XF 2.2 Site Hacked, Users Downgraded, Trying to Fix

[SurferJon]

Hi, my site was hacked on Monday. The person(s) managed to downgrade a few of my Paypal "user upgrades" while trying to figure out how to hijack the system. Here's a sample of what they did:

user-upgrades/downgrade&user_upgrade_record_id=284
user-upgrades/downgrade&user_upgrade_record_id=1219
user-upgrades/downgrade&user_upgrade_record_id=3225
(Quite a few more after this.)

I have a couple of questions:

1. How can I upgrade these users back? I looked at moving their entries from the "xf_user_upgrade_expired" table to the "xf_user_upgrade_active" table. Is that the proper procedure? The "expired" table has one additional date column, so I'm not sure which date column I should be dropping when moving a row from expired to active. I tried both but neither seemed correct, on the forums it looked like there were several with a past-due expiration date that shouldn't be expired yet.

2. I'm confused with how Paypal communicates with the forum software. Will Paypal send "updated" information back to the forums to correct the data? Or are both systems independent?

3. If I do manage to correct what the hacker did, will it still throw the subscriptions out of sync because the forums were down for several days and Paypal wasn't able to communicate with them?

4. My forums are currently offline but I can see them. Will Paypal still communicate with them?

5. The user also edited our three subscription plans to change the prices, but this was instantly fixed. Those payment plans are only used on the forums when talking to Paypal to setup an initial subscription, right? Editing the amount on the forums won't just suddenly change their prices in Paypal, correct?

Thank you for any help you can provide! It's been a very stressful week and I'm trying to fix everything. The hackers also managed to wipe our entire web server and reverse-engineered our backup scripts to wipe out our backups. It's been hell! Luckily they weren't able to touch the databases besides using the forums to make a few changes, like above.

Also not sure if this is worth nothing but we were using XF 1.4.something and today I upgraded the forums to the latest version.

 

[Paul B]

Is that the proper procedure?

Absolutely not.

Just manually upgrade them in the ACP.

PayPal and any existing subscriptions won't be affected.

 

[SurferJon]

Thank you! So I would look up their Paypal subscriptions on Paypal to set the end date?

Also can you briefly tell me how the Paypal and Xenforo software work together?

 

[Paul B]

You should be able to see the subscription dates in the XF ACP - either in the upgrade section, or the payment provider log.

I don't really know what you want to know about XF and PP.
Everything is handled via code and callbacks.

 

[SurferJon]

After a payment profile is setup via XF, does Xenforo have any influence on a person's Paypal subscription in Paypal? The hacker modified the prices of our subscriptions. They also downgraded some users. I was wondering if this might have affected their subscriptions on Paypal.

And how does Paypal influence XF's subscriptions and upgrades?

 

[Paul B]

Neither one influences the other.

Once a subscription is set up, it remains as is until the member cancels it in PP.

 

[SurferJon]

What? They don't influence each other? I don't understand. Wouldn't Paypal have to tell the forums to stop a subscription if they cancel reoccurring payments via Paypal? And to continue the subscription too?

It's been a long week so I might not be thinking straight.

 

[Paul B]

Wouldn't Paypal have to tell the forums to stop a subscription if they cancel reoccurring payments via Paypal?

That's what I posted above.

 

[SurferJon]

I had to do a couple of test upgrades. Would Paypal only send the "cancel" command once, or does it update everyone's cancellation instructions every time it talks to the forums?

EDIT: Is my understanding below correct?

When a Xenforo user first subscribes to a payment plan on Xenforo (like a weekly plan or monthly plan), Xenforo sends this initial payment plan to Paypal. The user agrees to this on Paypal and their subscription is created there. On Xenforo, the forum sets the end date for the user based on the initial payment plan's end date (so after one week or one month). The user will be downgraded when this date is reached. However, this end date is extended when Paypal tells Xenforo the user has continued to subscribe (a "renewal" message). Otherwise if Xenforo doesn't hear from Paypal, it downgrades the user according to its own date.

Assuming my understanding is correct, I now have two questions:

1. If your forums are offline for several days and you bring them back online, will some users be downgraded by Xenforo because the forums were dead when Paypal sent its "renewal" messages? As in, the forums didn't hear Paypal?

2. If the hacker downgraded some users (or you do), and those users continue to subscribe via Paypal, will Paypal eventually tell Xenforo to start-up their subscriptions again upon the next "renewal" message? Will it "revive" their subscriptions?

 

[Mike]

1. If your forums are offline for several days and you bring them back online, will some users be downgraded by Xenforo because the forums were dead when Paypal sent its "renewal" messages? As in, the forums didn't hear Paypal?

Yes this will be true to a degree, though if the site was properly inaccessible, then PayPal will retry their callbacks for a period of time (until it gets a successful response).

2. If the hacker downgraded some users (or you do), and those users continue to subscribe via Paypal, will Paypal eventually tell Xenforo to start-up their subscriptions again upon the next "renewal" message? Will it "revive" their subscriptions?

Yes, they should be reupgraded when their next payment goes through (and we're notified of that).