Importing & scrubbing a database

SandyF

Member
Greetings - VB 3.8.6 customer looking to switch here.

My issue is that I've had a nasty SQL injection hack and my forum database is compromised. We are looking for the injection code to try and scrub it clean. I have a couple of older backups, but we weren't backing up regularly (insert shame here). So, the most recent backups are from after the injection attacks started and I don't know what has and hasn't been compromised.

Is there any way in your importer to NOT import certain things that might be code compromised? This hacker has hit me 4 times in the past 40 days, and gone beyond just messing with my forum admin account - the last two times he deleted every last file on the server and uploaded his own page.

Thanks!
 
Well, I am not sure about parts of the database coming through the importer, but you have a lot of db to look through to find the inserted code. For the files I would recommend just scanning them with a virus scanner. If you have any other details, that would help, thank you.
 
If the files on the server are being deleted then the server itself has been compromised. You should change all FTP logins. It can be difficult to find the exact point of entry though.

Regarding your concerns about the import... in my experience it is rare for hackers to hide malicious code in your database. Most of the time the goal is to deface and disrupt. If there is malicious code then it's usually in an executable area like a template or plugin which is not part of the import. The main concern is if the hacker deleted any content from the database (forums, posts, users, etc).

It is important to note that if your server has been compromised then XenForo is also vulnerable if installed on the same server. You should secure your server first, or get a new server. Follow good security practices like using secure passwords.
 
Thanks!

We had our host move us to a new server and new account on Friday. The first SQL injection was some base64 code that hijacked all the templates. A query removed that code and life was good. Then about 3 weeks later, the main forum index code was jacked; I could still get into my admin account, but the hacker had changed over the email address to his own. The third hack, he deleted all the files in your host account and did another code injection to the database so that he took over my admin account (now I can't change the password or email address on the account; it reverts right back to his). I created a new admin using the tools, but cannot change the usergroup of anyone on the board, so I think there is something in the templates again. I ran the same query as the first hack but found nothing. I changed every password to everything that has a password multiple times. I've run virus scans with NOD32 on every system that accesses FTP or the cPanel on that account. Yet, still....

It does not look to me like anything has been deleted from the database; my users could log in and all seemed fine. I don't even have a problem if everyone has to re-register, but there are some legacy posts that I really want to hold onto, even if the accounts that made those posts are no longer usable. I'm happy to make a switch; like most users I was displeased with what happened with "that other forum product" and if I can safely import my database in without the templates or any other table that might have a security hole, I'd be a happy camper.
 
It sounds like the users and posts are still there which is good.

Of course you should restore a backup after being hacked like this. But if no backup is available then it's usually possible to repair the damage assuming they didn't delete anything. It sounds like your hacker is just defacing stuff. I have seen that base64 template stuff before.
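The base64 template injection mentioned above is easy to spot by scanning a SQL dump before deciding what to import or clean. The script below is an added example, not code from this thread or from XenForo/vBulletin; the `template` table name, its column layout and the dump rows are constructed assumptions for illustration.

```python
import re

# Constructed sample resembling rows of a forum template table in a SQL dump.
# Table name and column order are assumed for illustration, not taken from the thread.
SAMPLE_DUMP = "\n".join([
    "INSERT INTO `template` VALUES (1,'header','<div id=\"header\">{vb:raw bbtitle}</div>');",
    "INSERT INTO `template` VALUES (2,'footer','<div id=\"footer\"></div>"
    "<?php eval(base64_decode(\"ZGVmYWNlZA==\")); ?>');",
    "INSERT INTO `template` VALUES (3,'navbar','<ul class=\"navbar\">{vb:raw navbar}</ul>');",
    # A row padded with a long opaque run, the shape an encoded payload usually has.
    "INSERT INTO `template` VALUES (4,'forumhome','<div>" + "A" * 120 + "</div>');",
])

# (label, regex) pairs: functions and markup that have no business inside a forum template.
MARKERS = [
    ("eval(", r"eval\s*\("),
    ("base64_decode(", r"base64_decode\s*\("),
    ("gzinflate(", r"gzinflate\s*\("),
    ("str_rot13(", r"str_rot13\s*\("),
    ("<iframe", r"<iframe"),
    ("document.write(unescape", r"document\.write\s*\(\s*unescape"),
]
# Heuristic: 100+ consecutive base64-alphabet characters, with or without '=' padding.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES \(\d+,'([^']*)'")


def scan_dump(text):
    """Return one finding per INSERT row that carries an injection indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INSERT_RE.search(line)
        if not m:
            continue  # not a row insert (DDL, comments, blank lines)
        hits = [label for label, pat in MARKERS if re.search(pat, line, re.I)]
        if LONG_B64.search(line):
            hits.append("long base64-like run")
        if hits:
            findings.append({"line": lineno, "table": m.group(1),
                             "title": m.group(2), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"line {f['line']}: {f['table']}.{f['title']} -> {', '.join(f['indicators'])}")
```

Run it against a real dump (e.g. `scan_dump(open('backup.sql').read())`) to list the template rows to restore from a clean copy; a long encoded run in a template is worth a look even when no known function name appears.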
 
Where to begin...

1. If you have the resources I would consider a VPS or dedicated server and set up mod_security, as that gets rid of a lot of security threats.
2. If you have any plugins I would disable them with
Code:
define('DISABLE_HOOKS', true);
after
Code:
<?php
just to determine if it is a hosting issue or plugin. Also, if I recall correctly, 3.8.6 had a security flaw in the FAQ; are you running PL1?
3. I think if you switched, you would just need to change your passwords, as if you switch hosts your filesystem won't be compromised and XenForo uses a different database structure than vB. I am sorry if I have typos; for some reason I can not see my text :(.
 
Oh, I think I know you :)
 