XF 1.5 Possible abuse of my server...

Discussion in 'Troubleshooting and Problems' started by AT8500, Apr 21, 2016.

  1. AT8500

    AT8500 Member

    Hello,
    I just received an email from Cloudflare with this content
    And the content of the default.php file is this

    Now I have a few questions:
    1) Is this file a real XenForo file or was it created by that ****in* bot?
    2) If this is a real XenForo file, is there anything suspicious in it?

    Do you have any suggestions on what to do if the file is OK, how to find that junk, and why Cloudflare reported that file?

    P.S.
    I masked my address because I am not sure how those bots work and whether they could use my link for new attacks, but if necessary I can provide the real link to admins.
     
  2. Mouth

    Mouth Well-Known Member

    XenForo does not use a /cgi-bin/ directory. So any such directory, or files within it, are going to be outside of XF.
    Your /cgi-bin/default.php code is also clearly an exploit. If you don't have anything other than XF on your site, I'd immediately delete the cgi-bin/ directory and all its contents. Additionally, be very suspicious of the overall security and state of your server/site.
     
    D.O.A. and AT8500 like this.
  3. Brogan

    Brogan XenForo Moderator Staff Member

    You will also need to identify how the server was compromised.

    Change any and all passwords, starting with any email addresses you use for password resets.
     
    AT8500 likes this.
  4. Tracy Perry

    Tracy Perry Well-Known Member

    And by chance are you running WordPress on any other domains on the same server?

    If on a shared hosting environment, it may have been someone else that allowed the back door and you happened to get hit also (a hazard of a poorly maintained shared hosting server).
    If it is your server, then you have some issues with the site not being "hardened".
     
    AT8500 likes this.
  5. AT8500

    AT8500 Member

    OK, thanks for the suggestions.
    I am on a VPS (managed) but CentOS and Kloxo haven't been updated for a long time, so now I am doing it. I don't have an active WordPress, but I have it installed because I tested something (wanted to migrate my portal to WP, but then changed my mind).

    My hosting provider suggested that I update CentOS and Kloxo, which we will do soon, but I will have to back up all files and the database and then restore them after it is completed. I would like, if it is possible, to somehow scan the files before that, so I don't "reinfect" the new server again. From the Cloudflare mail I see that this bot inserts itself into PHP files, so it could be that some legit files are infected with code generated by the bot....

    I guess that it will be relatively easy to scan the content of all PHP files, but only if I know what to look for?

    And what would you suggest, what steps to take now:
    OK, I will change my passwords, and I also deleted the file default.php (renamed it for now and changed permissions to 600).
    What else could be helpful to do now?
     
  6. Brogan

    Brogan XenForo Moderator Staff Member

    The simplest way to deal with the XF files would be by wiping the existing files and directories and re-uploading them again.
    Make a note of the details in the library/config.php file, or download a copy.

    You will also need to re-upload any add-on specific files.

    The only two directories you will need to deal with manually are the data and internal_data directories - those can't be removed as they contain avatars and attachments.
    They will need to be checked for any malicious files/scripts.
     
  7. AT8500

    AT8500 Member

    One more piece of information about this.
    I ran this command
    which should find functions often used in infected scripts, such as base64_encode and base64_decode (according to the internet).

    and got this result

    [image: command output]

    OK, the first two (cgi-bin) will be deleted (I still didn't delete the old one, just renamed it). The first entry is confusing me a little, but I will figure it out....

    But those three files from XenForo. What to do with them? Should they be like this, or were they changed somehow?
     
  8. Mike

    Mike XenForo Developer Staff Member

    It sounds like those files have been modified.
     
  9. AT8500

    AT8500 Member

    I attached those three files. To me they look normal, but I am not sure.

    IPBoard.php
    PHP:
    <?php

    /**
    * IP.Board authentication method.
    *
    * @package XenForo_Authentication
    */
    class XenForo_Authentication_IPBoard extends XenForo_Authentication_Abstract
    {
        /**
         * Password info for this authentication object
         *
         * @var array
         */
        protected $_data = array();

        protected function _createHash($password, $salt)
        {
            return md5(md5($salt) . md5($password));
        }

        /**
         * Initialize data for the authentication object.
         *
         * @param string   Binary data from the database
         */
        public function setData($data)
        {
            $this->_data = unserialize($data);
        }

        /**
         * Generate new authentication data
         * @see XenForo_Authentication_Abstract::generate()
         */
        public function generate($password)
        {
            throw new XenForo_Exception('Cannot generate authentication for this type.');
        }

        /**
         * Authenticate against the given password
         * @see XenForo_Authentication_Abstract::authenticate()
         */
        public function authenticate($userId, $password)
        {
            if (!is_string($password) || $password === '' || empty($this->_data))
            {
                return false;
            }

            $userHash = $this->_createHash($password, $this->_data['salt']);
            return ($userHash === $this->_data['hash']);
        }
    }
    MyBb.php
    PHP:
    <?php

    /**
    * MyBB authentication method.
    *
    * @package XenForo_Authentication
    */
    class XenForo_Authentication_MyBb extends XenForo_Authentication_Abstract
    {
        /**
         * Password info for this authentication object
         *
         * @var array
         */
        protected $_data = array();

        protected function _createHash($password, $salt)
        {
            return md5(md5($salt) . md5($password));
        }

        /**
         * Initialize data for the authentication object.
         *
         * @param string   Binary data from the database
         */
        public function setData($data)
        {
            $this->_data = unserialize($data);
        }

        /**
         * Generate new authentication data
         * @see XenForo_Authentication_Abstract::generate()
         */
        public function generate($password)
        {
            throw new XenForo_Exception('Cannot generate authentication for this type.');
        }

        /**
         * Authenticate against the given password
         * @see XenForo_Authentication_Abstract::authenticate()
         */
        public function authenticate($userId, $password)
        {
            if (!is_string($password) || $password === '' || empty($this->_data))
            {
                return false;
            }

            $userHash = $this->_createHash($password, $this->_data['salt']);
            return ($userHash === $this->_data['hash']);
        }
    }
    vbulletin.php
    PHP:
    <?php

    /**
    * vBulletin authentication method.
    *
    * @package XenForo_Authentication
    */
    class XenForo_Authentication_vBulletin extends XenForo_Authentication_Abstract
    {
        /**
         * Password info for this authentication object
         *
         * @var array
         */
        protected $_data = array();

        protected function _createHash($password, $salt)
        {
            return md5(md5($password) . $salt);
        }

        /**
         * Initialize data for the authentication object.
         *
         * @param string   Binary data from the database
         */
        public function setData($data)
        {
            $this->_data = unserialize($data);
        }

        /**
         * Generate new authentication data
         * @see XenForo_Authentication_Abstract::generate()
         */
        public function generate($password)
        {
            throw new XenForo_Exception('Cannot generate authentication for this type.');
        }

        /**
         * Authenticate against the given password
         * @see XenForo_Authentication_Abstract::authenticate()
         */
        public function authenticate($userId, $password)
        {
            if (!is_string($password) || $password === '' || empty($this->_data))
            {
                return false;
            }

            $userHash = $this->_createHash($password, $this->_data['salt']);
            return ($userHash === $this->_data['hash']);
        }
    }
     
  10. Freddie Agricola

    Freddie Agricola Active Member

    Check for injected code on the first line. You may need to nano the file, press down, then left to go to the end of the first line.
     
    AT8500 likes this.
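An added example (not code from any poster in this thread) covering the checks in posts 7 and 10: it flags PHP files whose first line carries an eval/decode one-liner, and compares a live web root against a pristine copy of the same XenForo release so modified or foreign files stand out, which is the concrete form of "if in doubt, replace the files". The directory layout, file contents and the cgi-bin/default.php sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample trees are constructed.

# Print "SUSPECT <file>" for each PHP file whose first line calls a
# function commonly used to hide injected code, or is over 200 chars long.
scan_first_lines() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        first=$(head -n 1 "$f")
        if printf '%s' "$first" | grep -Eq '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
            || [ "${#first}" -gt 200 ]; then
            echo "SUSPECT $f"
        fi
    done
}

# Print "MODIFIED <path>" for PHP files that differ byte-for-byte from the
# clean tree and "EXTRA <path>" for files the clean tree does not have.
compare_to_clean() {
    clean="$1"; live="$2"
    (cd "$live" && find . -type f -name '*.php') | while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            echo "EXTRA $rel"
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
}

# Constructed sample: a clean copy, and a live copy where one file has a
# decode call prepended to its first line and a foreign cgi-bin script exists.
setup_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/library/XenForo" "$root/live/library/XenForo" "$root/live/cgi-bin"
    printf '<?php\nclass Foo {}\n' > "$root/clean/library/XenForo/Foo.php"
    printf '<?php\nclass Bar {}\n' > "$root/clean/library/XenForo/Bar.php"
    cp "$root/clean/library/XenForo/Bar.php" "$root/live/library/XenForo/Bar.php"
    printf '<?php eval(base64_decode("CONSTRUCTED"));\nclass Foo {}\n' \
        > "$root/live/library/XenForo/Foo.php"
    printf '<?php\n// foreign script\n' > "$root/live/cgi-bin/default.php"
    echo "$root"
}

# Stand-alone run over the constructed sample.
sample=$(setup_sample)
scan_first_lines "$sample/live"
compare_to_clean "$sample/clean" "$sample/live"
rm -rf "$sample"
```

On a real server, point compare_to_clean at a freshly downloaded XenForo package of the same version and the live web root; data and internal_data are not part of the package, so they still need the first-line scan and a manual look.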
  11. Brogan

    Brogan XenForo Moderator Staff Member

    If in doubt, just replace the files.
     
    AT8500 likes this.
  12. JamesJ

    JamesJ Member

    I'd just recommend backing up your database, and resetting your VPS.
    Just because you have files in /cgi-bin/ doesn't mean there aren't files in other places too, possibly embedded in cron-jobs.

    If you reset your machine, you completely wipe all bots/viruses/stuff you don't want.

    Just make sure you've got a backup of your database, as many as you can make.
     