XF 1.5 Is this standard xenforo code or malicious?

[Chris Radford]

We're constantly having our site injected with malicious ads despite cleaning up old files, updating plugins, changing pw's and more.
We're working with a security company who have highlighted some of the malicious code has been injected into the database and cannot be removed via template edits. They've attempted to remove the foreign code from the database directly but this breaks the forum.

Firstly, is the below part of standard xenforo code- and, if not, what is it?

<iframe id="rufous-sandbox" scrolling="no" allowtransparency="true" allowfullscreen="true" style="position: absolute; visibility: hidden; display: none; width: 0px; height: 0px; padding: 0px; border: medium none;" frameborder="0">

Secondly, can anybody offer help (paid if required) to clean up our database? I do have some info from the security company we work with.

Thanks for your responses.

 

[Paul B]

Without knowing the nature of the corruption, an XF to XF import may work.

Only core XF content would be imported so any add-on content would be lost.

The first step though would be to identify how they are gaining access, close that off, and ensure the server is clean.

 

[Chris Radford]

Without knowing the nature of the corruption, an XF to XF import may work.

Only core XF content would be imported so any add-on content would be lost.

The first step though would be to identify how they are gaining access, close that off, and ensure the server is clean.

Thank you for such a prompt reply.

We've ensured the site is clean and changed all access & database users/passwords etc.
Sucuri is the company we use to sit behind their firewall and a scan currently shows our site has clean.

Despite this, I've had to remove malicious code once more from the template files. They also seem to be stopping some javascript running on-site in place of their own.

The code I entered into the first post, does that look legitimate?

Many thanks for the response.

 

[Chris Radford]

Sucuri did attempt to remove the malcious entries from the database but it broke the site; please see the response below:

Hello,

I was able to get a dump of the database and inspect further and I can see the flogin code in some entries in the database which are encoded as binary code which would indicate that the forum is not rebuilding the templates, the binary code would have to be replaced by the software as I suspect that this is how it caches the templates.

I can try to edit the code and upload it back on to the database but I cannot be certain that this will not cause any damage, I recommend taking a backup of the database before we proceed and let us know once we can do so.


Here is your table structure:
http://pastepic.sucuri.us/10080/YbbPW9rr2M6P3smul8b1YbCiKxI3ByzY.png

Here is what was matched to contain flogin:
http://pastepic.sucuri.us/10080/dy99PwbOGBXZWkAZm3jDMk062NDmSqtf.png


template_compiled mediumblob Executable PHP code built by template compiler

You can see that there is still flogin code in the "template_compiled" fields which are "mediumblob" which corresponds with a binary code and this code is built by the template compiler on your software.

This would further indicate that the software is not rebuilding this correctly.

Unfortunately it looks like any modifications to the binary files causes the website to experience errors, we have cleaned the malware from the template but the already compiled version inside the database is still infected and it appears that your software is unable to rebuild the template and replace those binaries on its own.

 

[Steve F]

Pretty certain that <iframe> is from a Twitter widget.

 

[Chris Radford]

Thanks Steve, that makes sense. As have a plugin for social buttons etc.

If I can get any feedback from anyone on the reply Sucuri sent us reference the database infection, please.

 

[Paul B]

If the malicious code is in the templates then it should be possible to remove it by rebuilding the master data but it depends on the nature of the hack.

 

[Chris Radford]

If the malicious code is in the templates then it should be possible to remove it by rebuilding the master data but it depends on the nature of the hack.

Thanks Brogan, I just went ahead and rebuilt the master data successfully.
Sucuri stated the malicious code was in the templates but also in the binary code of the database - thoughts?
How would I know establish whether or not the database is now clean? Should I pass this back to Sucuri or is there a way I can check?

To confirm I have now;

Cleaned All Templates
Rebuilt Master Data
Changed all Admin Passwords
Changed Database Credentials
Removed FTP Accounts
Had Sucuri Verify the website files are clean (to their knowledge)
Updated Xenforo software & applicable plugins
Remove outdated plugins which don't have updates

 

[Mike]

The links in what Sucuri said don't appear to work, but rebuilding the master data should recompile all templates, so if the data isn't in the uncompiled version, it should be removed when recompiling. Whoever analyzed the database should be able to confirm that now that the master data has been rebuilt.

 

[Chris Radford]

Thanks for all your responses, heading back to Sucuri.

Regards,

 

[adwade]

Despite this, I've had to remove malicious code once more from the template files.

You might want to consider using these add-ons: Template Security -and/or- DragonByte Security to keep a better eye on your templates.