Getting Hacked

[daudet]

So first off....bad of me, but I have been running a very old version of Xenforo. (1.4) I realize that this probably is related to the numerous times my site has been hacked. I remember in the past, wrestling with file permissions. It seems that if you made things restricted then users could not upload images. I believe that relaxing things even slightly is what translated into the hacks.

My question is with the newest version of Webuzo 2.0 are hacks down?

Also I am looking for any tips to harder the server and still allow it to receive images AND of course, send email.

 

[ŽivaAkcija]

99% blame your host

 

[daudet]

Yes, I identified that (first thing I said) and I am taking tons of measures besides upgrading. I was looking for additional tips to harden the server. I do't see your post as being very constructive.

 

[RandallC]

I am not familiar with webuzo besides its made by softaculous. But Make sure your settings do now allow uploading of php or javascript or php files except via ftp of the admin account. I would check over your settings again as well as turn off anything in myconfig you do not need to maintain your forum.
who is the host?

 

[daudet]

I have a linode, so yeah...Im am responsible for all that. What I was digging for are some of the common exploits that some of you have seen. Are the new versions more secure than the previous? I had joomla websites on the same server and joomla always had challenges were you would lock something down and other things would stop working. I have since gone to Wordpress for most things and will be abandoning Joomla with what I have left.

 

[RandallC]

there are no known exploits in xenforo as far as I am aware.

Linode and Webuzo should be fine if you look under the settings inside the control panel you should check them to make sure no one can upload via IP. Joomla use to be pretty rough as far as I can remember for exploits, I was not a follower of that software.

 

[daudet]

Thanks! That is truly helpful. (certainly makes sense) I am assuming that if people upload a picture from the app. it is just using the server ip? Again though, I imagine that a malicious upload could be done if you have a forum account.

So I am on Version 1.4. Is it worth going to 2.0?
I think that probably is time, that I do something, as it has been about 5 years.

 

[Alpha1]

Better ask a server engineer to take care of your server security and updates and hammer it all down.
Do upgrade to the latest version of xenforo 1.5.21 and all addons you may use. If you use addons then scrutinize those.
Consider to install dragonbytetech security and put IP/password blocks on anything on the server that is not public.

 

[RandallC]

Thanks! That is truly helpful. (certainly makes sense) I am assuming that if people upload a picture from the app. it is just using the server ip? Again though, I imagine that a malicious upload could be done if you have a forum account.

So I am on Version 1.4. Is it worth going to 2.0?
I think that probably is time, that I do something, as it has been about 5 years.

I was looking at the webzo demo online and I saw the setting aloowing someone to upload via IP such as http://IP/user thats what I was refering to.

 

[daudet]

1.5.21 or 2.0 ...that is the question though?

 

[BoostN]

1.5.21 or 2.0 ...that is the question though?

Depends if you have add-ons that you need that aren't available yet for XF2. If that's not an issue, then why not? Remember styles, add-ons, etc are all different now for XF2.

 

[HD-Sam]

There are some known vulnerabilities for older versions of XF. As a provider, another we have seen in action is the XenForo CSS DOS Loader exploit. Ensuring your up to date on your core XF install and addons is obviously important. Almost equally as important would be solid DDOS protection. I say almost because protecting your data IMO is more important than a DDOS attack.