XF 1.2 my site keeps getting penetrated...

XxUnkn0wnxX

Are you sure XenForo is secure?


Code:
It appears that the attacker performed a "Forgot Password" attack on your forum software and was able to reset the admin password for the forum, allowing the attacker to upload the malicious files to your account. You will need to change the email password that is set as your forum admin email address, as well as scan your local, home computer for any malware.

If you are seeing a warning page in your browser (Firefox, Chrome, Safari), please follow the directions on the following page to get rid of the red warning page: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328 . If these directions are not followed, this page will continue to show up for quite some time.

============TIMESTAMPS=============
File: `testboard/js/xenforo/full/func.php'
Size: 53588 Blocks: 112 IO Block: 4096 regular file
Device: fd01h/64769d    Inode: 4067834 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 502/ unkn0wn) Gid: ( 503/ unkn0wn)
Access: 2014-02-04 22:33:25.883565688 +1100
Modify: 2014-02-04 22:33:25.883565688 +1100
Change: 2014-02-04 22:33:25.883565688 +1100

============ACCESS LOG=============
IP Hidden - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"

I am getting a lot of pressure from everyone and they are blaming it all on XenForo being sht,

The problem could be anything: PHP, server setup, anything.

I am posting this here so I can get a straight answer and prove to them it's not XenForo's fault.

And it's not my computer; I have no malware, as I don't run Windows and have already run many scans.
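The access log above already contains the whole chain (lost-password POST, login, then a POST to a PHP file that is not part of XenForo, with a directory in the query string). As an added example, not code from the thread or from XenForo, this is detection logic that walks combined-format log lines and flags that chain; the sample lines are constructed to mirror the ones posted, with placeholder IPs, and the allowlist of known PHP entry points is an assumption to adjust for a real install.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
# Combined-format access log line; only the fields the checks need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# PHP entry points a stock XenForo 1.x install under /forums/ is expected to serve.
# Assumed allowlist for this example; build it from the clean package for a real install.
KNOWN_PHP = {"/forums/index.php", "/forums/admin.php", "/forums/deferred.php", "/forums/css.php"}

# Constructed sample lines modeled on the log in the thread (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not the real client addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/user/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2014:22:34:00 +1100] "GET /forums/index.php?threads/1/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict with ip, method, path, query (dict) and time, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious(log_text, window=timedelta(minutes=15)):
    """Return (reason, ip, path) tuples for requests worth a closer look."""
    alerts, last_reset = [], {}  # last_reset: ip -> time of its latest lost-password POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith("/forums/lost-password/"):
            last_reset[ip] = rec["time"]
        if path.endswith(".php") and path not in KNOWN_PHP:
            alerts.append(("php_outside_known_entry_points", ip, path))
            # Reset, then an unknown PHP file from the same client minutes later: the chain in the log.
            if ip in last_reset and rec["time"] - last_reset[ip] <= window:
                alerts.append(("reset_then_unknown_php", ip, path))
        if any("/" in v for v in rec["query"].get("dir", [])):  # file-manager style dir= parameter
            alerts.append(("directory_in_query", ip, path))
    return alerts
```

Run `find_suspicious(SAMPLE_LOG)` to see the three findings for the first client; the legitimate index.php request produces none.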
 
/forums/core/func.php

This is not a XenForo file. Your problem lies with whatever you had before.

You need to ensure everything is completely clean, make a backup and remove everything from your directories and re-upload XenForo from a clean package (from the members area).

If you leave any old files, then you're just asking for trouble as you don't know what else may have been compromised.
 
My buddy says this is how they got in:

"
[6/02/2014 10:15:31 pm] in the confirm for password there is no hash to check if it's real
[6/02/2014 10:15:55 pm] that's how they change the pass from admin or founder and get into the CP
"

So can someone tell me whether this password reset/confirm is insecure?
 
If this still happens from a clean slate, then the issue would most likely be down to your host or any other scripts you may be running under your hosting account (or potentially even your web-host if their security is bad).
 
If you were hacked today, then you'd need to post the access logs from today. Those logs are from two days ago. And if you have deleted that suspicious looking file then presumably the access logs will show something different today.
 
It's worth noting that this file is mentioned also:

File: `testboard/js/xenforo/full/func.php'

If that hasn't been cleaned, that's probably the way in. That file shouldn't be there.
 
This is what my friend said:


"Normally if a user asks for a pass the system must set a random hash, something like 347ytrhfiu7gh45thg5t, to confirm; the hash must be set in the DB till it's confirmed, if not the acc is locked. It looks like XenForo does not check the hash; it confirms every hash they type. So if they want to set a pass like test123 they use confirm=test123 and done, pass set"
 
The fact that they had a shell means absolutely nothing on your site can be trusted any more. All of the files are potentially tainted. You deleted one, but it's clear that they put another one into a different directory from those logs alone -- who knows what else has been tampered with. This includes the data/ directory.

I'm not sure who's telling you that, but it's simply incorrect. A cursory glance at the source would show that.

Further, the lost password system doesn't display the password back -- it emails it to you (and it emails you the confirmation code in the first place). Either the email has been modified via the DB (and given that they had a shell, that's probably what happened) or your email is compromised.
 
So how do you explain this?
 
Your friend doesn't know what he's talking about.
It's clearly noticeable by the language used that it's the kind of person who "acts" like they know but actually doesn't.

Do what the staff here have told you: you would have to delete all files from your server, re-download the version from the XenForo customer area, and upload the clean files, since access to your server was compromised. This isn't a XenForo issue; this is mostly a security leak elsewhere, and likely the webhost also failed with security.

Did anyone apart from you have access to FTP? What hosting plan are you under (shared, VPS, etc.) and who is your host? I'd doubt your host rather than XenForo, which has had no major security issues in the years it has been publicly released.
 
Well yes, there was an FTP breach; I had a testing board a few people had access to.

Won't make the same mistake twice.

Well, my partner is working on the site now because I'm off.

If he stuffs something up I have access to the full server, and I mean no one has this, including SSH; no one will ever have this.

I can just restore the whole cPanel account with everything.

And when I get up I'll delete and wipe public_html.

My one last question remains.

Can I use my current database? I have many users, and I mean many.

And am I correct
that the database saves all of these:
all options related to XenForo and add-ons?
all users
all permissions
all threads and posts
theme styling, not the files but the code like colours, theme names etc.
because I don't want to start from full scratch
also saves all VIP users and current active subscriptions?


Only exploit is within the files on the site, right, not the DB?

Only other exploit would be the templates, but that's all in the DB also, and any add-ons, right?

As for settings like the DB info and admin, yes that's in config.php; I can restore that safely.
 
And well, I know it's not possible, well as you all say, but.

Kinda makes sense.

Say you want access to an admin account; you just need their user ID and user name.

Do a reset password on their user name and quickly

http://portalcentric.net/forums/lost-password/1/confirm?c=mynewpasshaha

As for a fact these links do expire, well the requests, but if all done fast could be a hole...

Or caused by a broken add-on that modifies the lost password template.
 
The system checks hashes, so unless the attacker has access to your email or has modified the database to point your email to a different one, you have a near impossible chance of guessing the proper hash within the time limit.

The database saves everything except anything that is uploaded, those are in data/ and internal_data/. Style images are also in the file system. You'll need to restore those manually from a back up, and verify that none have been tampered with.
 
Where you have put mynewpasshaha in your URL is just not how it works. A password can't be set just by putting it in a URL.

That is a unique key that is generated and stored in the database.

That exact key needs to be known, verified with the database and then access to the email account where the reset is sent to.

Any breach of that is absolutely nothing that can be mitigated by XenForo.
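The two replies above describe the flow: a unique key is generated, stored in the database, sent by email, and the confirm step is accepted only if the presented key matches that stored value before it expires. As an added example, not XenForo's code, this is a minimal model of that flow showing why an arbitrary c= value such as mynewpasshaha is rejected; the one-hour lifetime is an assumption (the thread only says the links expire), and storing the key's SHA-256 digest rather than the key is this example's choice.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600.0  # seconds; the thread only says the links expire, this lifetime is assumed

class PasswordResetStore:
    """Model of a lost-password flow: a random per-request key is generated, only its hash is
    stored, the raw key is emailed, and confirm succeeds only for that exact key."""

    def __init__(self):
        self.db = {}       # user_id -> (sha256 hex of key, expiry as epoch seconds)
        self.outbox = []   # (user_id, confirm_url) that the mailer would send

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def request_reset(self, user_id, now=None):
        now = time.time() if now is None else now
        key = secrets.token_hex(8)  # 64 random bits from the OS CSPRNG, like the c= value above
        self.db[user_id] = (self._digest(key), now + RESET_TTL)
        self.outbox.append((user_id, f"/lost-password/{user_id}/confirm?c={key}"))
        return key  # returned only so a caller can simulate reading the email

    def confirm(self, user_id, presented_key, now=None):
        """True only for the key stored for this user, before expiry, and only once."""
        now = time.time() if now is None else now
        entry = self.db.get(user_id)
        if entry is None:
            return False  # no pending reset for this user
        stored_digest, expires_at = entry
        if now > expires_at:
            del self.db[user_id]
            return False
        # Constant-time digest comparison: a guessed value like 'mynewpasshaha' is rejected here,
        # and timing does not leak how close a guess was.
        if not hmac.compare_digest(stored_digest, self._digest(presented_key)):
            return False
        del self.db[user_id]  # consume the key so the emailed link cannot be replayed
        return True
```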
 