1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Security Question

Discussion in 'XenForo Questions and Support' started by Louise Williams, May 8, 2016.

  1. Hi

    Our volunteer techy help and site admin had a fairly major disagreement about 4 months ago - one of them hacked the site and basically totally buggered it up - we had it rebuilt and it is on a new server. Today one of the old techy people sent me an email telling me he still has an old backup (about 4 months old) and intends to use the "passwords and scripts" in it to destroy the site. We are a not for profit organisation supporting people who are suicidal and have mental health problems - I have 30k members that come to the site for support and, well, in a lot of cases to keep themselves alive.

    We have changed all the server passwords, cpanel, root, ftp and the works. All the admin passwords for xenforo have been changed too. I believe that the passwords in the database are (or should be) all encrypted. I have no idea what he means when he refers to "using the scripts".

    Any ideas on precautions I can take besides what I have mentioned to protect the site for our members? And what kind of risk I am looking at (we have a full current backup - it is taken daily server side)
  2. Slavik

    Slavik XenForo Moderator Staff Member

    As long as your passwords are all changed and you have no compromised scripts on your server, then you should have little to worry about.
  3. I have no idea what a compromised script is or might look like - is there any way I can check?
  4. Slavik

    Slavik XenForo Moderator Staff Member

    That would depend on what you're running. Just XenForo? XenForo + Wordpress? XenForo + 3 things?

    The more you expand out the more chance of something being compromised.

    When you got your new server running, was it with fresh files or files from the old server?
  5. wang

    wang Well-Known Member

    You can check for any file that is not part of xenforo or any of the other software that you are using. But if that person has gotten only an older database, I do not see how he can heck you. The passwords are encrypted in xenforo, but to make sure change the admin password and ask your other staff members to do the same.
  6. DragonFlames

    DragonFlames Active Member


    If someone threatens you the normal thing to do is to report it to the Police isn't it.
  7. The guy in question isn't in the UK or the US - I don't think the police of his country would actually care, though thank you for the advice.

    I have changed all the admin passwords and all the server passwords just to be safe (though I don't know how he'd have got those anyway) It's good about the passwords being encrypted. I will see if my colleague knows how to check for files that are not part of our software. Thank you.

    We are running Xenforo, Wordpress and a Chat software. I don't have the skills to do more than a cursory look at the files. Maybe I just need to hire someone to take a proper look at it all from a security point of view. We did transfer files from the old server which is my big concern - I don't know if our old webmaster wrote in back doors and the like, and I haven't the first idea how to find them if he did (let alone close them). I will see if I can find someone to look at the files and stuff. I'd rather fork out some cash than wake up in the middle of the night in a panic!

    Thank you all for your help/advice :)
  8. wang

    wang Well-Known Member

    If you transfered the files from a server where that admin had access to, then you must check them as soon as possible.
  9. Joeychgo

    Joeychgo Well-Known Member

    That should be all the police need to act.
  10. Dakota Storm

    Dakota Storm Well-Known Member

    If the culprit is based in a non western country though, I'm not sure there is much the can do.

    OP, I'd also advice a forced reset of all your members passwords as well.
  11. Thank you - I will look into how to do that :)
  12. Dakota Storm

    Dakota Storm Well-Known Member

    Also, I know you're non profit but you want want to try and hire someone to do a security audit on your setup, especially as you have Wordpress installed.
  13. Yes, I agree that this is a really good idea. I will look at what we can do about this.
  14. Dakota Storm

    Dakota Storm Well-Known Member

    Given what your site is for, you may even be able to find someone to do it for free.
  15. Tracy Perry

    Tracy Perry Well-Known Member

    If not, I think Sucuri has a service to perform those functions for malware, etc.

Share This Page