Hacking index.php

[nailxx]

Hello!

I have some problems with our XenForo installation for few last weeks. Looks like it became a target of hackers/spammers. I've installed few addons to fight spam but I have no idea how change of root `index.php` script could be done.

For 2 times already it was prefixed with some malicious code to redirect a visitor who visits the forum for the first time to a 3rd-party fishing site.

I've done auth log analysis on server and see that noone except me on my laptop from well-known IP was logged in. So the question is how could one change contents of `index.php` without SSH server access ever?

Admin log found in XenForo control panel is fine too: no traces of any suspicious actions.

For now I changed file-based permissions to disallow write from any user, including web-server user. But it's a kind of work around which breaks upgrade process, shut ups the problem instead of solving it, etc.

Does anybody have an idea?

 

[Chris D]

What version of XenForo do you currently have installed?

Also, are you a licensed customer?

Please log in to the Customer Area here: http://xenforo.com/customers/forum-users

And insert your forum name.

Alternatively, you can verify your license by posting in this thread: http://xenforo.com/community/threads/manual-customer-verification.34054/page-2#post-400165

 

[nailxx]

Hello, I'm using latest (1.1.3) version and I'm licensed customer, aaand I've already associated my license number with this forum account on http://xenforo.com/customers/forum-users

 

[Chris D]

I can't verify that because you posted in a public forum instead of the support forum.

Say hello in this thread: http://xenforo.com/community/threads/manual-customer-verification.34054/page-2#post-400165

And I'll be able to help you.

 

[Robbo]

This doesn't sound like a XenForo issue at all but your system compromised elsewhere. Change all passwords.

 

[Chris D]

If all this began to happen a while ago, then a possible cause is that there was a severe vulnerability in swfupload (the multi-file uploader you see in posts) which when exploited potentially gave people the ability to take control of your forum. To be clear: This was a bug specifically with swfupload and not caused by any vulnerability in XenForo itself.

This was fixed in 1.1.3, but if the problems started a while ago, there's nothing to say that they used that as a way in, but they were able to unlock a few other doors to allow them continued access.

But, as Robbo says, whatever is happening, fundamentally the problem is not a XenForo problem. There is going to be some weakness in your configuration somewhere. This could be:

• Rogue staff member
• Insecure admin password
• Insecure SSH access
• Insecure FTP access
• Insecure cPanel
• Insecure PC. Has your PC been hacked? Keyloggers installed?
• About 8 years ago at one of my sites, a similar thing was being done by the actual hosting company...
• Some other exploit in the server either being too open or some other software providing a backdoor in.

So, first step, as Robbo rightly says is change all of your passwords. But there's the possibility that your own computer has been compromised so I would do everything you can to first of all ensure that is as secure as it can be. After the passwords have been changed if the problem still persists then you might want to contact your hosts. They may be able to provide evidence as to who is accessing what and when.
It might also, just for good measure, to deploy this fix: http://xenforo.com/community/threads/xenforo-security-fix-for-1-0-0-1-1-2.32890/
This was included in 1.1.3 - but just replace the file again and double/triple check it does overwrite the one that's there.

 

[nailxx]

@Chris, done

@Robbo. Maybe, but…

I have no passwords, they're disabled and prohibited: all authentication is done with SSL keys.
I have no traces of logins other than mine.
I've changed admin accounts passwords, but are they able to change php-files a all?!
I've done recursive directory diff with fresh XenForo distro. No diffs except user uploads and cache.
The server where forum installed have other services as well. They're left untouched.
Is XenForo protected from the kind of attack when some user uploads a file (say, avatar) with forged filename like `../../../index.php`?

 

[nailxx]

Thank you for the hints. Will inverstigate the issue further.
Uploader SWF check sum matches latest, fixed version of the file.