• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.5 Hacked forum

Sunka

Well-known member
#1
my forum is hacked 15 minute ago.
Still have access to ACP. I disabled all addons.
what to do right now?
 

Sunka

Well-known member
#2
Found 2 new files in xenforo directory.
One is named 4nime0day-XenForoisstillnosecure
Staff of Xenforo forum, would you like content of that 2 files?
 
#4
Looks like a deface to me, Were you on the latest security patch?

Remove the files which looks unfamiliar to you & change your admin, cpanel, ftp, database passwords asap. Then re upload all xenforo files & do the upgrade.

Do a health check of your board after finishing what i suggested.
 

Sunka

Well-known member
#6
Same peson Samet chan, like in this thread - https://xenforo.com/community/threads/forums-were-hacked-–-samet-chan.120531/

Were you on the latest security patch?
Yep, all latest (Xenforo, php, nginx...)
Remove the files which looks unfamiliar to you & change your admin, cpanel, ftp, database passwords asap. Then re upload all xenforo files & do the upgrade.
Just in process od reuploading latest xenforo
Who's doing the patching of your Digital Ocean install?
By my self
 

Chris D

XenForo developer
Staff member
#7
There have been a few of these with claims that a 0 day exploit exists but so far there's no evidence of that.

In more than one of the examples we know about, it has been caused by weak or shared passwords. It's also possible that there has been other software on the server which has been compromised.

Of course we don't dismiss such claims but so far we've not been able to find anything.

We recommend getting together any logs to see if you can ascertain any point of entry, or odd activity which may suggest how this has happened.

Is there anything significant in the 2 files you mentioned? Which directories were they in? Which users would ordinarily have access to those directories? etc.
 

Chris D

XenForo developer
Staff member
#12
One of the three files appears to be unrelated. One of them appears to be an encoded file access/management script. This will be how the defaced index.php file will have been uploaded.
 

Sunka

Well-known member
#13
So, end with this steps:

I changed server root password
I can login to server via ssh, but webpage can not be loaded.
I think I have to restart nginx, mysql and php.
Sucessfuly restarted all but nginx.
Something connected with csf firewall
I will try to csf -df
Lol.
Now there is missing my complete public folder with all files
I revert public directory just now (rsync from yesterday backup), but problem is that public directory gone half hour ago, but 1 hour ago I changed server root passord
Code:
[root@tvor-ocean addons]# time maldet -a /home/nginx/domains/pijanitvor.com
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7283): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(7283): {scan} building file list for /home/nginx/domains/pijanitvor.com, this might take awhile...
maldet(7283): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(7283): {scan} file list completed in 0s, found 6097 files...
maldet(7283): {scan} scan of /home/nginx/domains/pijanitvor.com (6097 files) in progress...
maldet(7283): {scan} 6097/6097 files scanned: 0 hits 0 cleaned
maldet(7283): {scan} scan completed on /home/nginx/domains/pijanitvor.com: files 6097, malware hits 0, cleaned hits 0, time 652s
maldet(7283): {scan} scan report saved, to view run: maldet --report 161009-0317.7283

real    10m52.657s
user    7m7.639s
sys     3m32.813s
Ok, changed server root password, mysql root password, deleted additional mysql users, changed xenforo admin password, changed ftp password
 

Chris D

XenForo developer
Staff member
#20
Not from me, no. I deleted it. Probably best if Sunka shares it with you if they wish to.
 
Last edited: