was a legitimate Xenforo (I oversaw the purchase of the software) install from scratch on a new MySQL database with never-before-used username/password on a Hostgator Linux hosting account.

This client does things by-the-book and would not mess around with pirated software.
 
Anyone can add anything to that field, either by registering with that name or by manually editing the database - that doesn't mean that it's true.

There are no known security issues with the latest version of XF, although I take the point that a zero-day vulnerability by very definition would not be known about.

If there was such an issue however, I suspect far more forums (higher profile ones at that) than that would have been hacked.
 
I am absolutely not trying to insinuate anything. I'm just trying to figure out how the client's site got hacked and prevent the same exploit from being used again. I'm hoping that this might help Xenforo and anyone else as well, in the event there is an undisclosed SQL Injection vulnerability.

M.
 
I would note that we have certainly seen misdirection when it comes to hackings. When we've had the ability to investigate, it has usually come down to (what appears to be) password reuse. I will say there is a publicized SQL injection in a third-party add-on (XenAPI), so third-party add-ons are a definite vector.

If you submit a ticket, we can look into getting logs and database access to do analysis/forensics.
 
I believe my site was subject to that person. I lost everything, as at the point of the hack I had restored my computer to factory settings. I made the BIG mistake of not making a backup and found someone had managed to gain access to my site and change my passwords. Not only that, they got access to my xenforo account on here.

I have started another site and a user has signed up using that name, samet chan.
I also had a partner on my site who told me about that person above. Funnily enough, when he left my site was hacked.... Just a coincidence, I don't think.
 
Site is getting restored via the web host as we speak so can't do forensics analysis. But I completely agree with you that it could be misdirection. Absolutely could be that.

Again, I'm just trying to find out what happened and make sure it doesn't happen again. Definitely going to use two-factor authentication from here on out, as well. If it gets hacked again with that turned on, then I won't know what to think.

Edit: Will let you know what 3rd-party add-ons were used, as soon as restore is finished.
 
Two factor authentication will only secure the forum log in - it won't prevent anyone from accessing the server/database/cpanel if they have the credentials or are exploiting a server or other software vulnerability.
 
cPanel wasn't compromised. Database for this xenforo install also used brand-new login credentials. Only one user for this database was created and it was a unique never-before-used username and never-before-used password.
 
Most likely an issue with an add-on. If you did a search on "Samet Chan" then you should have seen that they are a user on numerous XenForo sites (a lot of anime ones since it apparently is an anime name).
By chance do they also happen to host a WordPress website under the same Hostgator account?
 
They do host a WordPress site (I did not install it) under the same hosting account, but different domain name. The WordPress site is in a sub-directory and the Xenforo forums are in a different sub-directory. Both have unique domain names and are not pointing to one another due to them being different aspects of the organization.

Right now I am wondering if it is indeed an add-on.
 
If they gain access via a WordPress SQL injection, they can possibly also gain access to other DBs on that account (the forum). Almost every incident I've observed has been a WordPress hack that granted access to the other DBs on that user account.
 
There are about 5-6 other DBs on that account and there is another, separate Xenforo install in a different subdirectory for a completely different aspect of the organization. None of those were touched. That other Xenforo install is less than a month old, has 3 members total, is a new project and is only running 2-3 third-party add-ons. Also, the WordPress site was not defaced nor does it seem to be hacked.
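The point made a few posts up, that a WordPress compromise can reach the other databases on the same hosting account, comes down to how the per-site database credentials are set up. Below is an added example (my code, not from this thread, XenForo or WordPress) that walks an account's web root, pulls the database name, user and password out of each site's config file, and flags the three conditions that turn one compromised site into access to the others: a config file readable by other local users, one MySQL user shared by several sites, and the same password behind different users. It assumes the stock config locations (wp-config.php at the WordPress root, library/config.php for XenForo 1.x); the account layout, names and passwords it builds in a temp directory are constructed sample data, not anything from the original poster's host.

```python
"""Audit one shared-hosting account for database credentials that let a
compromise of one site (say, WordPress) reach another site's database.
Added example, not code from the thread, XenForo or WordPress.
Assumes stock layouts: WordPress -> wp-config.php, XenForo 1.x -> library/config.php.
The account tree built by build_sample_account() is constructed sample data."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# WordPress: define('DB_USER', 'x');    XenForo 1.x: $config['db']['username'] = 'x';
WP_DEFINE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD)'\s*,\s*'([^']*)'\s*\)")
XF_ASSIGN = re.compile(r"\$config\['db'\]\['(dbname|username|password)'\]\s*=\s*'([^']*)'")
WP_KEYS = {"DB_NAME": "dbname", "DB_USER": "user", "DB_PASSWORD": "password"}
XF_KEYS = {"dbname": "dbname", "username": "user", "password": "password"}


@dataclass
class DbCred:
    path: str
    app: str
    dbname: str
    user: str
    password: str
    world_readable: bool  # readable by other local users on the box


def parse_config(path, app):
    """Return a DbCred for a WordPress or XenForo config file, or None if incomplete."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    pattern, keymap = (WP_DEFINE, WP_KEYS) if app == "wordpress" else (XF_ASSIGN, XF_KEYS)
    found = {keymap[k]: v for k, v in pattern.findall(text)}
    if not {"dbname", "user", "password"} <= found.keys():
        return None
    mode = os.stat(path).st_mode
    return DbCred(path, app, found["dbname"], found["user"], found["password"],
                  bool(mode & stat.S_IROTH))


def scan(root):
    """Walk the account's web root and collect credentials from every site found."""
    creds = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == "wp-config.php":
                app = "wordpress"
            elif name == "config.php" and os.path.basename(dirpath) == "library":
                app = "xenforo"
            else:
                continue
            cred = parse_config(os.path.join(dirpath, name), app)
            if cred is not None:
                creds.append(cred)
    return creds


def findings(creds):
    """Flag the conditions under which one site's compromise reaches another's DB."""
    out, by_user, by_password = [], {}, {}
    for c in creds:
        if c.world_readable:
            out.append(f"world-readable: {c.path}")
        by_user.setdefault(c.user, []).append(c)
        by_password.setdefault(c.password, []).append(c)
    for user, cs in by_user.items():
        if len(cs) > 1:  # one MySQL login reaches every one of these databases
            out.append(f"shared DB user '{user}': " + ", ".join(c.path for c in cs))
    for cs in by_password.values():
        users = {c.user for c in cs}
        if len(users) > 1:  # same secret behind different usernames: password reuse
            out.append("password reused by DB users " + ", ".join(sorted(users)))
    return out


def build_sample_account():
    """Constructed sample: one cPanel-style account with a blog and two forums."""
    root = tempfile.mkdtemp(prefix="hosting-account-")
    sites = {
        "public_html/blog/wp-config.php": (0o644,
            "<?php\ndefine('DB_NAME', 'acct_wp');\ndefine('DB_USER', 'acct_shared');\n"
            "define('DB_PASSWORD', 'Winter2016!');\n"),
        "public_html/forum/library/config.php": (0o600,
            "<?php\n$config['db']['username'] = 'acct_shared';\n"
            "$config['db']['password'] = 'Winter2016!';\n$config['db']['dbname'] = 'acct_forum';\n"),
        "public_html/newproject/library/config.php": (0o600,
            "<?php\n$config['db']['username'] = 'acct_np';\n"
            "$config['db']['password'] = 'Winter2016!';\n$config['db']['dbname'] = 'acct_np';\n"),
    }
    for rel, (mode, body) in sites.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def audit(root):
    return findings(scan(root))


if __name__ == "__main__":
    for line in audit(build_sample_account()):
        print(line)
```

Run it against the real account root instead of the sample tree to get the same three kinds of finding. The remediation each one points at is the usual one: a separate MySQL user per site, granted only on that site's database, a distinct password for each, and config files at mode 0600 so nothing else running as a different local user can read them. None of this stops an attacker who already has the hosting account's own login or cPanel credentials, which is the separate point made earlier in the thread.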
 