
XF 1.5 Hacked forum

Discussion in 'Troubleshooting and Problems' started by Sunka, Oct 8, 2016.

  1. Sunka

    Sunka Well-Known Member

    My forum was hacked 15 minutes ago.
    Still have access to ACP. I disabled all addons.
    What to do right now?
     
  2. Sunka

    Sunka Well-Known Member

    Found 2 new files in the XenForo directory.
    One is named 4nime0day-XenForoisstillnosecure
    Staff of the XenForo forum, would you like the content of those 2 files?
     
  3. ŽivaAkcija

    ŽivaAkcija Well-Known Member

    This girl is so crazy, I think she's 16 years old?
     
  4. socialteenz

    socialteenz New Member

    Looks like a defacement to me. Were you on the latest security patch?

    Remove the files which look unfamiliar to you and change your admin, cPanel, FTP and database passwords ASAP. Then re-upload all XenForo files and do the upgrade.

    Do a health check of your board after finishing what I suggested.
     
  5. ManagerJosh

    ManagerJosh Well-Known Member

    It looks to be an insecure server. Who's doing the patching of your Digital Ocean install?
     
  6. Sunka

    Sunka Well-Known Member

    Same person, Samet chan, like in this thread - https://xenforo.com/community/threads/forums-were-hacked-–-samet-chan.120531/

    Yep, all latest (XenForo, PHP, nginx...)
    Just in the process of re-uploading the latest XenForo
    By myself
     
  7. Chris D

    Chris D XenForo Developer Staff Member

    There have been a few of these with claims that a 0 day exploit exists but so far there's no evidence of that.

    In more than one of the examples we know about, it has been caused by weak or shared passwords. It's also possible that there has been other software on the server which has been compromised.

    Of course we don't dismiss such claims but so far we've not been able to find anything.

    We recommend getting together any logs to see if you can ascertain any point of entry, or odd activity which may suggest how this has happened.

    Is there anything significant in the 2 files you mentioned? Which directories were they in? Which users would ordinarily have access to those directories? etc.
     
    Sunka likes this.
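    Chris D's advice above is to work from the logs: find the first request that touched a file a clean install would not serve, and then pull every other request from the same client to build a timeline. The script below is an added illustration of that triage and is not code from the thread or from XenForo. The log lines are constructed samples in nginx's combined format; the KNOWN_GOOD set of entry points is an assumption and should be generated from the file list of a pristine XenForo upload.

```python
import re

# Constructed sample nginx access-log lines (combined log format).
# Illustrative only; not taken from the forum discussed in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2016:19:01:12 +0200] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2016:19:01:40 +0200] "GET /forums/ HTTP/1.1" 200 15400 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Oct/2016:19:14:03 +0200] "POST /upload.php HTTP/1.1" 200 512 "-" "python-requests/2.11"
198.51.100.23 - - [08/Oct/2016:19:14:05 +0200] "GET /upload.php?id=1 HTTP/1.1" 200 2048 "-" "python-requests/2.11"
198.51.100.23 - - [08/Oct/2016:19:14:20 +0200] "POST /index.php HTTP/1.1" 200 90 "-" "python-requests/2.11"
203.0.113.9 - - [08/Oct/2016:19:20:00 +0200] "GET /index.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Assumed set of PHP entry points a clean install is expected to serve.
# In a real investigation, derive this from a pristine XenForo file list.
KNOWN_GOOD = {"/index.php", "/admin.php", "/js.php", "/css.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per well-formed log line; the query string is stripped
    from the path so /x.php?id=1 and /x.php are treated as the same file."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]
            yield rec


def triage(log_text, known_paths):
    """Report the first request to every PHP path outside known_paths, the
    client addresses that made such requests, and every request those
    clients made (the timeline to read for the point of entry)."""
    unknown_first_seen = {}
    suspect_ips = set()
    for rec in parse(log_text):
        if rec["path"].endswith(".php") and rec["path"] not in known_paths:
            # setdefault keeps the earliest request for each unknown path
            unknown_first_seen.setdefault(
                rec["path"], (rec["ts"], rec["ip"], rec["method"])
            )
            suspect_ips.add(rec["ip"])
    timeline = [rec for rec in parse(log_text) if rec["ip"] in suspect_ips]
    return {
        "unknown_first_seen": unknown_first_seen,
        "suspect_ips": suspect_ips,
        "timeline": timeline,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_GOOD)
    for path, (ts, ip, method) in result["unknown_first_seen"].items():
        print(f"unknown file {path} first requested {ts} by {ip} ({method})")
    for rec in result["timeline"]:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} {rec["status"]}')
```

    On the sample data the first hit on the unknown file is a POST, and the same client then POSTs to index.php a few seconds later, which lines up with "two new files in the root and index.php changed". Run it against the real access log with the real known-good list; an earlier request from the same address to a legitimate script is usually where the entry point is.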
  8. ManagerJosh

    ManagerJosh Well-Known Member

    Without reviewing logs, this would be a guess as to where I would start.
     
    Sunka likes this.
  9. Sunka

    Sunka Well-Known Member

    In forum root.
    Those 2 files were uploaded to the forum root; also, index.php was changed.

    I will send you these 3 files by PM, @Chris D
     
  10. ManagerJosh

    ManagerJosh Well-Known Member

    Honestly, that server is probably backdoored to kingdom come with PHP web shells, command shells, and more.
     
  11. ŽivaAkcija

    ŽivaAkcija Well-Known Member

    I suggested he change hosting.
     
  12. Chris D

    Chris D XenForo Developer Staff Member

    One of the three files appears to be unrelated. One of them appears to be an encoded file access/management script. This will be how the defaced index.php file will have been uploaded.
     
    Sunka and ŽivaAkcija like this.
  13. Sunka

    Sunka Well-Known Member

    So, ended with these steps:

    Code:
    [root@tvor-ocean addons]# time maldet -a /home/nginx/domains/pijanitvor.com
    Linux Malware Detect v1.5
                (C) 2002-2016, R-fx Networks <proj@rfxn.com>
                (C) 2016, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(7283): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
    maldet(7283): {scan} building file list for /home/nginx/domains/pijanitvor.com, this might take awhile...
    maldet(7283): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(7283): {scan} file list completed in 0s, found 6097 files...
    maldet(7283): {scan} scan of /home/nginx/domains/pijanitvor.com (6097 files) in progress...
    maldet(7283): {scan} 6097/6097 files scanned: 0 hits 0 cleaned
    maldet(7283): {scan} scan completed on /home/nginx/domains/pijanitvor.com: files 6097, malware hits 0, cleaned hits 0, time 652s
    maldet(7283): {scan} scan report saved, to view run: maldet --report 161009-0317.7283
    
    real    10m52.657s
    user    7m7.639s
    sys     3m32.813s

    OK, changed server root password, MySQL root password, deleted additional MySQL users, changed XenForo admin password, changed FTP password.
     
    Robru and maszd like this.
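    A signature scan such as the maldet run above reports zero hits when the dropped files are not in its database, so the complementary check is an integrity diff of the web root against a clean copy of the same XenForo version. The script below is an added example, not code from the thread or from XenForo: it hashes every file in a pristine upload, compares the live root against it, and lists files that were added, modified or removed. It assumes `data/` and `internal_data/` are the site's writable upload directories and skips them, except that any PHP file found there is still reported; the demo builds its two trees from constructed files in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed writable upload directories of the install; content there changes
# legitimately, but PHP files should never appear in them.
UPLOAD_DIRS = ("data/", "internal_data/")


def sha256_file(path):
    """Stream the file through SHA-256 so large attachments do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def is_expected_upload(rel_path):
    """True for non-PHP files inside the upload directories."""
    return rel_path.startswith(UPLOAD_DIRS) and not rel_path.endswith(".php")


def compare(clean_manifest, live_root):
    """Diff the live web root against the manifest of a clean install."""
    live = build_manifest(live_root)
    added = sorted(
        p for p in live if p not in clean_manifest and not is_expected_upload(p)
    )
    modified = sorted(
        p for p in live if p in clean_manifest and live[p] != clean_manifest[p]
    )
    missing = sorted(p for p in clean_manifest if p not in live)
    return {"added": added, "modified": modified, "missing": missing}


def demo():
    """Build a constructed clean tree and a tampered live tree, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        # Constructed stand-ins for a small part of a XenForo install.
        files = {
            "index.php": b"<?php // clean front controller\n",
            "library/XenForo/Application.php": b"<?php // core library file\n",
        }
        for root in (clean, live):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        # Tamper with the live copy: defaced index.php, an unknown script in the
        # root, a legitimate avatar upload and a PHP file dropped in data/.
        (live / "index.php").write_bytes(b"<?php // defaced\n")
        (live / "unexpected.php").write_bytes(b"<?php // not part of the install\n")
        (live / "data").mkdir()
        (live / "data" / "avatar.jpg").write_bytes(b"\xff\xd8\xff")
        (live / "data" / "dropped.php").write_bytes(b"<?php\n")
        return compare(build_manifest(clean), live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    On a real host, generate the manifest from a fresh download of the exact version in use, run `compare()` against the live root, and review everything under `added` and `modified` before re-uploading the clean files; the config file and any add-on directories will show up as differences and need to be checked by hand rather than dismissed.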
  14. ŽivaAkcija

    ŽivaAkcija Well-Known Member

    One friendly piece of advice: don't use DigitalOcean, change host if possible.
     
    Sunka likes this.
  15. Dakota Storm

    Dakota Storm Well-Known Member

    There is nothing wrong with DigitalOcean. It's as secure as the person managing it.
     
    maszd and Sunka like this.
  16. ŽivaAkcija

    ŽivaAkcija Well-Known Member

    OK, keep using it.
     
  17. RoldanLT

    RoldanLT Well-Known Member

    Can you list all your addons?
     
    king8084 likes this.
  18. Sunka

    Sunka Well-Known Member

    Of course.

    (Attached screenshots of the add-on list: 1.png, 2.png, 3.png, 4.png, 5.png)
     
    maszd likes this.
  19. ManagerJosh

    ManagerJosh Well-Known Member

    Could I get a copy of the script?
     
  20. Chris D

    Chris D XenForo Developer Staff Member

    Not from me, no. I deleted it. Probably best if Sunka shares it with you if they wish to.
     
    Last edited: Oct 10, 2016
