XF 1.5 Security Question

L

Louise Williams

Member
Hi

Our volunteer techy help and site admin had a fairly major disagreement about 4 months ago - one of them hacked the site and basically totally buggered it up - we had it rebuilt and it is on a new server. Today one of the old techy people sent me an email telling me he still has an old backup (about 4 months old) and intends to use the "passwords and scripts" in it to destroy the site. We are a not for profit organisation supporting people who are suicidal and have mental health problems - I have 30k members that come to the site for support and, well, in a lot of cases to keep themselves alive.

We have changed all the server passwords, cpanel, root, ftp and the works. All the admin passwords for xenforo have been changed too. I believe that the passwords in the database are (or should be) all encrypted. I have no idea what he means when he refers to "using the scripts".

Any ideas on precautions I can take besides what I have mentioned to protect the site for our members? And what kind of risk I am looking at (we have a full current backup - it is taken daily server side)
 
Sort by date Sort by votes
As long as your passwords are all changed and you have no compromised scripts on your server, then you should have little to worry about.
 
Upvote 0 Downvote
That would depend on what you're running. Just XenForo? XenForo + Wordpress? XenForo + 3 things?

The more you expand out the more chance of something being compromised.

When you got your new server running, was it with fresh files or files from the old server?
 
Upvote 0 Downvote
You can check for any file that is not part of xenforo or any of the other software that you are using. But if that person has gotten only an older database, I do not see how he can heck you. The passwords are encrypted in xenforo, but to make sure change the admin password and ask your other staff members to do the same.
 
Upvote 0 Downvote
DragonFlames said:
Louise,

If someone threatens you the normal thing to do is to report it to the Police isn't it.
Click to expand...

The guy in question isn't in the UK or the US - I don't think the police of his country would actually care, though thank you for the advice.

wang said:
You can check for any file that is not part of xenforo or any of the other software that you are using. But if that person has gotten only an older database, I do not see how he can heck you. The passwords are encrypted in xenforo, but to make sure change the admin password and ask your other staff members to do the same.
Click to expand...

I have changed all the admin passwords and all the server passwords just to be safe (though I don't know how he'd have got those anyway) It's good about the passwords being encrypted. I will see if my colleague knows how to check for files that are not part of our software. Thank you.

Slavik said:
That would depend on what you're running. Just XenForo? XenForo + Wordpress? XenForo + 3 things?

The more you expand out the more chance of something being compromised.

When you got your new server running, was it with fresh files or files from the old server?
Click to expand...

We are running Xenforo, Wordpress and a Chat software. I don't have the skills to do more than a cursory look at the files. Maybe I just need to hire someone to take a proper look at it all from a security point of view. We did transfer files from the old server which is my big concern - I don't know if our old webmaster wrote in back doors and the like, and I haven't the first idea how to find them if he did (let alone close them). I will see if I can find someone to look at the files and stuff. I'd rather fork out some cash than wake up in the middle of the night in a panic!

Thank you all for your help/advice :)
 
Upvote 0 Downvote
Louise Williams said:
We are running Xenforo, Wordpress and a Chat software. I don't have the skills to do more than a cursory look at the files. Maybe I just need to hire someone to take a proper look at it all from a security point of view. We did transfer files from the old server which is my big concern - I don't know if our old webmaster wrote in back doors and the like, and I haven't the first idea how to find them if he did (let alone close them). I will see if I can find someone to look at the files and stuff. I'd rather fork out some cash than wake up in the middle of the night in a panic!

Thank you all for your help/advice :)
Click to expand...

If you transfered the files from a server where that admin had access to, then you must check them as soon as possible.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

pupu
  • Question Question
XF 2.2 Questions About XenForo Permissions and Security
Replies
0
Views
34
pupu
pupu
L3gacy
  • Question Question
XF 2.3 User Group permissions Question
Replies
7
Views
54
philmckrackon
philmckrackon
SeToY
  • Solved
XF 2.2 Properly fix security issue with v2.2.16
Replies
19
Views
320
FTL
FTL
MapleOne
  • Question Question
XF 2.3 Route Filter CASE question
Replies
1
Views
35
briansol
B
pilot823
  • Question Question
XF 2.3 API Registration Question
Replies
0
Views
18
pilot823
pilot823
Back
Top Bottom