XF 1.5 Removing plugins files

[Codeless]

Hello my system admin just informed me he says our server is being attacked bcoz of Xen Foro is vulnerable.

[1941333.822073] __ratelimit: 1709 callbacks suppressed
[1941333.822081] UDP: bad checksum. From 59.54.249.132:4230 to 79.xx.xx.74:27015 ulen 33
[1941333.826044] UDP: bad checksum. From 59.54.249.132:41693 to 79.xx.xx.74:27015 ulen 33
[1941333.827775] UDP: bad checksum. From 59.54.249.132:33759 to 79.xx.xx.74:27015 ulen 33
[1941333.828210] UDP: bad checksum. From 59.54.249.132:22323 to 79.xx.xx.74:27015 ulen 33
[1941333.828283] UDP: bad checksum. From 59.54.249.132:60188 to 79.xx.xx.74:27015 ulen 33
[1941333.828721] UDP: bad checksum. From 59.54.249.132:55757 to 79.xx.xx.74:27015 ulen 33
[1941333.829638] UDP: bad checksum. From 59.54.249.132:1607 to 79.xx.xx.74:27015 ulen 33
[1941333.829672] UDP: bad checksum. From 59.54.249.132:23521 to 79.xx.xx.74:27015 ulen 33
[1941333.829733] UDP: bad checksum. From 59.54.249.132:8767 to 79.xx.xx.74:27015 ulen 33
[1941333.830168] UDP: bad checksum. From 59.54.249.132:5238 to 79.xx.xx.74:27015 ulen 33
[1941339.901260] __ratelimit: 1014 callbacks suppressed
[1941339.901267] UDP: bad checksum. From 59.54.249.132:26049 to 79.xx.xx.74:27015 ulen 33
[1941339.904680] UDP: bad checksum. From 59.54.249.132:46664 to 79.xx.xx.74:27015 ulen 33
[1941339.905445] UDP: bad checksum. From 59.54.249.132:11925 to 79.xx.xx.74:27015 ulen 33
[1941339.906299] UDP: bad checksum. From 59.54.249.132:59360 to 79.xx.xx.74:27015 ulen 33
[1941339.906970] UDP: bad checksum. From 59.54.249.132:46165 to 79.xx.xx.74:27015 ulen 33
[1941339.907201] UDP: bad checksum. From 59.54.249.132:39451 to 79.xx.xx.74:27015 ulen 33
[1941339.907630] UDP: bad checksum. From 59.54.249.132:19925 to 79.xx.xx.74:27015 ulen 33
[1941339.907663] UDP: bad checksum. From 59.54.249.132:22823 to 79.xx.xx.74:27015 ulen 33
[1941339.909356] UDP: bad checksum. From 59.54.249.132:58046 to 79.xx.xx.74:27015 ulen 33
[1941339.909454] UDP: bad checksum. From 59.54.249.132:22064 to 79.xx.xx.74:27015 ulen 33
[1941345.074566] __ratelimit: 1799 callbacks suppressed
[1941345.074574] UDP: bad checksum. From 59.54.249.132:18276 to 79.xx.xx.74:27015 ulen 33
[1941345.075138] UDP: bad checksum. From 59.54.249.132:9403 to 79.xx.xx.74:27015 ulen 33
[1941345.075222] UDP: bad checksum. From 59.54.249.132:47727 to 79.xx.xx.74:27015 ulen 33
[1941345.075583] UDP: bad checksum. From 59.54.249.132:28858 to 79.xx.xx.74:27015 ulen 33
[1941345.076203] UDP: bad checksum. From 59.54.249.132:40701 to 79.xx.xx.74:27015 ulen 33
[1941345.076546] UDP: bad checksum. From 59.54.249.132:10921 to 79.xx.xx.74:27015 ulen 33
[1941345.076578] UDP: bad checksum. From 59.54.249.132:23385 to 79.xx.xx.74:27015 ulen 33
[1941345.076648] UDP: bad checksum. From 59.54.249.132:44402 to 79.xx.xx.74:27015 ulen 33
[1941345.076746] UDP: bad checksum. From 59.54.249.132:25499 to 79.xx.xx.74:27015 ulen 33
[1941345.077100] UDP: bad checksum. From 59.54.249.132:23098 to 79.xx.xx.74:27015 ulen 33

