XF 1.5 Is there any way to undelete a user?

[Wildcat Media]

We had one of our staff member's accounts compromised a few hours ago. They basically logged in as the forum owner and used it to send nonsensical messages. But they also deleted another staff member's account, which goes back to 2002. I've already found which staff account was compromised--thank you, admin logs!!

Is there a way to run a query to tie the member's content back to a new user account? Would the threads and posts still include the original account ID of the member? Or, could I go into the database and change that member's new database ID back to their old one?

 

[Paul B]

The short answer is no - you would have to restore from a backup.

If the content is still present then it is possible but it would require various queries.

 

[Wildcat Media]

We're open to a handful of queries. Restoring a backup also means all the evidence I'm trying to gather would be wiped, not to mention several other things going on that I was doing to mitigate it. Inconvenient, but I could probably work from the compromised database offline somewhere if I had to. The damage was minimal.

Our staff member seems to think his account is still there. The compromise was more like an "annoying little pest" incident than anything else. The host still has our forum's directory locked up so I can't get to it, but I was about to go looking through logs to see if maybe the intruder created another account and moved the content there via an account merge.

I'll report back with what I find next.

 

[Wildcat Media]

The short answer is no - you would have to restore from a backup.

We do have that option, but...

I'm wondering if there is a mail queue in XenForo. I noticed that our host cut us off from sendmail due to the large number of private conversations that were being generated. That is something I would want to flush before re-enabling the forum, if it even exists.

 

[Wildcat Media]

I found it. I truncated the mail queue table.

 

[duderuud]

Backup the compromised database, restore a backup from before.

Restore the compromised database to a second instance to do your investigation.

 

[Wildcat Media]

11 queries for XenForo, plus three for an add-on. I think that covers most of it. I'm having our guy check his account to see what's still missing. Prior to his inspection, though, I've restored his user ID to posts and threads, poll votes, private conversations, and trader feedback for the add-on. Because user was also on staff, I was able to tie reports and report comments back to the new user ID, as well as the moderator logs. (I am not touching the admin log--I need some of that information intact.)

The only thing I can't fully restore are profile posts, namely due to how the tables are set up. What made this job easier was having the member's username in some of the database columns in addition to user_id, so by searching on user ID 0 and the username, I could positively reassign many of these items. Because this user had deleted all of his profile posts a month ago (when we removed the feature), I had nothing to test it on.

For the xf_profile_post table, there are both profile_user_id and user_id columns, and I can only positively identify user_id with the username column. All I could do is restore the user ID where the profile_user_id and user_id columns are the same value, meaning, someone posted either a profile post, or a comment to a profile post, under their own account's profile posts.

I rebuilt counters and caches where needed, and I'm reindexing the search engine (which I haven't done in a few months). If all goes well, I think we'll have this user restored. He wasn't overly concerned about losing all the posts (even though there were over 21,000 posts from 18 years!) or conversations, but it was a nice surprise to get them back, as well as a challenge for me to figure all of this out.

I'm reluctant to post queries only because I won't be responsible for anyone damaging their database by using them. We all have a backup (right?), but it's still an inconvenience.