XF 1.5 Hacked forum
- Thread starter Sunka
- Start date
wp_arun
Member
Looks like a deface to me, Were you on the latest security patch?
Remove the files which looks unfamiliar to you & change your admin, cpanel, ftp, database passwords asap. Then re upload all xenforo files & do the upgrade.
Do a health check of your board after finishing what i suggested.
Remove the files which looks unfamiliar to you & change your admin, cpanel, ftp, database passwords asap. Then re upload all xenforo files & do the upgrade.
Do a health check of your board after finishing what i suggested.
ManagerJosh
Well-known member
It looks to be an insecure server. Who's doing the patching of your Digital Ocean install?
Sunka
Well-known member
Same peson Samet chan, like in this thread - https://xenforo.com/community/threads/forums-were-hacked-–-samet-chan.120531/
Yep, all latest (Xenforo, php, nginx...)
Just in process od reuploading latest xenforo
By my self
There have been a few of these with claims that a 0 day exploit exists but so far there's no evidence of that.
In more than one of the examples we know about, it has been caused by weak or shared passwords. It's also possible that there has been other software on the server which has been compromised.
Of course we don't dismiss such claims but so far we've not been able to find anything.
We recommend getting together any logs to see if you can ascertain any point of entry, or odd activity which may suggest how this has happened.
Is there anything significant in the 2 files you mentioned? Which directories were they in? Which users would ordinarily have access to those directories? etc.
In more than one of the examples we know about, it has been caused by weak or shared passwords. It's also possible that there has been other software on the server which has been compromised.
Of course we don't dismiss such claims but so far we've not been able to find anything.
We recommend getting together any logs to see if you can ascertain any point of entry, or odd activity which may suggest how this has happened.
Is there anything significant in the 2 files you mentioned? Which directories were they in? Which users would ordinarily have access to those directories? etc.
ManagerJosh
Well-known member
Without reviewing logs, this would be guess in where I would start.
ManagerJosh
Well-known member
Honestly, that server is probably backdoored to kingdom come with PHP web shells, command shells, and more.
Sunka
Well-known member
So, end with this steps:
Ok, changed server root password, mysql root password, deleted additional mysql users, changed xenforo admin password, changed ftp password
Code:
[root@tvor-ocean addons]# time maldet -a /home/nginx/domains/pijanitvor.com
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <proj@rfxn.com>
(C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(7283): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(7283): {scan} building file list for /home/nginx/domains/pijanitvor.com, this might take awhile...
maldet(7283): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(7283): {scan} file list completed in 0s, found 6097 files...
maldet(7283): {scan} scan of /home/nginx/domains/pijanitvor.com (6097 files) in progress...
maldet(7283): {scan} 6097/6097 files scanned: 0 hits 0 cleaned
maldet(7283): {scan} scan completed on /home/nginx/domains/pijanitvor.com: files 6097, malware hits 0, cleaned hits 0, time 652s
maldet(7283): {scan} scan report saved, to view run: maldet --report 161009-0317.7283
real 10m52.657s
user 7m7.639s
sys 3m32.813sOk, changed server root password, mysql root password, deleted additional mysql users, changed xenforo admin password, changed ftp password
ŽivaAkcija
Well-known member
one friendly advice, dont use digital ocean, change host if possible.
Dakota Storm
Well-known member
There is nothing wrong with digital ocean. It's as secure as the person managing it.
Similar threads
- Question
