XF 1.2 my site keeps getting penetrated...

XxUnkn0wnxX

XxUnkn0wnxX

Active member
u sure xenforo is secure?


Code: 
It appears that the attacker performed a "Forgot Password" attack on your forum software and was able to reset the admin password for the forum, allowing the attacker to upload the malicious files to your account. You will need to change the email password that is set as your forum admin email address, as well as scan your local, home computer for any malware.

If you are seeing a warning page in your browser (Firefox, Chrome, Safari), please follow the directions on the following page to get rid of the red warning page: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328 . If these directions are not followed, this page will continue to show up for quite some time.

============TIMESTAMPS=============
File: `testboard/js/xenforo/full/func.php'
Size: 53588 Blocks: 112 IO Block: 4096 regular file
Device: fd01h/64769d    Inode: 4067834 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 502/ unkn0wn) Gid: ( 503/ unkn0wn)
Access: 2014-02-04 22:33:25.883565688 +1100
Modify: 2014-02-04 22:33:25.883565688 +1100
Change: 2014-02-04 22:33:25.883565688 +1100

============ACCESS LOG=============
IP Hidden - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"

i am getting a lot of pressure from every one and they blaming it all that xenforo is sht,

problem could be anything php, server set up, any thing.

i am posting this here so i can get a straight answer and prove them it not xenforo's fault

and its not my computer i have no malware, as i don't run windows and already ran many scans
 
Sort by date Sort by votes
/forums/core/func.php

This is not a XenForo file. Your problem lies with whatever you had before.

You need to ensure everything is completely clean, make a backup and remove everything from your directories and re-upload XenForo from a clean package (from the members area).

If you leave any old files, then your just asking for trouble as you don't know what else may have been comprimised.
 
Upvote 0 Downvote
my buddy says this is how they got in:

"
[6/02/2014 10:15:31 pm] in the confirm for password there is no hash to check if its real
[6/02/2014 10:15:55 pm] that how they change the pass from admin or founder get into CP
"

so can some 1 tell me this password reset/confirm this isn't secure?
 
Upvote 0 Downvote
You need to ensure everything is completely clean, make a backup and remove everything from your directories and re-upload XenForo from a clean package (from the members area).

If you leave any old files, then your just asking for trouble as you don't know what else may have been comprimised.

If this still happens from a clean slate, then the issue would most likely be down to your host or any other scripts you may be running under your hosting account (or potentially even your web-host if their security is bad).
 
Upvote 0 Downvote
If you were hacked today, then you'd need to post the access logs from today. Those logs are from two days ago. And if you have deleted that suspicious looking file then presumably the access logs will show something different today.
 
Upvote 0 Downvote
It's worth noting that this file is mentioned also:

File: `testboard/js/xenforo/full/func.php'

If that hasn't been cleaned, that's probably the way in. That file shouldn't be there.
 
Upvote 0 Downvote
this what my friend said.


"normal if a user ask for pass the system must set a random hash someting like 347ytrhfiu7gh45thg5t to confirm the hash must set in db till its confirmed if not acc is locked. it looks like xenforo does not check the hash it confirms every hash they type. So if they want to set a pass like test123 they use confirm=test123 and done pass set"
 
Upvote 0 Downvote
The fact that they had a shell means absolutely nothing on your site can be trusted any more. All of the files are potentially tainted. You deleted one, but it's clear that they put another one into a different directly from those logs alone -- who knows what else has been tampered with. This includes the data/ directory.

XxUnkn0wnxX said:
my buddy says this is how they got in:

"
[6/02/2014 10:15:31 pm] in the confirm for password there is no hash to check if its real
[6/02/2014 10:15:55 pm] that how they change the pass from admin or founder get into CP
"

so can some 1 tell me this password reset/confirm this isn't secure?
Click to expand...
I'm not sure who's telling you that, but it's simply incorrect. A cursory glance at the source would show that.

Further, the lost password system doesn't display the password back -- it emails it to you (and it emails you the confirmation code in the first place). Either the email has been modified via the DB (and given that they had a shell, that's probably what happened) or your email is compromised.
 
Upvote 0 Downvote
XxUnkn0wnxX said:
this what my friend said.


