
XF 1.2 my site keeps getting penetrated...

Discussion in 'XenForo Questions and Support' started by XxUnkn0wnxX, Feb 6, 2014.

  1. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    Are you sure XenForo is secure?


    Code:
    It appears that the attacker performed a "Forgot Password" attack on your forum software and was able to reset the admin password for the forum, allowing the attacker to upload the malicious files to your account. You will need to change the email password that is set as your forum admin email address, as well as scan your local, home computer for any malware.
    
    If you are seeing a warning page in your browser (Firefox, Chrome, Safari), please follow the directions on the following page to get rid of the red warning page: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328 . If these directions are not followed, this page will continue to show up for quite some time.
    
    ============TIMESTAMPS=============
    File: `testboard/js/xenforo/full/func.php'
    Size: 53588 Blocks: 112 IO Block: 4096 regular file
    Device: fd01h/64769d    Inode: 4067834 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 502/ unkn0wn) Gid: ( 503/ unkn0wn)
    Access: 2014-02-04 22:33:25.883565688 +1100
    Modify: 2014-02-04 22:33:25.883565688 +1100
    Change: 2014-02-04 22:33:25.883565688 +1100
    
    ============ACCESS LOG=============
    IP Hidden - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
    IP Hidden - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
    IP Hidden - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
    IP Hidden - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"

    I am getting a lot of pressure from everyone and they're blaming it all, saying XenForo is sht.

    The problem could be anything: PHP, server setup, anything.

    I am posting this here so I can get a straight answer and prove to them it's not XenForo's fault,

    and it's not my computer; I have no malware, as I don't run Windows and have already run many scans.
     
  2. Slavik

    Slavik XenForo Moderator Staff Member

    /forums/core/func.php

    This is not a XenForo file. Your problem lies with whatever you had before.

    You need to ensure everything is completely clean, make a backup and remove everything from your directories and re-upload XenForo from a clean package (from the members area).

    If you leave any old files, then you're just asking for trouble as you don't know what else may have been compromised.
     
    Donny and Amaury like this.
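    Added example, not code from the thread or from XenForo: a small triage pass over access-log lines like the host's excerpt in the first post, applying Slavik's point that `/forums/core/func.php` is not a XenForo file. The allowlist of entry scripts, the `/forums/` prefix and the sample lines (documentation-range IP, redacted paths) are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the host's excerpt in the first post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed, partial allowlist of XenForo 1.x top-level entry scripts under /forums/.
KNOWN_SCRIPTS = {"/forums/index.php", "/forums/admin.php", "/forums/deferred.php",
                 "/forums/js.php", "/forums/css.php", "/forums/cron.php"}
# Directories that hold static or uploaded content and should never serve PHP.
STATIC_DIRS = ("/forums/js/", "/forums/styles/", "/forums/data/", "/forums/internal_data/")

# Constructed sample lines modelled on the excerpt above (documentation-range IP, paths redacted).
SAMPLE = [
    '203.0.113.5 - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://forum.example/forums/" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://forum.example/forums/lost-password/7/confirm?c=REDACTED" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/EXAMPLE_USER/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "-" "Mozilla/5.0"',
]


def triage(line):
    """Return the reasons a request looks like web-shell activity ([] when it looks clean)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable log line"]
    url = urlsplit(m["target"])
    reasons = []
    if url.path.endswith(".php") and url.path not in KNOWN_SCRIPTS:
        reasons.append(f"request to unknown PHP script {url.path}")
    if url.path.endswith(".php") and url.path.startswith(STATIC_DIRS):
        reasons.append("PHP script under a static/upload directory")
    for key, values in parse_qs(url.query).items():
        if any(v.startswith("/") for v in values):
            reasons.append(f"parameter {key!r} carries an absolute filesystem path")
    return reasons


def timeline(lines):
    """Chronological (timestamp, method, path, reasons) for flagged requests only."""
    flagged = []
    for line in lines:
        reasons = triage(line)
        if reasons:
            m = LOG_RE.match(line)
            ts, method, path = (m["ts"], m["method"], urlsplit(m["target"]).path) if m else ("?", "?", line)
            flagged.append((ts, method, path, reasons))
    return flagged
```

    Run over the real log, the flagged entries give the order of events to compare against file timestamps such as the `func.php` stat output above.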
  3. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    My buddy says this is how they got in:

    "
    [6/02/2014 10:15:31 pm] in the confirm for password there is no hash to check if it's real
    [6/02/2014 10:15:55 pm] that's how they change the pass from admin or founder and get into the CP
    "

    So can someone tell me, is this password reset/confirm not secure?
     
  4. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    I deleted that; it was a shell and I fixed that up yesterday. I cleaned them all, and I checked today and that wasn't there. I also checked all the files again; nothing changed.
     
  5. Slavik

    Slavik XenForo Moderator Staff Member

    You need to ensure everything is completely clean, make a backup and remove everything from your directories and re-upload XenForo from a clean package (from the members area).

    If you leave any old files, then you're just asking for trouble as you don't know what else may have been compromised.

    If this still happens from a clean slate, then the issue would most likely be down to your host or any other scripts you may be running under your hosting account (or potentially even your web-host if their security is bad).
     
    Amaury likes this.
  6. Chris D

    Chris D XenForo Developer Staff Member

    If you were hacked today, then you'd need to post the access logs from today. Those logs are from two days ago. And if you have deleted that suspicious looking file then presumably the access logs will show something different today.
     
    Amaury likes this.
  7. Chris D

    Chris D XenForo Developer Staff Member

    It's worth noting that this file is mentioned also:

    File: `testboard/js/xenforo/full/func.php'

    If that hasn't been cleaned, that's probably the way in. That file shouldn't be there.
     
    Amaury likes this.
  8. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    This is what my friend said.

    "Normally if a user asks for a pass the system must set a random hash, something like 347ytrhfiu7gh45thg5t, to confirm; the hash must be set in the DB till it's confirmed, if not the acc is locked. It looks like XenForo does not check the hash; it confirms every hash they type. So if they want to set a pass like test123 they use confirm=test123 and done, pass set."
     
  9. Mike

    Mike XenForo Developer Staff Member

    The fact that they had a shell means absolutely nothing on your site can be trusted any more. All of the files are potentially tainted. You deleted one, but it's clear that they put another one into a different directory from those logs alone -- who knows what else has been tampered with. This includes the data/ directory.

    I'm not sure who's telling you that, but it's simply incorrect. A cursory glance at the source would show that.

    Further, the lost password system doesn't display the password back -- it emails it to you (and it emails you the confirmation code in the first place). Either the email has been modified via the DB (and given that they had a shell, that's probably what happened) or your email is compromised.
     
    Divvens, Ryan_, Amaury and 1 other person like this.
  10. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    So how do you explain this?
     
  11. Chris D

    Chris D XenForo Developer Staff Member

    It doesn't require an explanation. It is simply incorrect.
     
    Amaury likes this.
  12. Chris D

    Chris D XenForo Developer Staff Member

    Amaury likes this.
  13. Slavik

    Slavik XenForo Moderator Staff Member

    Your friend doesn't know what he's talking about.
     
    SchmitzIT and Amaury like this.
  14. Sheldon

    Sheldon Well-Known Member

    Ryan_, Amaury and Dakis like this.
  15. Divvens

    Divvens Well-Known Member

    It's clearly noticeable by the language used that it's the kind of person who "acts" like they know but actually doesn't.

    Do what the staff here have told you: you would have to delete all files from your server, re-download the version from the XenForo customer area, and upload the clean files, since access to your server was compromised. This isn't a XenForo issue; this is mostly a security leak elsewhere, and likely the webhost also failed with security.

    Did anyone apart from you have access to FTP? What hosting plan are you under (shared, VPS, etc.) and who is your host? I'd doubt your host rather than XenForo, which has had no major security issues in the years it has been publicly released.
     
    Amaury likes this.
  16. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    Well yes, there was an FTP breach; I had a testing board a few people had access to.

    Won't make the same mistake twice.

    Well, my partner is working on the site now because I'm off.

    If he stuffs something up I have access to the full server, and I mean no one has this, including SSH; no one will ever have this.

    I can just restore the whole cPanel account with everything,

    and when I get up I'll delete and wipe public_html.

    My one last question remains.

    Can I use my current database? I have many users, and I mean many.

    And am I correct
    that the database saves all of these:
    all options related to XenForo and add-ons?
    all users
    all permissions
    all threads and posts
    theme styling, not the files but the code, like colours, theme names etc.
    because I don't want to start from full scratch
    also saves all VIP users and current active subscriptions?


    The only exploit is within files on the site, right, not the DB?

    The only other exploit would be the templates, but that's all in the DB also, and any add-ons, right?

    As for settings like the DB info and admin, yes, that's in config.php; I can restore that safely.
     
    Last edited: Feb 6, 2014
  17. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    And well, I know it's not possible, well, as you all say, but.

    Kinda makes sense.

    Say you want access to an admin account; you just need their user ID and user name.

    Do a reset password on their user name and quickly

    http://portalcentric.net/forums/lost-password/1/confirm?c=mynewpasshaha

    As for a fact these links do expire, well, the requests do, but if all done fast it could be a hole...

    or caused by a broken add-on that modifies the lost password template.
     
  18. Jeremy

    Jeremy XenForo Moderator Staff Member

    The system checks hashes, so unless the attacker has access to your email or has modified the database to point your email to a different one, you have a near impossible chance of guessing the proper hash within the time limit.

    The database saves everything except anything that is uploaded, those are in data/ and internal_data/. Style images are also in the file system. You'll need to restore those manually from a back up, and verify that none have been tampered with.
     
    Amaury likes this.
  19. Chris D

    Chris D XenForo Developer Staff Member

    Where you have put mynewpasshaha in your URL is just not how it works. A password can't be set just by putting it in a URL.

    That is a unique key that is generated and stored in the database.

    That exact key needs to be known, verified with the database and then access to the email account where the reset is sent to.

    Any breach of that is absolutely nothing that can be mitigated by XenForo.
     
    Amaury likes this.
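    The mechanism Jeremy and Chris D describe, modelled as an added example (not XenForo's code): the confirmation code is random, only its hash is kept server-side, it expires, and whatever arrives in the URL is compared against the stored record rather than trusted. The 24-hour `TOKEN_TTL` and the in-memory table standing in for the database are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the thread gives no figure for XenForo's own limit


class ResetStore:
    """Model of a lost-password table: user_id -> (sha256 of the code, expiry time)."""

    def __init__(self):
        self.pending = {}

    def issue(self, user_id, now=None):
        """Create a fresh one-time confirmation code for user_id.
        Only its hash is stored; the raw code is what gets e-mailed, so neither
        a guessed URL value nor a read of this table alone reproduces it."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not user-chosen
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user_id] = (digest, now + TOKEN_TTL)
        return code

    def confirm(self, user_id, supplied, now=None):
        """True only if `supplied` equals the stored code for user_id and it is unexpired.
        A successful confirm consumes the code, so the same link cannot be replayed."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return False  # no outstanding request for this user
        digest, expires = entry
        if now > expires:
            del self.pending[user_id]
            return False  # past the time limit
        candidate = hashlib.sha256(supplied.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return False  # arbitrary values such as c=mynewpasshaha land here
        del self.pending[user_id]
        return True
```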
  20. Chris D

    Chris D XenForo Developer Staff Member

    Someone just requested a new password on my account.

    Presumably someone will be logging on as me soon.
     
    Divvens, Sheldon and Amaury like this.
