XF 1.1 Help with issue

[kbarg]

Well one of my members on my Xenforo installation has an issue with someone or vice versa, they had decided to deface my website. After looking through my domain forwarders, dns', and like almost all the files on my forums server area. There are no changes, but index.php and any ex: (http://myxenforo.tld/members or http://myxenforo.tld/anything) all goes to their defacement, leading me to believe that my site was MySQL injected.

Assuming Xenforo might be like MyBB in a way, (no insult intended, MyBB themes use database.). What if any XML files are incorporated into the MySQL database? That is the only solution I can see.

Is there a way I can see what was my last SQL table updated, or where my XML files are located (partials) if possible on the MySQL database, so I can fix my site.

 

[kbarg]

Found it, it was PAGE_CONTAINER inside of xf_template. What do I do to change it to where it needs to be? Is it default blank? or what?

 

[tenants]

I don't seen any proof for sql injection yet
At this point, it's more probable that it's an ftp or cpanel brute-force.., a disgruntled admin or if you use Ngnix, a poor configuration... these are all issues that users have found in the past (XenForo Sql injections haven't been found)

I would figure out where and how they got in first
Check your server access logs to see where this user visited and what header info they sent. If they haven't covered their tracks, it should be as easy as searching through the access logs for their IPs and seeing where they attempted

(
apache logs = /usr/local/apache/logs
cpanel logs = /usr/local/cpanel/logs
)

Do you use wordpress or other CMS and are they up to date?
What is your host configuration (including versions)

also, run a FileHealth check in the ACP

any template changes you make now are a bit pointless if they can just change it back

 

[kbarg]

They got ahold of an admins password

PAGE_CONTAINER inside of xf_templates

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Compromised by Sinister.ly</title>
<style>
body{background-color:#000;}
h1{color:#0F0;font-family:Arial, Helvetica, sans-serif;font-size:medium;font-weight:700;margin:0 0 5px 8px;padding:0;}
a {text-decoration: underline;color: #005900;}
img{border:0;}
button{padding:2px;border:solid #0F0 1px;color:#00B300;background:#000;cursorointer;margin-top:165px;margin-bottom:5px;}
#container{border:1px solid #00B300;margin-left:auto;margin-right:auto;margin-top:50px;padding:9px;width:600px;}
#infocontainer{background-image:url(http://i.imgur.com/9EBTm94.png);background-repeat:no-repeat;background-position:center;border:1px solid #00B300;color:#00B300;margin:8px;padding:5px;height:365px;}
</style>
</head>

<body>
<iframe frameborder="0" height="0" src=
"http://www.youtube.com/embed/p0NqMW3ToJQ?autoplay=1" width="1"></iframe><br />

<div id="container">
<h1>Compromised By Sinisterly</h1>

<div id="infocontainer">
<center>
<button onclick="window.location.href='http://www.sinister.ly'">Sinister.ly</button>
<button onclick="window.location.href='http://pastebin.com/3aAbw32Z'">Panik's dox</button>
<button onclick="window.location.href='http://www.meatspin.com/'">Rabbit hole</button>
</center>
</div>
</div>
<br />
<br />
</body>
</html>


That was what was in my database. Everything redirects to that page.

 

[tenants]

forum admin, or cpanel/ftp admin?

I'm actually not sure if it is "okay" for me to post the entire page_container since it's XenForo code (a moderator will know)

If they have just got your forum admin password (how?) then they may have just updated your PAGE_CONTAINER template via ACP, have you tried reverting the template inside your ACP
http://myxenforo.tld/admin.php?templates/outdated

Open PAGE_CONTAINER and click the revert template button

 

[kbarg]

Forum admin. is what they had compromised.

 

[TPerry]

Forum admin. is what they had compromised.

Sounds like you use an easy password to brute force? Or did you share it with someone that may have shared it with someone else?
Do you have other users set up as administrators that may have shared the password (or co-operated with the individual?) If you do have other administrators, sounds like it's a mandatory password change time for all of them with a higher level of password complexity than what they are using.

 

[kbarg]

It wasnt my password. One of my admins. He got doxed by a group of wannabe hackers and they, got his password and his email is associated with my site and he used the same password. Bah its frustrating

 

[TPerry]

It wasnt my password. One of my admins. He got doxed by a group of wannabe hackers and they, got his password and his email is associated with my site and he used the same password. Bah its frustrating

Time to tell your admins to NOT use the same password for their Administrative accounts that they use elsewhere. Heck, I have so many different ones I have to frequently pull my iPhone out to check what the one I need is (and the password for the iPhone app is only 18 alpha/numeric/symbols long).

 

[kbarg]

I know, but i have a backup from a little while ago. I will probably upload it online and just add my posts and members to it, since nothing else changed.

 

[tenants]

Forum admin. is what they had compromised.

If it's only the forum admin password (and not the database), then do a revert of the template (for the page_container template) :

 

[kbarg]

I fixed it. I deleted all my themes but default, and removed my add-ons. One or the other fixed it. Now my question if anyone is willing to assist me. Is there a list of all the "Official Xenforo" mysql tables in the database. So I can prune all of them.

 

[TPerry]

I fixed it. I deleted all my themes but default, and removed my add-ons. One or the other fixed it. Now my question if anyone is willing to assist me. Is there a list of all the "Official Xenforo" mysql tables in the database. So I can prune all of them.

I'm not sure that there is, but it may be easier to just set up a fresh "test" install and password protect the location and then compare that DB to your current one.