Hacked? Healthcheck Gone Screwy? Something's not right this morning & I could really use a little helpful feedback...

Chernabog

Well-known member
Hi everyone, I hope this is the right forum, because it looks as though I need a little help. Everything has been fine with our XF and yesterday I went ahead and ran some standard upgrades on add-ons we've been using for a long time from well-known vendors and then I did the XF fix to get user upgrades accessible again from the ACP. All went along with no problems.

It seems yesterday at 12:40AM our health check was fine, however at 3:05AM it was totally out of whack. Scrolling through it, I am seeing stuff that I am not even sure belongs to a vendor or add-on, such as: js/vendor/froala/plugins/code_beautifier.min.js, src/vendor/christian-riesen/otp/src/Otp.php and src/vendor/guzzlehttp/guzzle/CHANGELOG.md. If we were somehow 'hacked' I have backups thankfully, but I've no idea how or where the injections may have come from? Any help is GREATLY appreciated. Thank you!

js/vendor/autosize/autosize.js Unexpected contents
js/vendor/autosize/autosize.min.js Unexpected contents
js/vendor/codemirror/addon/dialog/dialog.min.js Unexpected contents
js/vendor/codemirror/addon/edit/closebrackets.min.js Unexpected contents
js/vendor/codemirror/addon/fold/xml-fold.min.js Unexpected contents
js/vendor/codemirror/addon/search/jump-to-line.min.js Unexpected contents
js/vendor/codemirror/addon/search/search.min.js Unexpected contents
js/vendor/codemirror/codemirror.min.js Unexpected contents
js/vendor/codemirror/mode/clike/clike.min.js Unexpected contents
js/vendor/codemirror/mode/javascript/javascript.min.js Unexpected contents
js/vendor/codemirror/mode/markdown/markdown.min.js Unexpected contents
js/vendor/codemirror/mode/python/python.min.js Unexpected contents
js/vendor/codemirror/mode/shell/shell.min.js Unexpected contents
js/vendor/codemirror/mode/sql/sql.min.js Unexpected contents
js/vendor/froala/froala-compiled.js Unexpected contents
js/vendor/froala/froala_editor.min.js Unexpected contents
js/vendor/froala/plugins/align.min.js Unexpected contents
js/vendor/froala/plugins/char_counter.min.js Unexpected contents
js/vendor/froala/plugins/code_beautifier.min.js Unexpected contents
js/vendor/froala/plugins/code_view.min.js Unexpected contents
js/vendor/froala/plugins/colors.min.js Unexpected contents
js/vendor/froala/plugins/draggable.min.js Unexpected contents
js/vendor/froala/plugins/emoticons.min.js Unexpected contents
js/vendor/froala/plugins/entities.min.js Unexpected contents
js/vendor/froala/plugins/file.min.js Unexpected contents
js/vendor/froala/plugins/font_family.min.js Unexpected contents
js/vendor/froala/plugins/font_size.min.js Unexpected contents
js/vendor/froala/plugins/forms.min.js Unexpected contents
js/vendor/froala/plugins/fullscreen.min.js Unexpected contents
js/vendor/froala/plugins/help.min.js Unexpected contents
js/vendor/froala/plugins/image.min.js Unexpected contents
js/vendor/froala/plugins/image_manager.min.js Unexpected contents
js/vendor/froala/plugins/inline_style.min.js Unexpected contents
js/vendor/froala/plugins/line_breaker.min.js Unexpected contents
js/vendor/froala/plugins/link.min.js Unexpected contents
js/vendor/froala/plugins/lists.min.js Unexpected contents
js/vendor/froala/plugins/paragraph_format.min.js Unexpected contents
js/vendor/froala/plugins/paragraph_style.min.js Unexpected contents
 
If the file health checks are failing with no action being taken, then you will need to contact your host and ask them to investigate.

Uploading new files again should resolve any issues but if someone did manage to gain access to the server, that will need to be investigated and resolved.
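
Added example, not part of the original thread and not XenForo's own code: before re-uploading, a hash comparison of the live files against a freshly extracted copy of the same release shows exactly which files differ and when each was last modified, which helps the host bound the change window. The function names, the two directory arguments and the sample file contents are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def index_tree(root):
    found = {}
    for base, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(base, name)
            if os.path.isfile(full):
                found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def compare_trees(reference_root, live_root):
    """Hash-compare live files against a known-good copy of the same release."""
    ref, live = index_tree(reference_root), index_tree(live_root)
    changed = []
    for rel in sorted(ref.keys() & live.keys()):
        if sha256_of(ref[rel]) != sha256_of(live[rel]):
            # The mtime of a changed file helps bound when it was modified.
            ts = datetime.fromtimestamp(os.path.getmtime(live[rel]), timezone.utc)
            changed.append((rel, ts.isoformat(timespec="seconds")))
    return {"changed": changed,
            "missing": sorted(ref.keys() - live.keys()),
            "extra": sorted(live.keys() - ref.keys())}

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees; file contents are placeholders, not XF code."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for root in (ref, live):
            _write(root, "js/vendor/autosize/autosize.js", b"original\n")
            _write(root, "src/vendor/guzzlehttp/guzzle/CHANGELOG.md", b"original\n")
        _write(live, "js/vendor/autosize/autosize.js", b"original\nextra line\n")
        _write(live, "js/constructed-extra.php", b"<?php // not in reference\n")
        os.remove(os.path.join(live, "src/vendor/guzzlehttp/guzzle/CHANGELOG.md"))
        return compare_trees(ref, live)

if __name__ == "__main__":
    print(demo())
```

On a real install the "extra" list will also contain add-on files, uploads and caches that are not in the stock package, so it needs manual review rather than being treated as a list of injected files.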
 
Thank you @Brogan -- I am not too tech savvy on all that, but am working with my web host so we can see where any exploit or vulnerability may have arisen. Question: it seems job.php was accessed a lot right before things went bad. I see it in my public directory. Do I >need< to have job.php? Is it required by XF?
 
Ok, my host said it's required for cron jobs and automation lol, tells ya what I know (sheesh) -- but then it would be odd that some outside IP address is posting to it? ...okay, let me stop fishing for aid. lol
 
Anyone can attempt to load job.php in their browser - it doesn't necessarily indicate an exploit.

Your host will hopefully be able to provide some answers in due course.
 
I seem to have got the same thing... and oddly I could not get to my site at all today, none can, however I can get everywhere else, but luckily my hosting provider was able to get me into my site and right now I am doing some adjustments. I'm not all that savvy when it comes to job cons or the like... and I may need to optimize some of my images, which I am unsure how to do with XenForo...
 

Attachments

  • Screenshot_2020-07-11 File health check results Los Angeles By Night - Admin control panel.webp