Hacked? Healthcheck Gone Screwy? Something's not right this morning & I could really use a little helpful feedback...

Chernabog

Active member
Hi everyone, I hope this is the right forum, because it looks as though I need a little help. Everything has been fine with our XF, and yesterday I went ahead and ran some standard upgrades on add-ons we've been using for a long time from well-known vendors, and then I did the XF fix to get user upgrades accessible again from the ACP. All went along with no problems.

It seems yesterday at 12:40AM our health check was fine, however at 3:05AM it was totally out of whack. Scrolling through it, I am seeing stuff that I am not even sure belongs to a vendor or add-on, such as: js/vendor/froala/plugins/code_beautifier.min.js, src/vendor/christian-riesen/otp/src/Otp.php and src/vendor/guzzlehttp/guzzle/CHANGELOG.md. If we were somehow 'hacked' I have backups thankfully, but I've no idea how or where the injections may have come from? Any help is GREATLY appreciated. Thank you!

js/vendor/autosize/autosize.js Unexpected contents
js/vendor/autosize/autosize.min.js Unexpected contents
js/vendor/codemirror/addon/dialog/dialog.min.js Unexpected contents
js/vendor/codemirror/addon/edit/closebrackets.min.js Unexpected contents
js/vendor/codemirror/addon/fold/xml-fold.min.js Unexpected contents
js/vendor/codemirror/addon/search/jump-to-line.min.js Unexpected contents
js/vendor/codemirror/addon/search/search.min.js Unexpected contents
js/vendor/codemirror/codemirror.min.js Unexpected contents
js/vendor/codemirror/mode/clike/clike.min.js Unexpected contents
js/vendor/codemirror/mode/javascript/javascript.min.js Unexpected contents
js/vendor/codemirror/mode/markdown/markdown.min.js Unexpected contents
js/vendor/codemirror/mode/python/python.min.js Unexpected contents
js/vendor/codemirror/mode/shell/shell.min.js Unexpected contents
js/vendor/codemirror/mode/sql/sql.min.js Unexpected contents
js/vendor/froala/froala-compiled.js Unexpected contents
js/vendor/froala/froala_editor.min.js Unexpected contents
js/vendor/froala/plugins/align.min.js Unexpected contents
js/vendor/froala/plugins/char_counter.min.js Unexpected contents
js/vendor/froala/plugins/code_beautifier.min.js Unexpected contents
js/vendor/froala/plugins/code_view.min.js Unexpected contents
js/vendor/froala/plugins/colors.min.js Unexpected contents
js/vendor/froala/plugins/draggable.min.js Unexpected contents
js/vendor/froala/plugins/emoticons.min.js Unexpected contents
js/vendor/froala/plugins/entities.min.js Unexpected contents
js/vendor/froala/plugins/file.min.js Unexpected contents
js/vendor/froala/plugins/font_family.min.js Unexpected contents
js/vendor/froala/plugins/font_size.min.js Unexpected contents
js/vendor/froala/plugins/forms.min.js Unexpected contents
js/vendor/froala/plugins/fullscreen.min.js Unexpected contents
js/vendor/froala/plugins/help.min.js Unexpected contents
js/vendor/froala/plugins/image.min.js Unexpected contents
js/vendor/froala/plugins/image_manager.min.js Unexpected contents
js/vendor/froala/plugins/inline_style.min.js Unexpected contents
js/vendor/froala/plugins/line_breaker.min.js Unexpected contents
js/vendor/froala/plugins/link.min.js Unexpected contents
js/vendor/froala/plugins/lists.min.js Unexpected contents
js/vendor/froala/plugins/paragraph_format.min.js Unexpected contents
js/vendor/froala/plugins/paragraph_style.min.js Unexpected contents
 

Brogan

XenForo moderator
Staff member
If the file health checks are failing with no action being taken, then you will need to contact your host and ask them to investigate.

Uploading new files again should resolve any issues but if someone did manage to gain access to the server, that will need to be investigated and resolved.
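
An added example, not part of the original thread and not XenForo's own health check code: before re-uploading, one way to record exactly what changed is to compare the live install against a freshly extracted copy of the same release. The function names and the small demo trees below are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict[str, str]:
    """Map each regular file's path relative to root (POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_trees(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Classify live files against a clean reference copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "missing": sorted(f for f in clean if f not in live),
        # Files only in the live tree may be add-ons or uploads; review, don't assume.
        "unexpected": sorted(f for f in live if f not in clean),
    }


def demo() -> dict[str, list[str]]:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"js/vendor/autosize/autosize.js": b"a", "src/vendor/x/Otp.php": b"b", "job.php": b"c"}
        for root in (clean, live):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        (live / "js/vendor/autosize/autosize.js").write_bytes(b"a/*changed*/")
        (live / "src/vendor/x/Otp.php").unlink()
        (live / "js/extra.php").write_bytes(b"?")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keeping a copy of the modified files and their timestamps before overwriting them preserves the evidence the host needs for the investigation.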
 

Chernabog

Active member
Thank you @Brogan -- I am not too tech-savvy on all that, but am working with my web host so we can see where any exploit or vulnerability may have arisen. Question: it seems job.php was accessed a lot right before things went bad. I see it in my public directory; do I >need< to have job.php... is it required by XF?
 

Chernabog

Active member
Ok, my host said it's required for cron jobs and automation lol, tells ya what I know (sheesh) -- but then it would be odd that some outside IP address is posting to it? ...okay let me stop fishing for aid. lol
 

Brogan

XenForo moderator
Staff member
Anyone can attempt to load job.php in their browser - it doesn't necessarily indicate an exploit.

Your host will hopefully be able to provide some answers in due course.
 