XF 1.5 How To Clean Up After Compromise

[Glenn Kilpatrick]

Hi Guys,

Unfortunately my website was hacked. I actually think the cause of the problem was Wordpress which Im going to totally clean out and reinstall fresh.

However xenforo is on the same domain and showing as containing malware in Google who have added a warning to my listing.

So I would like to totally clean out Xenforo.

What files go and what files stay ??

Is there a guide on cleaning up after a compromise ?? I still dont think its xenforo although best I clean out everything.

 

[whynot]

Is XF in a folder?
Just an opinion what should be done:

Make a full backup of XF.
Keep the database.
Delete the folder.
Reinstall XF and the addons.
Provided that not some of the addons are causing the problem your forum should be free of malware.

Wait for the staff to answer officially.

 

[ManagerJosh]

You'll need to identify the root cause of how they got in. Plus you need to identify if they have setup backdoors to return.

There's a lot of different considerations here, but I strongly recommend retaining the services of someone who deals with incident response and handling.

Not to mention too regulatory issues as well

 

[Glenn Kilpatrick]

Im pretty certain there is nothing hacked in the xenforo folder. Having dealt with hundreds of hacks Im certain its wordpress (It always is). Plus I was running a very old version of wordpress and plugins for a long time, so its my own fault, I should no better. That said I want to clean everything.

Im very familiar with cleaning a wordpress hack, I can do that with my eyes shut.

My question is xenforo is in a separate folder called forum. Do I delete everything in forum folder and reinstall clean, or are there a few files I need to keep, such as a config file which connects to database etc ?

 

[Paul B]

Yes, take a copy/backup of the library/config.php file.

You will also need to keep the files in the data and internal_data directories, as that is where attachments and avatars are stored.
They will all need to be checked for compromised or malicious files.

As will the database, templates, etc.

 

[Glenn Kilpatrick]

Thanks Brogan, Spot on advice yet again.

 

[ManagerJosh]

Please also take a moment to change all pepper keys, as well as all usernames and passwords associated with services accounts (like the config.php username/passwords)

 

[Paul B]

Starting with your email account, to which any password resets may be sent.

 

[ManagerJosh]

And if you're in the EU or US, you have potential data breach laws you need to observe. Failure to do so results in fines.

 

[Glenn Kilpatrick]

Just an update guys. Ive had a friend with server knowledge do some checks. This is an email I recieved from him. I dont think sftp was breached and I would doubt that Xenforo could have been compromised.

I have a wordpress in installation in the root of this domain. is it possible that they got in there ??

Hi Glen

It looks like the following files are sending spam out.

./holder/public_html/forum/library/Zend/Validate/File/xml21.php
./holder/public_html/forum/internal_data/info.php
./holder/public_html/forum/internal_data/dirs34.php

I have now renamed those files with a .suspect on the end.

I'm guessing the files got in there with a bad sftp password , if not it could be some other exploit that we don't know about. If the holder password is weak you/we should change it asap. Let me know if you want me to do that.

I am also going to change the sendmail config so it cannot send emails from accounts that don't exist on the server, such as ann_jones@holderness-coasts-fishing.co.uk. That way if there is a php spam script it wont be able to send out from random users.

I have installed fail2ban and setup ssh and email checks.

I have ran a YUM update and rebooted the server so it has the latest updates.

I notice a few spam posts for flooring etc on the boards , not sure what you usually do with those , I' guessing they need to be removed by admin and the user removed too.

I think the next step is :
I'll need to you to order the SSL cert so it has your contact , C/Ccard detals etc. To do this we need to get together for 30 mins and I'll take you through the ordering .

I'll look around to see if I can find any other exploits.

Cheers ​

 

[Mike]

I have a wordpress in installation in the root of this domain. is it possible that they got in there ??

Very definitely possible. WordPress is an extremely popular target.

 

[Glenn Kilpatrick]

Cheer Mike. yes my Old Version of Wordpress was well out of date as were some of the plugins.

I cleared out wp thinking that would solve the iddues but it seems they put something in Xenforo folder.

Im cleaning now ready to resubmit to Google.

Fingers crossed this time round.

 

[Glenn Kilpatrick]

Inside

Internal data/attachments/0

There are lots of files ending .Dat, is this normal, as I cant understand what should be in an attachment folder other than .jpeg ?

 

[Mike]

All attachments are stored in that directory as .data files. That's expected.

 

[Glenn Kilpatrick]

Thankyou, Ill put them back then. Just looked a bit odd

 

[Glenn Kilpatrick]

Ok Im struggling just a little bit.
I deleted everything except essentials as mentioned above.

Im now at a screen that says the lines below. Obviosuly i dont want to delete the existing database. So what to do ?? :

Verify Configuration
Your configuration has been verified.

XenForo is already installed in your database. Continuing will remove all XenForo-related data from your database!

 

[Paul B]

You have likely removed the internal_data/install-lock.php file.

You can restore it from a backup.

 

[Glenn Kilpatrick]

Ohhhh, what a doil. Is there a work around. Sorry i must have misread what you said above.

 

[Paul B]

If you have a backup of the file, restore it to the server.

Otherwise just create a new file with the contents:

<?php header('Location: ../index.php');

 

[Glenn Kilpatrick]

Thanks Ill make a new File. i do have a back up, but its of the whole server content so it would be a hassle for one thing.