
XF 1.5 How To Clean Up After Compromise

Discussion in 'Troubleshooting and Problems' started by Glenn Kilpatrick, May 11, 2016.

  1. Hi Guys,

    Unfortunately my website was hacked. I actually think the cause of the problem was WordPress, which I'm going to totally clean out and reinstall fresh.

    However XenForo is on the same domain and showing as containing malware in Google, who have added a warning to my listing.

    So I would like to totally clean out XenForo.

    What files go and what files stay?

    Is there a guide on cleaning up after a compromise? I still don't think it's XenForo, although best I clean out everything.
     
  2. whynot

    whynot Well-Known Member

    Is XF in a folder?
    Just an opinion what should be done:

    Make a full backup of XF.
    Keep the database.
    Delete the folder.
    Reinstall XF and the addons.
    Provided that none of the addons are causing the problem, your forum should be free of malware.

    Wait for the staff to answer officially.
     
  3. ManagerJosh

    ManagerJosh Well-Known Member

    You'll need to identify the root cause of how they got in. Plus you need to identify if they have setup backdoors to return.

    There's a lot of different considerations here, but I strongly recommend retaining the services of someone who deals with incident response and handling.

    Not to mention regulatory issues as well :)
     
  4. I'm pretty certain there is nothing hacked in the XenForo folder. Having dealt with hundreds of hacks, I'm certain it's WordPress (it always is). Plus I was running a very old version of WordPress and plugins for a long time, so it's my own fault, I should know better. That said, I want to clean everything.

    I'm very familiar with cleaning a WordPress hack, I can do that with my eyes shut.

    My question is: XenForo is in a separate folder called forum. Do I delete everything in the forum folder and reinstall clean, or are there a few files I need to keep, such as a config file which connects to the database etc.?
     
  5. Brogan

    Brogan XenForo Moderator Staff Member

    Yes, take a copy/backup of the library/config.php file.

    You will also need to keep the files in the data and internal_data directories, as that is where attachments and avatars are stored.
    They will all need to be checked for compromised or malicious files.

    As will the database, templates, etc.
     
  6. Thanks Brogan, spot on advice yet again.
     
  7. ManagerJosh

    ManagerJosh Well-Known Member

    Please also take a moment to change all pepper keys, as well as all usernames and passwords associated with services accounts (like the config.php username/passwords)
     
  8. Brogan

    Brogan XenForo Moderator Staff Member

    Starting with your email account, to which any password resets may be sent.
     
  9. ManagerJosh

    ManagerJosh Well-Known Member

    And if you're in the EU or US, you have potential data breach laws you need to observe. Failure to do so results in fines.
     
  10. Just an update guys. I've had a friend with server knowledge do some checks. This is an email I received from him. I don't think SFTP was breached and I would doubt that XenForo could have been compromised.

    I have a WordPress installation in the root of this domain. Is it possible that they got in there?


    Hi Glen

    It looks like the following files are sending spam out.

    ./holder/public_html/forum/library/Zend/Validate/File/xml21.php
    ./holder/public_html/forum/internal_data/info.php
    ./holder/public_html/forum/internal_data/dirs34.php

    I have now renamed those files with a .suspect on the end.

    I'm guessing the files got in there with a bad SFTP password; if not, it could be some other exploit that we don't know about. If the holder password is weak you/we should change it asap. Let me know if you want me to do that.

    I am also going to change the sendmail config so it cannot send emails from accounts that don't exist on the server, such as ann_jones@holderness-coasts-fishing.co.uk. That way if there is a PHP spam script it won't be able to send out from random users.

    I have installed fail2ban and setup ssh and email checks.

    I have run a YUM update and rebooted the server so it has the latest updates.

    I notice a few spam posts for flooring etc. on the boards, not sure what you usually do with those, I'm guessing they need to be removed by admin and the user removed too.

    I think the next step is:
    I'll need you to order the SSL cert so it has your contact, credit card details etc. To do this we need to get together for 30 mins and I'll take you through the ordering.

    I'll look around to see if I can find any other exploits.

    Cheers
     
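    A defender's check for the kind of planted scripts the email above found under internal_data, as an added example (Python; not XenForo's code and not the poster's friend's tooling). It assumes the layout this thread describes: uploads live under data/ and internal_data/ as .data files, and the only PHP file expected there is internal_data/install-lock.php, which is allow-listed; the sample tree it builds is constructed.

```python
import os
import tempfile
from pathlib import Path

# Added example, not XenForo's own code. Assumes the layout the thread describes:
# uploads live under data/ and internal_data/ as .data files (per Mike), and the
# only PHP file expected there is internal_data/install-lock.php (per Brogan).
UPLOAD_DIRS = ("data", "internal_data")
SCRIPT_SUFFIXES = {".php", ".phtml", ".php3", ".php5", ".phar"}
ALLOWED_SCRIPTS = {Path("internal_data/install-lock.php")}


def looks_like_php(path):
    """True if the first 4 KiB of the file contain a PHP open tag."""
    try:
        with open(path, "rb") as fh:
            return b"<?php" in fh.read(4096)
    except OSError:
        return False


def find_suspect_files(forum_root):
    """Sorted (relative_path, reason) pairs for upload-dir files that should not be PHP."""
    root = Path(forum_root)
    suspects = []
    for upload_dir in UPLOAD_DIRS:
        for dirpath, _, filenames in os.walk(root / upload_dir):
            for name in filenames:
                full = Path(dirpath) / name
                rel = full.relative_to(root)
                if rel.suffix.lower() in SCRIPT_SUFFIXES:
                    if rel not in ALLOWED_SCRIPTS:
                        suspects.append((str(rel), "script extension in upload dir"))
                elif looks_like_php(full):
                    suspects.append((str(rel), "PHP open tag inside non-script file"))
    return sorted(suspects)


def build_sample_tree():
    """Constructed sample forum tree (not real data) so the check runs offline."""
    root = Path(tempfile.mkdtemp(prefix="xf-sample-"))
    files = {
        "internal_data/install-lock.php": b"<?php header('Location: ../index.php');",
        "internal_data/attachments/0/1-abc.data": b"\xff\xd8\xff constructed image bytes",
        "internal_data/dirs34.php": b"<?php /* constructed planted script */",
        "data/avatars/l/0/7.jpg": b"\xff\xd8\xff constructed avatar bytes",
        "data/attachments/9.data": b"<?php /* constructed PHP hidden in a .data file */",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root
```

    Run it with `find_suspect_files(build_sample_tree())`, or point `find_suspect_files` at a real forum root; anything it reports should be checked by hand before deletion, since a legitimate addon may ship files the allow-list does not know about.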
  11. Mike

    Mike XenForo Developer Staff Member

    Very definitely possible. WordPress is an extremely popular target.
     
  12. Cheers Mike. Yes, my old version of WordPress was well out of date, as were some of the plugins.

    I cleared out WP thinking that would solve the issues, but it seems they put something in the XenForo folder.

    I'm cleaning now, ready to resubmit to Google.

    Fingers crossed this time round.
     
  13. Inside internal_data/attachments/0 there are lots of files ending .Dat. Is this normal, as I can't understand what should be in an attachment folder other than .jpeg?
     
  14. Mike

    Mike XenForo Developer Staff Member

    All attachments are stored in that directory as .data files. That's expected.
     
  15. Thank you, I'll put them back then. Just looked a bit odd :)
     
  16. OK, I'm struggling just a little bit.
    I deleted everything except essentials as mentioned above.

    I'm now at a screen that says the lines below. Obviously I don't want to delete the existing database. So what to do?:

    Verify Configuration
    Your configuration has been verified.

    XenForo is already installed in your database. Continuing will remove all XenForo-related data from your database!
     
  17. Brogan

    Brogan XenForo Moderator Staff Member

    You have likely removed the internal_data/install-lock.php file.

    You can restore it from a backup.
     
  18. Ohhhh, what a doil. Is there a workaround? Sorry, I must have misread what you said above.
     
  19. Brogan

    Brogan XenForo Moderator Staff Member

    If you have a backup of the file, restore it to the server.

    Otherwise just create a new file with the contents:
    PHP:
    <?php header('Location: ../index.php');
     
  20. Thanks, I'll make a new file. I do have a backup, but it's of the whole server content so it would be a hassle for one thing.
     