XF 1.5 Hacked. Need help.

Pavle123

Active member
Hi guys,

Yesterday a few of my sites, including my XF forum, got hacked. It has nothing to do with XF; it is more hosting related or whatever. So it's not XF's fault or anything.

But I had to clean up manually tons of files. I might have deleted something by accident, I have no idea.

Can you tell me how can I revert all those default files? Should I try to upgrade or what?

Also I have been seeing 529 pages of errors. Probably as a result of that.

Can you help me please?

Just to answer, because someone might ask : I was on HostGator, but moved all my sites to SiteGround due to HostGator not giving a damn about compromised sites.
 
You should restore your site from a known good backup, prior to the hack.

That includes a recent database dump and the corresponding server files.
 
Thanks Brogan. Thanks to HostGator, my site is not backed up. (Do not recommend them to anyone.) It is my fault as well for not taking care of such an important thing, I understand.

Is there something else I can do? Upgrade the files or something? Is this the reason why I am seeing errors?

Thanks for your quick reply and help.
 
How do you know the database and files you are using now are not compromised?
The hackers may have left a backdoor somewhere.

You can probably replace all the files by wiping what's on the server and uploading the XF and add-on files again, although you would need to keep the /data and /internal_data directories otherwise you would lose avatars and attachments.
 
Thanks for reply Brogan.
My new host SiteGround has performed a detailed malware scan on the entire root folder in cPanel. I cleaned everything they found. Not sure what more I can do; do you have some suggestions specific to XF?

So I should delete all files, except /data and /internal_data?

I guess content, posts and users won't be deleted?

Once I manually delete that, should I simply add latest XF files via FTP, is it the same as new installation or an upgrade?

Thanks, I am a bit confused with all these, haven't slept all night because of this.
 
Don't simply overwrite what's there unless you are absolutely sure there are no additional files which have been added by the hacker.
 
Thanks guys.

I will take screenshots, just to make sure. I do not want to mess anything up, plus it might help someone in the future with a similar issue.

So step by step
  • I go to my cPanel/FTP and download ALL files and folders except /data and /internal_data (or do I overwrite those files?)
  • I download the XF upgrade pack from my account?

Is this the proper way to go?

Sorry once again, just want to be 100% sure.
 
At the least, you need to maintain your library/config.php file. You will probably want to maintain your .htaccess file too. Be sure to check that both of those only contain what you expect.

If you have add-ons as well, they would have very likely added files so you need to make sure you'd restore them.

The "delete everything and only restore what's known to be safe" is a reasonable approach, but you do need to be careful. I highly recommend you do take a backup of everything so you can restore it (or parts of it if needed). (Of course that backup contains "tainted" content so it's not necessarily safe.)

The internal_data and (particularly) the data directories can contain compromised data/scripts as well. You'll want to search the data directory for *.php files at the least, though this isn't exhaustive. By default, aside from empty index.html files, every other file in the data directory should be an image (*.jpg only, I believe).
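
An added example, not code from this thread or from XenForo, that turns Brogan's "wipe everything except /data and /internal_data" and Mike's "search the data directory for *.php files, and check config.php and .htaccess" into a repeatable audit. It assumes the XF 1.x layout named in the thread (data/, internal_data/, library/config.php, .htaccess at the forum root); the sample tree built by make_sample_tree, the suspicious-pattern lists, and the "first 64 bytes" heuristic are this example's own choices, not anything XenForo ships. Running it with a path audits that forum root; running it with no argument audits the constructed sample tree.

```shell
#!/bin/sh
# Post-compromise audit of the XF 1.x paths the thread says to keep.
# Added example; the sample tree and patterns are constructed for it.

# Script-like files that have no business under data/ or internal_data/.
find_suspect_files() {
    find "$1/data" "$1/internal_data" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
           -o -iname '*.phar' -o -iname '*.cgi' \) 2>/dev/null
    return 0
}

# Per Mike's post, data/ should hold only *.jpg images plus empty index.html
# placeholders; anything else is listed for manual review.
find_non_image_files() {
    find "$1/data" -type f ! -iname '*.jpg' ! -name 'index.html' 2>/dev/null
    return 0
}

# An image extension is not proof of an image: a web shell renamed to .jpg
# still starts with a PHP open tag, so inspect the first bytes of each "image".
find_disguised_scripts() {
    find "$1/data" "$1/internal_data" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) 2>/dev/null |
    while IFS= read -r f; do
        if head -c 64 "$f" | grep -qE '<\?php|<\?='; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# config.php and .htaccess are kept, so check nothing was appended to them.
# A legitimate XF config.php never calls eval/base64_decode; a legitimate XF
# .htaccess rewrites to index.php, not to an external URL or a PHP handler.
check_config_files() {
    grep -nE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(' \
        "$1/library/config.php" 2>/dev/null || true
    grep -nE 'auto_prepend_file|auto_append_file|AddType|AddHandler|RewriteRule .*https?://' \
        "$1/.htaccess" 2>/dev/null || true
    return 0
}

# Portable line counter (wc -l pads its output on some systems).
count_lines() { n=0; while IFS= read -r line; do n=$((n + 1)); done; echo "$n"; }

# Constructed sample tree: one clean avatar, a PHP backdoor dropped into
# attachments, a PHP shell disguised as a temp image, and tampered config/.htaccess.
make_sample_tree() {
    mkdir -p "$1/data/avatars/m/0" "$1/data/attachments/0" "$1/internal_data/temp" "$1/library"
    : > "$1/data/index.html"
    printf '\377\330\377\340JFIF' > "$1/data/avatars/m/0/1.jpg"
    printf '%s\n' '<?php eval($_POST["c"]);' > "$1/data/attachments/0/backdoor.php"
    printf '%s\n' 'Order deny,allow' 'Deny from all' > "$1/internal_data/.htaccess"
    printf '%s\n' '<?php system($_GET["c"]);' > "$1/internal_data/temp/shell.jpg"
    printf '%s\n' '<?php' "\$config['db']['host'] = 'localhost';" \
        "eval(base64_decode('ZWNobyAxOw=='));" > "$1/library/config.php"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule ^.*$ index.php [NC,L]' \
        'RewriteRule ^ http://example.invalid/ [R,L]' > "$1/.htaccess"
}

# Usage: sh xf_audit.sh /path/to/forum   (no argument: audit the sample tree)
if [ "$#" -gt 0 ]; then
    xf_root=$1; demo=
else
    xf_root=$(mktemp -d); demo=1; make_sample_tree "$xf_root"
fi
for check in find_suspect_files find_non_image_files find_disguised_scripts check_config_files; do
    echo "== $check"; "$check" "$xf_root"
done
if [ -n "$demo" ]; then rm -rf "$xf_root"; fi
```

None of these checks is exhaustive, as Mike says; a listing with nothing in it means only that the obvious things are absent. Anything the checks do list should be compared against the clean download (internal_data/.htaccess, for instance, is shipped by XF and should match the one in the upgrade zip) before it is kept.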
 
Thank you @Mike

So, I should now manually delete each and every file, everything except:
-library/config.php
-/data and
-/internal_data
-.htaccess

And then, what next, should I manually add all files from clean downloaded XF, right?
 
You do not need to add them manually, but upload them with an FTP program, or from the File Manager section in cPanel, provided you have it.
 
Yes, from the upgrade .zip of the version you are currently using.

As Mike said, you will also need to go through the /data and /internal_data directories to check for malicious files.
 