XF 1.2 my site keeps getting penetrated...

XxUnkn0wnxX

Active member
Are you sure XenForo is secure?


Code:
It appears that the attacker performed a "Forgot Password" attack on your forum software and was able to reset the admin password for the forum, allowing the attacker to upload the malicious files to your account. You will need to change the email password that is set as your forum admin email address, as well as scan your local, home computer for any malware.

If you are seeing a warning page in your browser (Firefox, Chrome, Safari), please follow the directions on the following page to get rid of the red warning page: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328 . If these directions are not followed, this page will continue to show up for quite some time.

============TIMESTAMPS=============
File: `testboard/js/xenforo/full/func.php'
Size: 53588 Blocks: 112 IO Block: 4096 regular file
Device: fd01h/64769d    Inode: 4067834 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 502/ unkn0wn) Gid: ( 503/ unkn0wn)
Access: 2014-02-04 22:33:25.883565688 +1100
Modify: 2014-02-04 22:33:25.883565688 +1100
Change: 2014-02-04 22:33:25.883565688 +1100

============ACCESS LOG=============
IP Hidden - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
IP Hidden - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"

I am getting a lot of pressure from everyone and they are blaming it all on XenForo, saying it is sht.

The problem could be anything: PHP, server setup, anything.

I am posting this here so I can get a straight answer and prove to them it is not XenForo's fault.

And it's not my computer, I have no malware, as I don't run Windows and have already run many scans.
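The host's report above pairs an access-log sequence with a stat timestamp, and that pairing is the whole case. The following Python triage script is an added example, not from the post and not XenForo's code: it reads lines in the combined log format shown, groups them per client, and flags a client that requested a password reset, followed the confirmation link, logged in, and then POSTed to a .php file that is not a normal entry point, at a time that matches the modification time of the dropped file. The sample log is constructed from the thread's four lines with the hidden address replaced by 203.0.113.5 and the user-agent shortened; the set of expected entry-point files is an assumption for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the four requests from the host's report, with the hidden
# client address replaced by the documentation address 203.0.113.5 and the
# user-agent shortened.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2014:22:30:40 +1100] "POST /forums/lost-password/lost HTTP/1.1" 200 14598 "http://portalcentric.net/forums/" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2014:22:32:03 +1100] "POST /forums/deferred.php HTTP/1.1" 200 22 "http://portalcentric.net/forums/lost-password/7/confirm?c=d5124ba73103501a" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2014:22:32:19 +1100] "POST /forums/login/login HTTP/1.1" 303 - "http://portalcentric.net/forums/lost-password/lost" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2014:22:33:25 +1100] "POST /forums/core/func.php?dir=/home/unkn0wn/public_html/testboard/js/xenforo/full HTTP/1.1" 200 31439 "http://portalcentric.net/forums/core/func.php" "Mozilla/5.0"
"""

# Modify time of testboard/js/xenforo/full/func.php from the stat output above.
FILE_MTIME = datetime(2014, 2, 4, 22, 33, 25, tzinfo=timezone(timedelta(hours=11)))

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption for this example: the PHP files a stock XenForo 1.x web root is
# expected to serve directly. Requests for any other .php file deserve a look.
KNOWN_PHP_ENTRYPOINTS = {"index.php", "admin.php", "deferred.php", "css.php",
                         "payment_callback.php"}


def parse_log(text):
    """Parse combined-format lines into dicts with an aware datetime and a split target."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"], _, e["query"] = e.pop("target").partition("?")
        events.append(e)
    return events


def stage_of(e):
    """Map one request onto a step of the takeover chain, or None."""
    path, referer = e["path"], e["referer"]
    if e["method"] == "POST" and path.endswith("/lost-password/lost"):
        return "reset_requested"
    if "/lost-password/" in referer and "/confirm?c=" in referer:
        return "reset_confirmed"
    if e["method"] == "POST" and path.endswith("/login/login"):
        return "login"
    if path.endswith(".php") and path.rsplit("/", 1)[-1] not in KNOWN_PHP_ENTRYPOINTS:
        return "unknown_php"
    return None


def chains_by_ip(events):
    chains = {}
    for e in events:
        stage = stage_of(e)
        if stage:
            chains.setdefault(e["ip"], []).append((stage, e))
    return chains


def reset_then_dropper(text, file_mtime, window_seconds=120):
    """Clients that reset a password, logged in, and then hit an unexpected .php
    file within window_seconds of the suspicious file's modification time."""
    findings = []
    for ip, chain in chains_by_ip(parse_log(text)).items():
        stages = [s for s, _ in chain]
        if not {"reset_requested", "login"} <= set(stages):
            continue
        for stage, e in chain:
            if stage != "unknown_php":
                continue
            if abs((e["ts"] - file_mtime).total_seconds()) <= window_seconds:
                findings.append({"ip": ip, "path": e["path"], "query": e["query"],
                                 "when": e["ts"].isoformat(), "stages": stages})
    return findings


if __name__ == "__main__":
    for f in reset_then_dropper(SAMPLE_LOG, FILE_MTIME):
        print(f"{f['ip']} {f['when']} {f['path']}?{f['query']} via {' -> '.join(f['stages'])}")
```

Run against a full day of logs, the same function answers the question the thread is arguing about: whether the reset was completed by following a mailed link (which points at the mailbox or the stored e-mail address) rather than by the forum handing out a password on its own.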
 
There's no reason to assume the DB hasn't been tampered with. It's possible that compiled templates could have been modified (in the DB or the file system). I have seen that concept attempted before.

This may be a reasonable time to use the XenForo to XenForo import to move only the expected data (and then nuke all of the old data/files). This would bring over permissions, though that's something that would definitely need to be audited.
 
The system checks hashes, so unless the attacker has access to your email or has modified the database to point your email to a different one, you have a near impossible chance of guessing the proper hash within the time limit.

The database saves everything except anything that is uploaded; those are in data/ and internal_data/. Style images are also in the file system. You'll need to restore those manually from a backup, and verify that none have been tampered with.
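The reply above describes the property that makes the lost-password flow safe against guessing: the confirmation link carries a secret that is checked against a stored hash, within a time limit. As an added example (a toy model of that concept, not XenForo's own code) here is a Python reset store that issues a 16-hex-character token like the c= value in the log, keeps only its hash, expires it, compares in constant time and allows a single use, plus a one-line estimate of how much of the token space an online guesser could cover before expiry. The lifetime and token size are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Toy model of a "forgot password" confirmation flow; assumed for this example,
# not XenForo's own implementation.
TOKEN_BYTES = 8           # 16 hex characters, like the c= value in the thread's log
TOKEN_TTL_SECONDS = 3600  # assumed lifetime for the example


class PasswordResetStore:
    def __init__(self):
        self.pending = {}  # user_id -> (sha256 hex of token, expiry timestamp)

    def issue(self, user_id, now=None):
        """Create a reset token for user_id; the caller mails it to the address on file.
        Only the hash is kept, so a database read alone does not reveal the link."""
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, user_id, presented, now=None):
        """True only for the exact, unexpired token, and only the first time."""
        now = time.time() if now is None else now
        record = self.pending.get(user_id)
        if record is None:
            return False
        digest, expires_at = record
        if now > expires_at:
            del self.pending[user_id]
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented_digest):
            return False  # wrong guess: keep the record so the real link still works
        del self.pending[user_id]  # single use
        return True


def keyspace_fraction_searchable(token_bytes, ttl_seconds, guesses_per_second):
    """Share of all possible tokens an online guesser can try before the token expires."""
    return guesses_per_second * ttl_seconds / float(2 ** (8 * token_bytes))


if __name__ == "__main__":
    store = PasswordResetStore()
    token = store.issue(user_id=7)
    print("correct link:", store.confirm(7, token))
    print("same link again:", store.confirm(7, token))
    print("fraction searchable at 1000 guesses/s:",
          keyspace_fraction_searchable(TOKEN_BYTES, TOKEN_TTL_SECONDS, 1000))
```

The arithmetic is the point: a thousand guesses per second for an hour covers roughly 2 × 10⁻¹³ of a 64-bit space, which is why the reply calls guessing "near impossible". The two ways round it are exactly the two the reply names: read the mailbox the token is sent to, or change the address on file so the token is sent elsewhere. That second path is why the e-mail column of the user table belongs on the audit list.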
So not even an add-on could mess with this procedure?

Like a template mod for the lost-password template?
 
The only way an add-on could mess with the system and make it less secure (cause the system to not check hashes) is by modifying the code directly. A template modification can't change how the system works.
 
Umm, what does this procedure do? Settings? I don't really care about themes, those can be done easily.

What about active VIP accounts?

I want to be able to preserve as much as I can, like threads, posts, accounts, users, settings, permissions, all the stuff that would take forever restoring one by one.

And does this mean I need to re-create my testing board fresh, then transfer all this to the testing board, and then export its DB and overwrite the one my main forum uses?
 
No. That is all stored within the database. As Mike said, you will also want a thorough review to make sure no database tampering occurred.
OK, thanks.

As long as restoring files is the only thing, I have them all on my computer; it will just take a few hours to restore those.

I feel much better now knowing all this, thank you.

And yes, I will review everything.
 
You should redownload the core package and all add-ons from here and upload them from a clean package.
So instead of using the upgrade package I just use the full one, right?

What is the difference between upgrade and full? I thought they both contain the same files.

Or does full = reinstall XenForo? I don't want to wipe any settings out, just restore the files, that's it.

And once I restore all files from clean versions, do I just go to forums/install and re-import all master files, or do I reinstall XenForo fresh?

I remember there were two settings there.
 
Yes. The upgrade package removes several files and directories that contain data found within an existing install, to prevent accidentally removing them.
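The replies above amount to one procedure: fetch a clean package, put it over the live files, and verify that nothing was tampered with, while leaving the data directories that the upgrade package deliberately omits. That verification can be done before overwriting anything, which also tells you what the attacker touched. The following Python script is an added example, not XenForo's code or tooling: it hashes a clean package tree and the live web root and reports files whose contents differ, files the package never shipped, and, separately, any .php file that has appeared under the upload directories, where no executable code belongs. The directory names come from the thread; the two demo trees and the "expected extra" list are constructed for the example.

```python
import hashlib
import os
import tempfile

# Directories a live site fills with uploads and cache; they are expected to
# differ from the clean package (the upgrade package leaves them out for the
# same reason). Names taken from the thread; layout assumed for the example.
DATA_DIRS = {"data", "internal_data"}
# Site-specific files that legitimately exist only on the live side (assumed).
EXPECTED_EXTRA = {"library/config.php"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map of 'relative/path' -> sha256 for every file under root."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_of(full)
    return hashes


def compare_webroot(clean_root, live_root):
    """Compare a clean package tree against the live web root."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "missing": [], "extra": [], "php_in_data": []}
    for rel, digest in clean.items():
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    for rel in live:
        if rel in clean or rel in EXPECTED_EXTRA:
            continue
        if rel.split("/", 1)[0] in DATA_DIRS:
            # uploads belong here; executable code does not
            if rel.endswith(".php"):
                report["php_in_data"].append(rel)
            continue
        report["extra"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def _write(root, rel, body):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(body)


def build_demo_trees():
    """Two constructed temporary trees standing in for the package and the site."""
    clean, live = tempfile.mkdtemp(prefix="clean_"), tempfile.mkdtemp(prefix="live_")
    package = {"index.php": "<?php // entry point\n",
               "library/XenForo/Autoloader.php": "<?php // autoloader\n"}
    for root in (clean, live):
        for rel, body in package.items():
            _write(root, rel, body)
    _write(live, "index.php", "<?php // entry point, edited on the live site\n")
    _write(live, "library/config.php", "<?php // site config\n")
    _write(live, "core/func.php", "<?php // file the package never shipped\n")
    _write(live, "data/avatars/1.jpg", "not really a jpeg\n")
    _write(live, "data/avatars/func.php", "<?php // code in an upload directory\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo_trees()
    for kind, paths in compare_webroot(clean_dir, live_dir).items():
        print(kind, paths)
```

Point the two arguments at an unpacked full package and the real web root (and run the same comparison for each add-on against its own download) and the "extra" and "php_in_data" lists are the files to preserve as evidence and then remove; "modified" is the list of files the attacker edited in place, which is the case the thread worries about with add-ons that patch core files.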
 
OK, just one last question.

As long as I restore every single file, all my add-ons,

I don't have to re-import them, right? Or edit all the settings for them?

Why would you want to do that? Chances are one of those add-ons caused all of this mess to begin with.

If you get hacked, simply uploading everything is basically like leaving your house unlocked with the windows open right after you got your house ransacked by a burglar.

And don't take any more advice from your scriptkiddie friend ;-)
 
OK, well I will try the clean way first with my current DB and restore all add-ons, and see how I go. I will back everything up with all clean files. If we start getting issues I'll just wipe public_html, restore the backup, and then remove all possible add-ons to do with users, and see how that goes. And I have CSF installed, so I can block everyone's IP but not my own, and fix up the site with everyone out.
 
Time to install this and force ALL persons with Administrator/Moderator levels to use it for access to XenForo.
FTP is a weakness if you are using a VPS/Dedicated server unless you restrict access to specific IPs (which is what I do whenever I need to enable it). If on shared hosting, see about only enabling it when you need it (it has been so long since I've used shared that I don't remember if you can disable FTP from cPanel).

If on a VPS/Dedicated ONLY use SFTP/SCP (with keys or two factor authentication enabled for SSH access and ROOT access disabled). Install Fail2Ban or CSF to lock out (via iptables) any systems attempting to access the SSH accounts (with an exclusion in their config for YOUR IP address). If using Fail2Ban assign a LONG ban time for SSH access. CSF will place (if I remember correctly) any failed attempts in a permanent blocked status.

For any accounts that have access to the cPanel/Administrative functions use STRONG passwords (yes, they are a pain in the arse but better than what you are having to go through).
Change the passwords regularly and DO NOT use them anywhere else.
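The checklist above (no root login over SSH, keys rather than passwords, a long fail2ban ban with your own address excluded) can be checked mechanically rather than by eye. The following Python audit is an added example, not from the post and not part of OpenSSH, fail2ban or CSF: it reads an sshd_config and a fail2ban jail.local, resolving sshd keywords first-occurrence-wins as sshd itself does, and reports deviations from the advice given. Both pairs of config fragments are constructed, 203.0.113.10 stands in for the administrator's own address, and the minimum ban time is an assumed threshold.

```python
import configparser
import re

# Constructed configuration fragments, assumed for this example.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
WEAK_JAIL = """\
[DEFAULT]
bantime = 600
ignoreip = 127.0.0.1/8

[sshd]
enabled = false
"""
HARDENED_JAIL = """\
[DEFAULT]
bantime  = 1w
findtime = 10m
maxretry = 3
ignoreip = 127.0.0.1/8 203.0.113.10

[sshd]
enabled = true
bantime = 4w
"""

ADMIN_IP = "203.0.113.10"  # stands in for the administrator's own address


def parse_sshd_config(text):
    """Keyword -> value, keeping the FIRST occurrence as sshd does.
    Match blocks are not modelled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = (parts + [""])[:2]
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit_sshd(text):
    s = parse_sshd_config(text)
    findings = []
    root = s.get("permitrootlogin")
    if root != "no":
        findings.append(f"PermitRootLogin is {root or 'not set (version default applies)'}; set it to no")
    # OpenSSH defaults PasswordAuthentication to yes when the keyword is absent
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not no; use keys (plus a second factor if you have one)")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """fail2ban accepts plain seconds or suffixed values such as 10m or 1w (assumed here)."""
    value = value.strip().lower()
    if value[-1] in _UNITS and value[:-1].isdigit():
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


def audit_fail2ban(text, admin_ip, min_bantime=86400):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if not cp.getboolean("sshd", "enabled", fallback=False):
        findings.append("sshd jail is not enabled")
    else:
        bantime = parse_duration(cp.get("sshd", "bantime", fallback="600"))
        if bantime < min_bantime:
            findings.append(f"sshd bantime is {bantime}s; use a long ban (at least {min_bantime}s)")
    if admin_ip not in cp.defaults().get("ignoreip", "").split():
        findings.append(f"{admin_ip} is not in ignoreip; a typo in your own password would ban you")
    return findings


if __name__ == "__main__":
    for label, sshd, jail in (("weak", WEAK_SSHD, WEAK_JAIL), ("hardened", HARDENED_SSHD, HARDENED_JAIL)):
        print(label, audit_sshd(sshd) + audit_fail2ban(jail, ADMIN_IP))
```

The weak pair produces four findings and the hardened pair none; the same two functions can be pointed at /etc/ssh/sshd_config and /etc/fail2ban/jail.local on the server. CSF keeps its allow list in its own files rather than jail.local, so a CSF user would swap the second function for one that checks csf.allow contains the administrator's address.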
 
Not sure if this has been mentioned, however I noticed you're running WordPress as well for a home page. I've known a few folks to have things compromised via outdated plugins/WordPress itself, just a thought.
 
Did you ask your host to check the access logs and see if that could shed a little more light on how your site got compromised?

XenForo is not at fault from what I read here. The culprit must lie elsewhere. I would also do a thorough check up of the server space if I were you.
 
OK, thanks for unlocking it, but

I found this:
ZB Block: http://www.spambotsecurity.com

which protects me against everything I need. But I noticed that some code has to be placed in all my PHP files, so each time I update XenForo or update an add-on I would have to add it back in, and there are like thousands of files, so is there a quick way of doing this? Like a module or add-on or something to make ZB Block place its code in all the PHP files that are related to XenForo?

But I am having some issues.

I placed in

<?php require('/"hidden"public_html/zbblock/zbblock.php'); ?>

I hid my path for security reasons

at the start of index.php, config.php and admin.php

at the very start, like so:

Code:
<?php require('/"hidden"public_html/zbblock/zbblock.php'); ?><?php

$startTime = microtime(true);
$fileDir = dirname(__FILE__);

require($fileDir . '/library/XenForo/Autoloader.php');
XenForo_Autoloader::getInstance()->setupAutoloader($fileDir . '/library');

XenForo_Application::initialize($fileDir . '/library', $fileDir);
XenForo_Application::set('page_start_time', $startTime);

$fc = new XenForo_FrontController(new XenForo_Dependencies_Public());
$fc->run();

And some of my users are getting errors like this when posting or making threads, or even me accessing the admin panel, unless my IP is whitelisted.

Code:
403 FORBIDDEN!  

Either the address you are accessing this site from has been banned for previous malicious behavior or the action you attempted is considered to be hostile to the proper functioning of this system.

The detected reason(s) you were blocked are:
POST unescaped ) POST-011.

Your IP, Domain Name (if resolvable), the referring page (if any), QUERY, POST, User Agent, time of access, and date have been logged and flagged for admin review. Please either 1. Stop the bad behavior, or 2. Cease accessing this system.

If You Believe This is a mistake please contact us at [email protected] or [email protected]

Your connection details:
Record #: 152
Time: Sun, 09 Feb 2014 10:01:41 -0600
Running: 0.4.10a3 / 75
Host: c-59-101-117-238.syd.connect.net.au
IP:  hidden
Post: login=XxUnkn0wnxX&password=_hiddenadmin.php&_xfNoRedirect=1&_xfResponseType=json
Query: login/login
Stripped Query: login/login
Referer: http://portalcentric.net/forums/admin.php
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Reconstructed URL: http:// portalcentric.net /forums/admin.php?login/login

    Generated by ZB Block 0.4.10a3 / 75

Anyone know how to fix this?

I prefer to have this security bot running than not have it at all.

Also, in here: http://www.spambotsecurity.com/zbblock_download.php

I am using the normal signatures.

Now I am thinking, should I use the other ones? Or just remove the protection from my XenForo PHP files?

I would prefer to have protection with the signatures that are recommended...
 
Because you can't just insert random php code into XenForo core files and expect it to work.

And rather than rely on some third-party product to protect you, you should follow what @Tracy Perry said: common sense and good security practices are better than half-way solutions.
 