
XF 1.1 Help with issue

Discussion in 'Troubleshooting and Problems' started by kbarg, Jul 2, 2013.

  1. kbarg

    kbarg Member

    Well, one of my members on my XenForo installation has an issue with someone (or vice versa), and they decided to deface my website. After looking through my domain forwarders, DNS, and almost all the files in my forum's server area, there are no changes, but index.php and anything else (e.g. http://myxenforo.tld/members or http://myxenforo.tld/anything) all go to their defacement, leading me to believe that my site was MySQL injected.

    Assuming XenForo might be like MyBB in a way (no insult intended; MyBB themes use the database), what, if any, XML files are incorporated into the MySQL database? That is the only solution I can see.

    Is there a way I can see which of my SQL tables was updated last, or where my XML files (partials) are located in the MySQL database, if possible, so I can fix my site?
  2. kbarg

    kbarg Member

    Found it; it was PAGE_CONTAINER inside of xf_template. What do I do to change it to where it needs to be? Is it blank by default, or what?
  3. tenants

    tenants Well-Known Member

    I don't see any proof of SQL injection yet.
    At this point, it's more probable that it's an FTP or cPanel brute force, a disgruntled admin or, if you use Nginx, a poor configuration... these are all issues that users have found in the past (XenForo SQL injections haven't been found).

    I would figure out where and how they got in first.
    Check your server access logs to see where this user visited and what header info they sent. If they haven't covered their tracks, it should be as easy as searching through the access logs for their IPs and seeing where they attempted

    apache logs = /usr/local/apache/logs
    cpanel logs = /usr/local/cpanel/logs

    Do you use WordPress or another CMS, and are they up to date?
    What is your host configuration (including versions)?

    also, run a FileHealth check in the ACP

    any template changes you make now are a bit pointless if they can just change them back
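    The log review suggested above, worked through as an added example (this is not code from the thread or from XenForo): the script parses Apache combined-format access log lines, groups every request to the admin control panel by source IP, and pulls out the POSTs, since those are the requests that log in and save templates. The log lines, the IPs and the admin.php URLs are constructed for the example; the real log lives under the path tenants gives above and the ACP URLs on a given install may differ.

```python
import re
import sys
from collections import defaultdict

# Apache "combined" log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one source IP logs into the ACP and saves a template,
# a second IP only browses. IPs are documentation ranges, not real addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2013:03:11:02 +0000] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2013:03:11:09 +0000] "POST /admin.php?login/login HTTP/1.1" 303 0 "http://myxenforo.tld/admin.php" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2013:03:12:40 +0000] "POST /admin.php?templates/PAGE_CONTAINER.1/save HTTP/1.1" 303 0 "http://myxenforo.tld/admin.php?templates/PAGE_CONTAINER.1/edit" "Mozilla/5.0"
198.51.100.21 - - [02/Jul/2013:09:30:00 +0000] "GET /members/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.21 - - [02/Jul/2013:09:30:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per parseable line; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def admin_activity(entries, prefix="/admin.php"):
    """Map each source IP to the ACP requests it made, in log order."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"].startswith(prefix):
            by_ip[e["ip"]].append((e["ts"], e["method"], e["path"], e["status"]))
    return dict(by_ip)


def admin_writes(entries, prefix="/admin.php"):
    """ACP POSTs only: logins and saves are the requests that change state."""
    return [e for e in entries if e["method"] == "POST" and e["path"].startswith(prefix)]


def requests_from(entries, ip):
    """Everything one IP did, with the user agent it sent, to follow its path through the site."""
    return [(e["ts"], e["method"], e["path"], e["ua"]) for e in entries if e["ip"] == ip]


if __name__ == "__main__":
    # Usage: python acp_log_review.py /usr/local/apache/logs/access_log  (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    entries = parse_log(text)
    for ip, reqs in admin_activity(entries).items():
        print(ip)
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} -> {status}")
```

    Once an IP stands out, feed it to requests_from() to see the full sequence it followed; the referer and user agent columns are the "header info" the post above refers to.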
  4. kbarg

    kbarg Member

    They got ahold of an admin's password.

    PAGE_CONTAINER inside of xf_templates

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

    <html xmlns="http://www.w3.org/1999/xhtml">
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    <title>Compromised by Sinister.ly</title>
    h1{color:#0F0;font-family:Arial, Helvetica, sans-serif;font-size:medium;font-weight:700;margin:0 0 5px 8px;padding:0;}
    a {text-decoration: underline;color: #005900;}
    button{padding:2px;border:solid #0F0 1px;color:#00B300;background:#000;cursor:pointer;margin-top:165px;margin-bottom:5px;}
    #container{border:1px solid #00B300;margin-left:auto;margin-right:auto;margin-top:50px;padding:9px;width:600px;}
    #infocontainer{background-image:url(http://i.imgur.com/9EBTm94.png);background-repeat:no-repeat;background-position:center;border:1px solid #00B300;color:#00B300;margin:8px;padding:5px;height:365px;}

    <iframe frameborder="0" height="0" src=
    "http://www.youtube.com/embed/p0NqMW3ToJQ?autoplay=1" width="1"></iframe><br />

    <div id="container">
    <h1>Compromised By Sinisterly</h1>

    <div id="infocontainer">
    <button onclick="window.location.href='http://www.sinister.ly'">Sinister.ly</button>
    <button onclick="window.location.href='http://pastebin.com/3aAbw32Z'">Panik's dox</button>
    <button onclick="window.location.href='http://www.meatspin.com/'">Rabbit hole</button>
    <br />
    <br />

    That was what was in my database. Everything redirects to that page.
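    A way to find such an edit without reading every template by hand, added here as an example that is not the thread's or XenForo's code: scan the stored template rows for the markers the defacement above used (a hidden iframe, inline onclick redirects, references to hosts that are not the forum's own). The rows would come from something like SELECT style_id, title, template FROM xf_template (column names assumed); the rows, hosts and template bodies below are constructed for the example.

```python
import re

# Heuristic markers that a stock PAGE_CONTAINER does not contain but the
# defacement above did. A hit is a reason to look, not proof on its own.
SUSPICIOUS_PATTERNS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "inline_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "location_redirect": re.compile(r"window\.location", re.I),
    "external_script": re.compile(r"<script\b[^>]*\bsrc=", re.I),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Hosts a legitimate template is allowed to reference (assumed for this example).
ALLOWED_HOSTS = {"www.w3.org", "myxenforo.tld"}

# Constructed rows: (style_id, title, template). Row 2 imitates the defacement
# with placeholder hosts instead of the real ones.
CLEAN_CONTAINER = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>{$title}</title></head>
<body><a href="{xen:link members}">Members</a>{xen:raw $contents}</body></html>"""

DEFACED_CONTAINER = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Compromised</title></head><body>
<iframe frameborder="0" height="0" width="1" src="http://video.example/embed?autoplay=1"></iframe>
<button onclick="window.location.href='http://defacer.example'">go</button>
</body></html>"""

SAMPLE_ROWS = [
    (1, "PAGE_CONTAINER", CLEAN_CONTAINER),
    (2, "PAGE_CONTAINER", DEFACED_CONTAINER),
    (1, "footer", '<div class="footer"><a href="{xen:link help}">Help</a></div>'),
]


def scan_template(content, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of markers found in one template body (empty if clean)."""
    findings = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(content)]
    hosts = {h.lower() for h in URL_RE.findall(content)}
    findings.extend(f"external_host:{h}" for h in sorted(hosts) if h not in allowed_hosts)
    return findings


def scan_templates(rows, allowed_hosts=ALLOWED_HOSTS):
    """Map (style_id, title) to its findings, keeping only rows with at least one."""
    report = {}
    for style_id, title, content in rows:
        findings = scan_template(content, allowed_hosts)
        if findings:
            report[(style_id, title)] = findings
    return report


if __name__ == "__main__":
    for key, findings in scan_templates(SAMPLE_ROWS).items():
        print(key, findings)
```

    Anything the scan flags is a template to revert from the ACP, and the style it belongs to tells you which styles the attacker touched.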
  5. tenants

    tenants Well-Known Member

    forum admin, or cpanel/ftp admin?

    I'm actually not sure if it is "okay" for me to post the entire page_container since it's XenForo code (a moderator will know)

    If they have just got your forum admin password (how?) then they may have just updated your PAGE_CONTAINER template via the ACP. Have you tried reverting the template inside your ACP?

    Open PAGE_CONTAINER and click the revert template button
    Last edited: Jul 2, 2013
  6. kbarg

    kbarg Member

    Forum admin is what they had compromised.
  7. Tracy Perry

    Tracy Perry Well-Known Member

    Sounds like you use an easy password to brute force? Or did you share it with someone that may have shared it with someone else?
    Do you have other users set up as administrators that may have shared the password (or co-operated with the individual?) If you do have other administrators, sounds like it's a mandatory password change time for all of them with a higher level of password complexity than what they are using.
  8. kbarg

    kbarg Member

    It wasn't my password. One of my admins. He got doxed by a group of wannabe hackers and they got his password; his email is associated with my site and he used the same password. Bah, it's frustrating.
  9. Tracy Perry

    Tracy Perry Well-Known Member

    Time to tell your admins to NOT use the same password for their Administrative accounts that they use elsewhere. Heck, I have so many different ones I have to frequently pull my iPhone out to check what the one I need is (and the password for the iPhone app is only 18 alpha/numeric/symbols long).
  10. kbarg

    kbarg Member

    I know, but I have a backup from a little while ago. I will probably upload it online and just add my posts and members to it, since nothing else changed.
  11. tenants

    tenants Well-Known Member

    If it's only the forum admin password (and not the database), then do a revert of the template (for the page_container template):

  12. kbarg

    kbarg Member

    I fixed it. I deleted all my themes but the default, and removed my add-ons. One or the other fixed it. Now my question, if anyone is willing to assist me: is there a list of all the "official XenForo" MySQL tables in the database, so I can prune all of them?
  13. Tracy Perry

    Tracy Perry Well-Known Member

    I'm not sure that there is, but it may be easier to just set up a fresh "test" install and password protect the location and then compare that DB to your current one.
