Rebels Team. Hacked

Xantam

Active member
Hey there.

So today while I was out at work, a -very stupid- team of hackers decided to target my forums. Our FTP is VERY secure, they could not have had any way of getting through my FTP. This leads me to believe that they found some leak or loophole in the PHP of xenforo, considering every site they use is PHP based.

Here is some hotlinks:
The index.php they used (Via mediafire)
The index.php in action on my forums
Their facebook where they have a wall of hacked sites
Their photobucket where half their images are kept

I am not 100% sure how they did it, they may have very well got our FTP; However I am sure if they did that, they'd have damaged much more than our index.php. Replacing their hacked index.php with the original was all that needed doing.

You may well already be aware of this, if so I am sorry, I did quick search "rebel" to see if this was a dupe post.

Thanks - And good luck :)
 
Are you on a shared server?

How do you know they didn't compromise the server itself?

Have you checked the server logs to see who accessed what and when?
 
Eyhhh. I am looking into it, done a lot of research on it already. This may very well not be an issue of xenforo, I don't directly have access to the logs at this moment but I will be looking when I can get the access.

The site we use is on a hosting plan, not a dedicated machine if that is what you mean. As I said, I am not 100% sure how they did this, I just wanted to raise this to everyones attention, as it looks like a paid service, it could happen to everyone or anyone.
 
You should contact your host and ask them how they gained access.

My guess is either the server itself was compromised, possibly from another account, or one of your admin passwords was.

In three years there have been no reports of the XenForo software being vulnerable to hacking.
 
Indeed, there are no known security issues with xenforo. What other scripts do you have installed in your server space besides xenforo?

If I were you, I would contact the host as well so they can check the access logs for around of the time of the hack and to see what went down and how it did.
 
Indeed, there are no known security issues with xenforo. What other scripts do you have installed in your server space besides xenforo?

If I were you, I would contact the host as well so they can check the access logs for around of the time of the hack and to see what went down and how it did.
Nothing. Only the forums are on our server. However I trust in the integrity of your words Brogan and Borbole, I will indeed look into this further when I can.

In the mean time, instead of this being a bug report then, take it as a warning. I felt it my duty to try at least get a message about these prats before someone else falls victim. If you check that facebook link, it implies they do it for a hobby/job as their bank balance is over 2k, and means they do it on request.
 
The fact you are on a shared hosting plan and what was done was an index replacement, suggests what @Brogan said about another site on the hosting server being compromised, and gained access to all the other accounts on the box.
 
hello
You just saved my life there.
A little while this post, but : did you find finally how they managed to get in ? Some of websites I managed got hacked.
Thanks for the replies
 
hello
You just saved my life there.
A little while this post, but : did you find finally how they managed to get in ? Some of websites I managed got hacked.
Thanks for the replies

I can't remember the result if I am completely honest. My host said there was no sign of malicious assault and no one else but me reported this happening on the box.

Did you get hacked by the same team?
 
We host some large communities along with our share of controversial forums, all on our shared hosting platform. We have never had a client hacked or defaced. You can be rest assured that xenForo is very safe and secure. It is infact one of the best written PHP application. From the screenshots, it seems your account wasn't compermised, it was defaced by PHP injection from either an application within your account or via another clients account, indicating your hosts server is not very secure. Do you have any other PHP applications on your account like maybe WordPress, webmail or maybe a PHP ad server?
 
hello
thanks for the prompt reply.Yes, same people, they hacked the websites as they were on one shared hosting. I contacted our host, they never replied neither looked into it, we wanted to know how they did it before we deinstall and reinstall , but your post saved us some time
 
Top Bottom