1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Hacker keeps stealing money

Discussion in 'Troubleshooting and Problems' started by Randydrew6, Jul 29, 2016.

  1. Randydrew6

    Randydrew6 Member

    So around 7 months ago my site was hacked, I changed everything, reinstalled xenforo and got everything set up again. A few months after I noticed payments from my subscriptions going to another paypal "randydrew6@outlook.com" instead of mine which is "randydrew6@gmail.com" and so I contacted my hosting company and got them to fix it. Now I noticed that this past month i've made less money than I should of made, checking the logs it seems very seldomly to go to "randydrew6@outlook.com" still. Most of the time it will go to my paypal but 10% of the time payments go to this other paypal. What can I do to stop this from happening? I've tried contacting paypal in the past and they have refunded it and banned an older account that this happened on and when it happened with this outlook account they told me there is nothing they can do.
  2. Randydrew6

    Randydrew6 Member

    After digging into my ftp I noticed that under /library/Xenforo/UserUpgradeProcessor/PayPal.php there was:

    foreach ($accounts AS $account)
    $account = trim(strtolower($account));
    if ($account && ($business == $account || $receiverEmail == $account || $receiverEmail = "randydrew6@outlook.com" || $business == "randydrew6@outlook.com"))
    $matched = true;

    Is there any other file he might of edited?
  3. Claudio

    Claudio Well-Known Member

    Which addons are installed on your forum?
    Have you changed all passwords after your forum was compromised?
    Make sure to add .htaccess password protection to the admin panel
    Randydrew6 likes this.
  4. Randydrew6

    Randydrew6 Member

    I've changed all admin passwords and there are no mods, I've removed super user from only me and also require a phone verification to login to my account. ".htaccess password protection" can you link me as to where I can figure out how to do so?
  5. Claudio

    Claudio Well-Known Member


    If there are no addons installed on your forum I'd suggest you the following:
    - Make sure you reinstalled the forum by deleting all previous files.
    - Are you using the default XenForo style?
    If you weren't using another style rather than the default one, you never installed addons on your forum, you don't have any other script or platform like Wordpress on the same domain (which could have a security issue) and no one else had access to your files I'd make sure to check if you hosting company is trustworthy
    Enguerran A likes this.
  6. Randydrew6

    Randydrew6 Member

    I'm using ******* addons and ThemesCorp style
  7. Claudio

    Claudio Well-Known Member

    ******* has a very bad reputation on this forum. That's why his username has been banned from this community. That could explain who is the "hacker"
    Randydrew6 likes this.
  8. Claudio

    Claudio Well-Known Member

    thedude and Alfa1 like this.
  9. Randydrew6

    Randydrew6 Member

    Hmm.. But their addon where you purchase credit is going to the correct email it's just the account upgrades page. If I inspect the element it shows

    <input type="hidden" name="business" value="randydrew6@outlook.com">

    but it's the correct value in the page that buys credits. Where exactly would someone go to edit this value in PHP?
  10. teletubbi

    teletubbi Well-Known Member

    By the way.
    It might be not a good idea to expose emails on the web. Especially if they are linked to a PayPal account.
  11. Enguerran A

    Enguerran A Well-Known Member

    Free advice : Don't use any addons from ******* related to money. period. Also, I would suggest that you don't use any other kind of addons from *******.
    adwade, Claudio and Amaury like this.
  12. Mike

    Mike XenForo Developer Staff Member

    If an attacker has gained access to the point where files are edited, absolutely everything must be considered tainted. You can use the file health check to see if there are core files that may have been edited, but this is not conclusive as it doesn't cover custom files and it won't cover things in "user" directories (data and internal_data). It also sounds like he's edited at least one template. Effectively, it sounds like he gained full control.

    The ideal approach in this situation is basically a rebuild. This might be viable using a XenForo-to-XenForo import (which means you wouldn't maintain your old files or database, only bringing across what the import brings), but this will cause some data and configuration loss. If you have add-ons, it's likely none of them will be maintained.

    If that's not viable, you can try to audit manually to remove any changes made, but this likely won't be trivial.
    Xon, Randydrew6 and Amaury like this.
  13. Randydrew6

    Randydrew6 Member

    Is this what you mean? I've contacted my server staff and they responded with the following:

    Hello dear Randy,
    Our tech stuff has found PHP file in a framework of you set up Xenforo with an outlier code, which made transfer torandydrew6@outlook.com.
    We corrected the code, and prohibited to change this file. Please follow your payments and tell us if everything is working promptly!

    We advice you to move to a new vps with new OS, with newest Xenoforo version, the data from your forum must be transferred manually(in order not to transwer previous weak points from your vps) Our tech stuff is able to help you with relocation of your vps.

    Preparation of vps(OS,Web soft,Xenoforo+ help with manual data transfer) -50$

    The works that were performed today will not be invoiced!

    Please let us know your decision!
  14. Brogan

    Brogan XenForo Moderator Staff Member

    That's more or less what Mike said.

    It's almost impossible to know if there are any backdoors, compromised files, etc. so it's quicker and easier to just start over with a new OS, files, etc.
    Amaury and Randydrew6 like this.
  15. adwade

    adwade Active Member

    You might also want to consider running Tripwire to help keep an eye on your files.

    EDIT: Come to think of it, Dragonbyte Security could help with securing your site as well.
    Last edited: Jul 30, 2016

Share This Page