XF 1.2 HELP! site hacked locked out of admin cp, unable to create a new admin or restore one

[XxUnkn0wnxX]

as the title says i am locked out of admin cp i cannot ad new admins in the admin panel so how do i bypass the admin panel? using phpmyadmin to create and add a super super admin without the use of admin cp?

 

[Tracy Perry]

as the title says i am locked out of admin cp i cannot ad new admins in the admin panel so how do i bypass the admin panel? using phpmyadmin to create and add a super super admin without the use of admin cp?

Best bet is to create a ticket... I don't know if they will want to discuss that in an open forum area.

 

[Brogan]

What do you mean the site has been hacked and you are locked out?

What happens when you try to log in directly to the ACP?

 

[XxUnkn0wnxX]

i some how got access back by restoring but what happened it say incorrect password in admincp login "admin.php" i am still having major issue's and my site is not the only one effected some rampaging hacker is killing most of the sites i know that are running xenforo with some kind of new exploit!

 

[XxUnkn0wnxX]

i gain access then i loose it it is constant battle here, atm i am locking down my site blocking all access

 

[Brogan]

some rampaging hacker is killing most of the sites i know that are running xenforo with some kind of new exploit!

There have been no reports of this.

Do you have any proof?

Are you on a shared server?
Has a password been compromised?
Do you have WordPress or anything else installed?

 

[oman]

i some how got access back by restoring but what happened it say incorrect password in admincp login "admin.php" i am still having major issue's and my site is not the only one effected some rampaging hacker is killing most of the sites i know that are running xenforo with some kind of new exploit!

What exploit? Care to explain?

 

[Slavik]

i some how got access back by restoring but what happened it say incorrect password in admincp login "admin.php" i am still having major issue's and my site is not the only one effected some rampaging hacker is killing most of the sites i know that are running xenforo with some kind of new exploit!

Please don't make such absurd claims. This is most likely due to a comprimise at the host server or by using common passwords. Theres no current known XenForo exploits out there.

 

[XxUnkn0wnxX]

There have been no reports of this.

Do you have any proof?
Still gaining information about this since not just my site was effected but others 2

Are you on a shared server?
dedicated server
Has a password been compromised?
yes but i got access back via restore database
Do you have WordPress or anything else installed?
yes but has not been touched or compromised

i have security with cloud flare pro plan with WAF fire wall all settings set to high/max security

as for my passwords they are 32-64 characters long with symbols and random characters

and my hosting is hostgator <-- i have not had any issues with there dedicated service and they have a custom firewall that keeps things in cheack nothing else has been compromised only directly to xenforo forum software that has been effected

and yes i have reset all passwords within server cpanel, data base, ssh, ftp, xenforo admin passwords, wordpress admin passwords, locked every one out, <-- but i still lost access and had to restore again

 

[Brogan]

Has a password been compromised?

yes but i got access back via restore database

So it was a compromised password?

 

[Slavik]

WordPress

This is my bet the source of your problem.

 

[borbole]

i some how got access back by restoring but what happened it say incorrect password in admincp login "admin.php" i am still having major issue's and my site is not the only one effected some rampaging hacker is killing most of the sites i know that are running xenforo with some kind of new exploit!

What damage was done to your forum precisely? Also can you please post the links to those sites that were hacked?

As of this moment there is no known exploit(s) with xenforo. XenForo is the only forum software that there has never been a security issue with during its whole existence. If there was a new exploit that would cause hacking of xenforo forums en mass, trust me, we would have heard by now.

That being said, did you contact your host to check the access logs and see what went down and how?

Also another thing that I would advice you is to make a thorough check up of your server space for suspicious files and such.

 

[Dakis]

So what are these "all other forums" that have been attacked/hacked? Let's see them, I assume they are no secret.

 

[XxUnkn0wnxX]

What damage was done to your forum precisely? Also can you please post the links to those sites that were hacked?

As of this moment there is no known exploit(s) with xenforo. XenForo is the only forum software that there has never been a security issue with during its whole existence. If there was a new exploit that would cause hacking of xenforo forums en mass, trust me, we would have heard by now.