Now i just removed all plugins i installed and upgraded it to Xenforo 1.5.10 most latest version + i upgraded my style version now i dont have any plugins installed in system

i have an idea if i remove all xenforo files and upload new files with style files it will work for me bcoz i dont know which file is doing bad and i cant check them is this possible to do it i have written blew my steps i am taking


1- Uninstall all plugins from ACP
2- Uninstall all styles ACP
3- Copy Config file from library/config.php
4- Copy Data folder (included attachments + images)
5- Copy sitemaps
6- upload new xenforo file and upgrade board
7- after upgrade done Delete files from forum root
8- upload fresh files to forum root
9- then upload only ad-server module (Latest version)
10- Then upload style files (Latest version)
11- then check all things if working fine


this just my idea i need experts suggestions if it will work

 

[Snog]

On the surface, those have nothing to do with XenForo.

Either there is a problem with a gameserver (if you have one installed), or your server is experiencing a network layer DDOS attack.

 

[Codeless]

i didn't installed any game server

 

[Codeless]

also i have Strong DDOS protection
Cloudflare + Hardware Firewall + Software Firewall
System Kernal + Cpanel repositories are updated

 

[Codeless]

i also found this in error log

[07-Oct-2016 19:06:07 UTC] PHP Fatal error:  Class 'XenForo_Model' not found in /home/XXX/public_html/library/XenForo/Model/DataRegistry.php on line 14

 

[Robru]

...and block China

 

[Snog]

UDP ports aren't used by XenForo. I suppose you could have an add-on that uses them.

 

[Snog]

i also found this in error log

[07-Oct-2016 19:06:07 UTC] PHP Fatal error:  Class 'XenForo_Model' not found in /home/XXX/public_html/library/XenForo/Model/DataRegistry.php on line 14

That's saying a file is missing from your system. More specifically library/Xenforo/Model.php.

Unless there is some pressing reason for your firewall to be allowing UDP traffic, UDP ports should be blocked. If you're running your own DNS nameserver, then only UDP port 53 needs to be open.

UDP is a common DoS attack route because UDP will continue sending packets without acknowledgement.

 

[Robust]

Very rare you will find a malicious add-on on the XF RM by the way. The community and XenForo staff are very proactive. Generally, a lot of the add-ons there are safe from intentional malicious activity, at least.

But yes, as @Snog said, I doubt that has anything to do with XenForo.

You are getting lots of UDP packets sent to a port 27015. This kind of port range is typically use for game servers. The Steam client also operates using UDP packets to this port, for game traffic and HLTV [src].

This seems like a targeted UDP attack, based on the location of the from IP and the specific port (related to game servers) of the to IP. There is likely a game server or, at least, the steamcmd utility installed on your server which you may not be aware about. But there isn't enough information for a concrete answer. It could also be a legitimate error, but that's less likely from the pattern in your log.

But there is a 95% chance this has nothing to do with XenForo, especially if you can still reproduce this by uninstalling all XenForo add-ons.

Edit: Reiterating what @Snog said, also. If you don't need UDP, just block the protocol using iptables limiting or network firewall (if your provider does that).

 

[Codeless]

thank you allz for reply. we are using Maxmind Fraud detection to block countries i have blocked china russia india and other similare countries. our web open for UK / USA and some others

 

[Robust]

thank you allz for reply. we are using Maxmind Fraud detection to block countries i have blocked china russia india and other similare countries. our web open for UK / USA and some others

Have you tried doing it via CloudFlare or your provider instead? If you're doing this server-side, I believe there is quite a high overload. I've seen someone use a different tool before, it checked IPs on every request to match them up and the overhead was massive, it wasn't a good idea.