It seems my forum has been hacked - bug report

buonchit

I'm using XenForo version 1.4.3. Today some of my sub-forums have been dropped database. I checked the admin log & found that something was very strange:

The query with "json" letter points to Administrator group.

I restored the backup files. However after 4 hours, my site had been hacked one more time.

I just want to let you know as I'll upgrade to the newest version.
 

Attachments: 1.webp, 2.webp, 3.webp, 4.webp, 5.webp
You will need to determine how and when the hackers gained access.
Upgrading won't resolve the issue if they still have access due to compromised accounts/files, etc.

When you say "some of my sub-forums have been dropped database", do you mean they deleted the content from the database directly, or deleted the nodes from within the ACP?

You will have to restore from a backup to regain the deleted content, as well as confirming that there are no compromised files from XF or any other software running on the server.
 
When I say "some of my sub-forums have been dropped database", I meant they deleted the nodes from within the ACP.

They hacked one of the admin accounts. I checked & restored the old database, then set that account to MEMBER GROUP. When the forum had been hacked the second time, I checked & found that account was in ADMIN GROUP. Admin logs show me some strange queries <--- that's a problem.
 
You simply need to make sure that all your admin accounts are secure and the passwords are known by you only. This also applies to any shell accounts at your server.

I would recommend reducing your admin accounts to only "1" and giving it a very secure password. Also I would recommend changing ALL your passwords, including your database password, immediately.

I don't think your problem is related to XenForo. It seems one of your admin accounts has had its password revealed. You may find clues by comparing the IP addresses of that admin account to your other members.
 
I'm sort of unclear what you're showing with those admin log entries.

Note that changing groups is unrelated to someone being an admin. You can't make someone an admin by putting them in the admin group and you can't demote someone from an admin role like that. It all happens through the "administrators" section.
 