That being said, did you contact your host to check the access logs and see what went down and how?

well i have asked my hosting provider for the logs still no reply as they take there time

sites that where effected that i know of:
http://consolecrunch.org - they had to start for scratch as all there nodes where deleted and users, they back online now
http://playmodz.fr/ - doesn't even load killed but was working b4 my site was attacked
http://portalcentric.net - my site forum's have been locked down at the moment! -- my doing

damages done to my site:
forum_list trolled random images every where
all registered users added to all groups such as super admin, vip, moderator ect...
my admin account locked out password changed even though i locked every one out and i changed my pass b4 this happened (its like they can sniff who changes there passwords and intercept them)
only i have access to admin cp now but still loosing it time to time and i checked ip address list and only mine is in there and i know it not my problem cozz i using mac osx operating system with extensive motetring so i would know if some 1 had access to my computer + this happend even if i wasn't on my computer and it was shut down

@Slavik and how is wordpress the problem? it wasn't even effected and it is no where linked with xenforo, my word press is only for front page only i have access wp-admin and normal users cannot login cozz i took that out

 

[borbole]

well i have asked my hosting provider for the logs still no reply as they take there time

sites that where effected that i know of:
http://consolecrunch.org - they had to start for scratch as all there nodes where deleted and users, they back online now
http://playmodz.fr/ - doesn't even load killed but was working b4 my site was attacked
http://portalcentric.net - my site forum's have been locked down at the moment! -- my doing

damages done to my site:
forum_list trolled random images every where
all registered users added to all groups such as super admin, vip, moderator ect...
my admin account locked out password changed even though i locked every one out and i changed my pass b4 this happened (its like they can sniff who changes there passwords and intercept them)
only i have access to admin cp now but still loosing it time to time and i checked ip address list and only mine is in there and i know it not my problem cozz i using mac osx operating system with extensive motetring so i would know if some 1 had access to my computer + this happend even if i wasn't on my computer and it was shut down

@Slavik and how is wordpress the problem? it wasn't even effected and it is no where linked with xenforo, my word press is only for front page only i have access wp-admin and normal users cannot login cozz i took that out

Thanks for the links. Were those other forums hacked the same way like yours was?

Till you hear from your host, it would be best imho to make a thorough check up of your server space for any suspicious file(s) and the likes.

If I were you I would fill in a support ticket as well to your customer area here at xenforo so one of the staff can check/investigate this further/deeper.

 

[XxUnkn0wnxX]

yes those other sites where hacked same/similar way not sure as i am still not sure how it was done but they lost more then i did

i have not found any files changed or new files + i have sitelock - https://www.sitelock.com/ scanning my site every day no suspicious files detected.

disk usage is still the same as i last saw it

 

[Slavik]

@Slavik and how is wordpress the problem? it wasn't even effected and it is no where linked with xenforo, my word press is only for front page only i have access wp-admin and normal users cannot login cozz i took that out

I bet they used a wordpress exploit to gain shell access to your server, and did the damage from there.

Just because "wordpress wasn't effected" doesn't mean its not the cause.

If you want to send a ticket in with the root login details of your server, we can take a look and see if we can spot anything.

However, in every single case weve ever investigated, the cause has never been XenForo.

 

[Dakis]

In one of those forums, it says that one of the admins deleted all the nodes.

None of the "hacking" bull we've been seeing in this thread.

 

[XxUnkn0wnxX]

I bet they used a wordpress exploit to gain shell access to your server, and did the damage from there.

Just because "wordpress wasn't effected" doesn't mean its not the cause.

If you want to send a ticket in with the root login details of your server, we can take a look and see if we can spot anything.

However, in every single case weve ever investigated, the cause has never been XenForo.

i have went through my logs no one got access via ssh only my ip is in the list and i can confirm i was on via ssh during the times i shows in the logs. though there have been many attempts but all failed

 

[borbole]

Do you have other forums/scripts installed in your server? Even for testing purposes or left over from before etc?