It seems my forum has been hacked - bug report

Discussion in 'Troubleshooting and Problems' started by buonchit, Apr 9, 2015.

  1. buonchit

    buonchit Member

    I'm using XenForo version 1.4.3. Today some of my sub-forums have been dropped database. I checked the admin log & found that something was very strange:

    The query with "json" letter points to Administrator group.

    I restored the backup files. However after 4 hours, my site had been hacked one more time.

    I just want to let you know as I'll upgrade to the newest version.

    Attached Files: 1.png, 2.png, 3.png, 4.png, 5.png
    Last edited: Apr 9, 2015
  2. Brogan

    Brogan XenForo Moderator Staff Member

    You will need to determine how and when the hackers gained access.
    Upgrading won't resolve the issue if they still have access due to compromised accounts/files, etc.

    When you say "some of my sub-forums have been dropped database", do you mean they deleted the content from the database directly, or deleted the nodes from within the ACP?

    You will have to restore from a backup to regain the deleted content, as well as confirming that there are no compromised files from XF or any other software running on the server.
  3. buonchit

    buonchit Member

    When I say "some of my sub-forums have been dropped database", I meant they deleted the nodes from within the ACP.

    They hacked one of the admin accounts. I checked & restored the old database, then set that account to MEMBER GROUP. When the forum had been hacked the second time, I checked & found that account was in ADMIN GROUP. Admin logs show me some strange queries <--- that's a problem.
  4. HWS

    HWS Well-Known Member

    You simply need to make sure that all your admin accounts are secure and the passwords are known by you only. This also applies to any shell accounts at your server.

    I would recommend reducing your admin accounts to only "1" and giving it a very secure password. Also I would recommend changing ALL your passwords, including your database password, immediately.

    I don't think your problem is related to XenForo. It seems one of your admin accounts has got its password revealed. You may find some clues by comparing the IP addresses of that admin account to your other members.
  5. Mike

    Mike XenForo Developer Staff Member

    I'm sort of unclear what you're showing with those admin log entries.

    Note that changing groups is unrelated to someone being an admin. You can't make someone an admin by putting them in the admin group and you can't demote someone from an admin role like that. It all happens through the "administrators" section.

