XF 1.5 Hacked. Need help.

Discussion in 'XenForo Questions and Support' started by Pavle123, Oct 20, 2015.

  1. Pavle123

    Pavle123 Active Member

    Hi guys,

    Yesterday a few of my sites, including my XF forum, got hacked - nothing to do with XF, it is more hosting related or whatever. So it's not XF's fault or anything.

    But I had to clean up manually tons of files. I might have deleted something by accident, I have no idea.

    Can you tell me how I can revert all those default files? Should I try to upgrade or what?

    Also I have been seeing 529 pages of errors. Probably as a result of that.

    Can you help me please?

    Just to answer, because someone might ask: I was on HostGator, but moved all my sites to SiteGround due to HostGator not giving a damn about compromised sites.
  2. Brogan

    Brogan XenForo Moderator Staff Member

    You should restore your site from a known good backup, prior to the hack.

    That includes a recent database dump and the corresponding server files.
  3. Pavle123

    Pavle123 Active Member

    Thanks Brogan, thanks to HostGator, my site is not backed up. (Do not recommend them to anyone.) It is my fault as well for not taking care of such an important thing, I understand.

    Is there something else I can do? Upgrade the files or something? Is this the reason why I am seeing errors?

    Thanks for your quick reply and help.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    How do you know the database and files you are using now are not compromised?
    The hackers may have left a backdoor somewhere.

    You can probably replace all the files by wiping what's on the server and uploading the XF and add-on files again, although you would need to keep the /data and /internal_data directories otherwise you would lose avatars and attachments.
  5. Pavle123

    Pavle123 Active Member

    Thanks for reply Brogan.
    My new host SiteGround has performed a detailed malware scan on entire root folder in cpanel. I cleaned everything they found. Not sure what more I can do, do you have some suggestions specific for XF?

    So I should delete all files, except /data and /internal_data.

    I guess content, posts and users won't be deleted?

    Once I manually delete that, should I simply add latest XF files via FTP, is it the same as new installation or an upgrade?

    Thanks, I am a bit confused with all these, haven't slept all night because of this.
  6. whynot

    whynot Well-Known Member

    They are in the database.

  7. Brogan

    Brogan XenForo Moderator Staff Member

    Don't simply overwrite what's there unless you are absolutely sure there are no additional files which have been added by the hacker.
  8. Pavle123

    Pavle123 Active Member

    Thanks guys.

    I will take screenshots, just to make sure, I do not want to mess anything up, plus it might help someone in future with a similar issue.

    So step by step
    • I go to my cpanel/ftp and download ALL files and folders except /data and /internal_data (Or I overwrite those files?)
    • I download XF upgrade pack from my account?

    Is this the proper way to go?

    Sorry once again, just want to be 100% sure.
  9. Mike

    Mike XenForo Developer Staff Member

    At the least, you need to maintain your library/config.php file. You will probably want to maintain your .htaccess file too. Be sure to check that both of those only contain what you expect.

    If you have add-ons as well, they would have very likely added files so you need to make sure you'd restore them.

    The "delete everything and only restore what's known to be safe" is a reasonable approach, but you do need to be careful. I highly recommend you do take a backup of everything so you can restore it (or parts of it if needed). (Of course that backup contains "tainted" content so it's not necessarily safe.)

    The internal_data and (particularly) the data directories can contain compromised data/scripts as well. You'll want to search the data directory for *.php files at the least, though this isn't exhaustive. By default, aside from empty index.html files, every other file in the data directory should be an image (*.jpg only, I believe).
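
An audit of the data directory along the lines described in the post above, as an added example (not part of the original thread, and not XenForo's own tooling). It goes slightly beyond the `*.php` search by also checking that each `*.jpg` really starts with JPEG magic bytes and contains no PHP open tag; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Expectation from the post: data/ holds only empty index.html files and *.jpg images.

audit_data_dir() {
    local dir="$1" f magic
    # Pass 1: any file that is neither *.jpg nor index.html (catches *.php, .htaccess, ...).
    find "$dir" -type f ! -iname '*.jpg' ! -name 'index.html' -print | sed 's/^/UNEXPECTED /'
    # Pass 2: index.html files that are not empty.
    find "$dir" -type f -name 'index.html' -size +0c -print | sed 's/^/NONEMPTY /'
    # Pass 3: *.jpg files without the JPEG magic bytes (FF D8 FF) or with a PHP tag inside.
    find "$dir" -type f -iname '*.jpg' -print | while IFS= read -r f; do
        magic=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "ffd8ff" ] || echo "NOT_JPEG $f"
        if LC_ALL=C grep -aqF '<?php' "$f"; then echo "PHP_IN_IMAGE $f"; fi
    done
}

# Constructed sample tree (placeholder content only, not real forum data).
build_sample() {
    mkdir -p "$1/avatars/l/0" "$1/attachments"
    : > "$1/index.html"                                        # expected: empty index
    printf '\377\330\377\340JFIF' > "$1/avatars/l/0/1.jpg"     # expected: real JPEG header
    printf '<?php /* placeholder */' > "$1/avatars/l/0/2.jpg"  # script renamed to .jpg
    printf '\377\330\377\340JFIF<?php /* placeholder */' > "$1/avatars/l/0/3.jpg"
    printf 'placeholder' > "$1/attachments/cache.php"          # stray PHP file
    printf '<html>x</html>' > "$1/attachments/index.html"      # index.html with content
}

# Demo run against the constructed tree.
sample=$(mktemp -d)
build_sample "$sample"
audit_data_dir "$sample"
rm -rf "$sample"
```

Anything this reports needs manual review; a clean result does not prove the directory is safe, since the post itself notes the `*.php` search is not exhaustive.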
  10. Pavle123

    Pavle123 Active Member

    Thank you @Mike

    So, I should now manually delete each and every file, everything except:
    -/data and

    And then, what next, should I manually add all files from clean downloaded XF, right?
  11. borbole

    borbole Well-Known Member

    You do not need to add them manually, but upload them with an FTP program. Or from the File Manager section in the cpanel, provided you have it.
  12. Brogan

    Brogan XenForo Moderator Staff Member

    Yes, from the upgrade .zip of the version you are currently using.

    As Mike said, you will also need to go through the /data and /internal_data directories to check for malicious files.
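
Before wiping the server, the live files can be compared against the extracted upgrade .zip to see what was added or altered, which is the concern raised earlier in the thread about files added by the hacker. The following is an added example, not part of the original thread; the function names and both sample trees are constructed. `library/config.php` and `.htaccess` are reported for hand review, as advised above, and add-on files will show as EXTRA unless the add-on packages are extracted into the clean tree as well.

```shell
#!/usr/bin/env bash
# Compare the live web root with a clean extracted copy of the same XenForo version.
# data/ and internal_data/ are skipped here because they are audited separately.

compare_with_clean() {
    local live="$1" clean="$2" rel
    (cd "$live" && find . -type f ! -path './data/*' ! -path './internal_data/*' -print) |
    sed 's|^\./||' | sort | while IFS= read -r rel; do
        case "$rel" in
            # Site-specific files that must be kept but read through by hand.
            library/config.php|.htaccess) echo "REVIEW $rel"; continue ;;
        esac
        if [ ! -f "$clean/$rel" ]; then
            echo "EXTRA $rel"          # not shipped in the clean package
        elif ! cmp -s "$live/$rel" "$clean/$rel"; then
            echo "MODIFIED $rel"       # shipped, but content differs
        fi
    done
}

# Constructed sample trees: $1 = live copy, $2 = clean copy (placeholder content only).
build_trees() {
    mkdir -p "$1/library/XenForo" "$1/data/avatars" "$2/library/XenForo"
    printf 'clean\n' > "$2/index.php"
    printf 'clean\n' > "$1/index.php"                          # identical: not reported
    printf 'clean\n' > "$2/library/XenForo/Link.php"
    printf 'clean\nappended line\n' > "$1/library/XenForo/Link.php"
    printf 'site config\n' > "$1/library/config.php"
    printf 'unknown\n' > "$1/library/XenForo/cache_helper.php" # hypothetical added file
    printf 'x' > "$1/data/avatars/1.jpg"                       # skipped by design
}

# Demo run against the constructed trees.
work=$(mktemp -d)
build_trees "$work/live" "$work/clean"
compare_with_clean "$work/live" "$work/clean"
rm -rf "$work"
```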
  13. Pavle123

    Pavle123 Active Member

    Thanks a lot guys, just wanted to let you know I managed to upgrade successfully. Appreciate your help.
