XF 1.2 my site keeps getting penetrated...

[XxUnkn0wnxX]

u sure xenforo is secure?

It appears that the attacker performed a "Forgot Password" attack on your forum software and was able to reset the admin password for the forum, allowing the attacker to upload the malicious files to your account. You will need to change the email password that is set as your forum admin email address, as well as scan your local, home computer for any malware.

If you are seeing a warning page in your browser (Firefox, Chrome, Safari), please follow the directions on the following page to get rid of the red warning page: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328 . If these directions are not followed, this page will continue to show up for quite some time.

============TIMESTAMPS=============
File: `testboard/js/xenforo/full/func.php'
Size: 53588 Blocks: 112 IO Block: 4096 regular file
Device: fd01h/64769d    Inode: 4067834 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 502/ unkn0wn) Gid: ( 503/ unkn0wn)
Access: 2014-02-04 22:33:25.883565688 +1100
Modify: 2014-02-04 22:33:25.883565688 +1100
Change: 2014-02-04 22:33:25.883565688 +1100

============ACCESS LOG=============
IP Hidden - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"

i am getting a lot of pressure from every one and they blaming it all that xenforo is sht,

problem could be anything php, server set up, any thing.

i am posting this here so i can get a straight answer and prove them it not xenforo's fault

and its not my computer i have no malware, as i don't run windows and already ran many scans

 

[TPerry]

ok thx for unlocking it but

i found this:
ZB Block: http://www.spambotsecurity.com

i am using the normal signatures.

now i am thinking should i use the other ones? or just removed protection from my xenforo php files?

i would prefer to have protection with the signatures that are recommended...

When I first started using XenForo I used ZBBlock myself (it was easy to integrate into XF directly if you knew what you were doing). Problem is it DOES give some false positives when done correctly because it uses a LARGE amount of data to block by. And I am willing to bet your password has a a closing parenthesis in it (remove it or create a password without one). That is sometimes an error with ZBBlock.
You also need to add your IP to whitelist that is in the configuration for ZB. Also in the ZB config you probably should disable the AJAX option (set it to no) since XF uses Ajax.

 

[XxUnkn0wnxX]

When I first started using XenForo I used ZBBlock myself (it was easy to integrate into XF directly if you knew what you were doing). Problem is it DOES give some false positives when done correctly because it uses a LARGE amount of data to block by. And I am willing to bet your password has a a closing parenthesis in it (remove it or create a password without one). That is sometimes an error with ZBBlock.
You also need to add your IP to whitelist that is in the configuration for ZB. Also in the ZB config you probably should disable the AJAX option (set it to no) since XF uses Ajax.

yea i had issues logging in to admin and people had issues posting and creating threads... but the password thing i cannot help because i know for a fact many people using passwords with random symbols in it especially those who have user names with those weird characters and circle things.

yes if my ip is white listed i am all good doesn't help those who try to post threads or login to forums like my members

 

[Mouth]

Time to install this and force ALL persons with Administrator/Moderator levels to use it for access to XenForo.

That's achievable? I didn't think it had functionality to force for specified usergroups? I recently asked in that thread but have received no response.

 

[XxUnkn0wnxX]

That's achievable? I didn't think it had functionality to force for specified usergroups? I recently asked in that thread but have received no response.

? i not sure how to force them to use it i only can give them the option to use them

 

[TPerry]

That's achievable? I didn't think it had functionality to force for specified usergroups? I recently asked in that thread but have received no response.

Yeah... it's achievable for moderators/administrators. You tell them they use it or they no longer are.

 

[TPerry]

yes if my ip is white listed i am all good doesn't help those who try to post threads or login to forums like my members

Did you follow the Ajax config settings as outlined?

 

[XxUnkn0wnxX]

Did you follow the Ajax config settings as outlined?

yes it working fine now