"normal if a user ask for pass the system must set a random hash someting like 347ytrhfiu7gh45thg5t to confirm the hash must set in db till its confirmed if not acc is locked. it looks like xenforo does not check the hash it confirms every hash they type. So if they want to set a pass like test123 they use confirm=test123 and done pass set"
Click to expand...

so how do u explain this?
 
Upvote 0 Downvote
Slavik said:
Your friend doesn't know what hes talking about.
Click to expand...
Its clearly noticeable by the language used that its the kind of person who "acts" like they know but actually don't know.

XxUnkn0wnxX said:
so how do u explain this?
Click to expand...
Do what the staff here have told you, you would have to delete all files from your server, re-download the version from XenForo customer area, and upload the clean files since access to your server was compromised, this isn't a XenForo issue, this is mostly a security leak elsewhere and likely that the webhost also failed with security.

Did anyone apart from you have access to FTP? What hosting plan are you under (shared, vps etc) who is your host? I'd doubt your host rather than XenForo which has had no major security issues in the years it has been publicly released.
 
Upvote 0 Downvote
Divvens said:
Its clearly noticeable by the language used that its the kind of person who "acts" like they know but actually don't know.


Do what the staff here have told you, you would have to delete all files from your server, re-download the version from XenForo customer area, and upload the clean files since access to your server was compromised, this isn't a XenForo issue, this is mostly a security leak elsewhere and likely that the webhost also failed with security.

Did anyone apart from you have access to FTP? What hosting plan are you under (shared, vps etc) who is your host? I'd doubt your host rather than XenForo which has had no major security issues in the years it has been publicly released.
Click to expand...
well yes there was an ftp breach i had a testing baord few people had acccess to that.

wont make same mistake twice.

well my partner wotking on site now cozz i off

if he stufs something up i have access to full server and i mean no one has this including ssh no one will ever have this

i can just restore the whole cpanel account with every thing

and when i get up i delete and wipe public_html.

my one last question remains.

can i use my current data base i have many users and i mean many.

and am i correct
that the data base saves all of these
all options related to xenforo and add ones?
all users
all permissions
all threads and posts
theme styling not the files but the code like colours theme names etc
cozz i dont want to start from full scratch
also saves all VIP users and current active subscriptions?


only exploit is within files on site right not the db?

only other exploit would be the templates but thats all in the db also any add ones right?

as for settings like the db info and admin yes that in config.php i can restore that safely
 
Last edited:
Upvote 0 Downvote
and well i know it not possible well as u all say but.

kinda makes sence

say you want access to admin account u just need there user id and user name.

do reset password on there user name and quickly

http://portalcentric.net/forums/lost-password/1/confirm?c=mynewpasshaha

as for a fact these links do expire well the requests but if all done fast could be a hole...

or caused by a broken add one that modifies the lost password template
 
Upvote 0 Downvote
The system checks hashes, so unless the attacker has access to your email or has modified the database to point your email to a different one, you have a near impossible chance of guessing the proper hash within the time limit.

The database saves everything except anything that is uploaded, those are in data/ and internal_data/. Style images are also in the file system. You'll need to restore those manually from a back up, and verify that none have been tampered with.
 
Upvote 0 Downvote
Where you have put mynewpasshaha in your URL is just not how it works. A password can't be set just by putting it in a URL.

That is a unique key that is generated and stored in the database.

That exact key needs to be known, verified with the database and then access to the email account where the reset is sent to.

Any breach of that is absolutely nothing that can be mitigated by XenForo.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

imanoob2000
  • Question Question
XF 2.2 Constant Refreshing with Steam Built-in Browser
Replies
1
Views
22K
Chris D
Chris D
B
Duplicate Xenforo 2 constantly refreshing page on the Steam browser (CEF chromium embedded framework)
Replies
3
Views
801
Chris D
Chris D
Jawsh
  • Suggestion Suggestion
Lack of interest Throttle reactions for registered members
Replies
1
Views
812
Chris D
Chris D
S
  • Question Question
XF 2.0 company closed because my site is attacking
Replies
10
Views
897
Joe Kuhn
Joe Kuhn
B
  • Question Question
XF 2.0 Possible NGINX config issue?
Replies
3
Views
4K
bostoneo
B
Top Bottom