Hacked, then massively spammed!


New member
Please note that I was mistaken in my original post: I was not hacked after all. I thought that because the spam cleaning links were gone, that someone altered my site before hitting me. I now know better. (Thanks again, Peter).

I am a new xenforo owner (forums.basketballogy.com).

Tonight is a NIGHTMARE and I need to know what happened, how to fix it, and how to prevent it from happening again.

In a span of just a few minutes we got hit by hundreds of spam messages in what looks to be a coordinated attack of several users or a bot logged in as several users.

More troubling though, is they must have hacked my site first because all tools to stop spam have been removed. We (my moderators and I) cannot ban them or remove the spam.

All I could think of to do was quickly log in to the admin panel and mark all the categories as private, so now they should not appear to the spammers for them to hit.

Next I went through the users currently logged in and manually typed the user names of spammers logged in into the admin panel and banned them that way. But even though they are banned, they are still logged in.

Now I don't know what to do. They have effectively closed down my site.
If you have backup of your files and DB:

1. Remove every files from your FTP.
2. Change your SSH password.
3. Secure your VPS if it is if not ask your host to look at security issues.
4. Change all your passwords.
5. Scan your PC with good antivirus and malaware scans.
6. Re-upload back up files and database.

If not, I would suggest to create a ticket so XF staff can help you out directly. Slavik is Ace in helping :)
Thanks for the tips; I'll see what I can do but I hired someone to set up my forums for me, so I cannot do most of what you suggest. Yet.

I've been spending time reading here of others who have been hacked and trying to learn from what I am reading.

Meanwhile, here is some of what I've learned for the benefit of others:
  • Beware the unnamed visitors -- particularly with IP addresses in the Ukraine and Beijing. They have been lurking, waiting for all moderators and admins to not be logged in, THEN they hit.
  • The spammers create accounts LONG before they use them. These "sleeper agents" lie dormant, then all at once they come on together and hit you.
  • Given that there has been absolutely no content on my forums site for nearly 4 hours now (because I marked all the forum categories "Private" to make them quickly disappear from spammers' view), there is no reason for "guests" with IPs from the Ukraine and China to be lurking on the site for 18+ minutes -- especially since the spammers who hit me posted from Ukraine and Chinese IP addresses, so since the attack I have been banning the IP addresses of those guests who come to my empty site and lurk. Sure, they could be legit, but with IPs like: " baiduspider-180-76-5-100.crawl.baidu.com" I'll take my chances.
It was us who helped Tom set up his site :)

I just logged in and disabled the Spam Manegment registrations by setting them to 0. This probably is why the spam tools were unavailable, as the spammers simply waited until the default period configured expired. By disabling the options, the spam tool will always be there, ready for Tom and his moderators to slam-dunk them.

I also installed XenUtiles to set up a Kobe and Michael Jordan block at the gates, hopefully preventing most spammers from successfully registering to begin with.

The baiduspider is a spider for a search-engine (Baidu, the Chinese version of Google), by the way. You probably don't want to block those.
And to correct myself in my first, thread starting post...

I was NOT hacked!

I was naive.

I didn't realize that my spammer settings was the reason the ban links were missing.


Once again Peter, THANK YOU for all you've done to help me. You are the best!
Top Bottom