XF 1.5 Site Hacked with Popup

[hopeful]

Hi, our site, hipforums.com was hacked showing a popup. I assume this was due to the old version 1.5 having bugs.
If anyone knows how to get rid of it, let me know.
Otherwise we will have to pay for the upgrade and have Xen do it.
Thanks!

 

[Paul B]

To clarify, the upgrade service would not include any investigation or work to identify and remove any breach or hack.

 

[hopeful]

Any idea how long this might take to do the upgrade? We have 9 million posts and around 300,000 members. I don't know if those tables are affected, but I presume they are. We are on a dedicated server.

 

[philmckrackon]

Hi, our site, hipforums.com was hacked showing a popup. I assume this was due to the old version 1.5 having bugs.
If anyone knows how to get rid of it, let me know.
Otherwise we will have to pay for the upgrade and have Xen do it.
Thanks!

Have you checked .htaccess for any changes?

 

[hopeful]

Yes, I did, but didn't see anything.... It doesn't popup in admin section. I think the hacker is whitehat. I've emailed him.

 

[philmckrackon]

Yes, I did, but didn't see anything....

A db search for "aesle" Probably not there as text so be sure to search the db for html encoded. Could be WAF encoded or even double encoded. It's well explained below.

Obfuscating attacks using encodings | Web Security Academy

In this section, we'll show you how you can take advantage of the standard decoding performed by websites to evade input filters and inject harmful payloads ...

portswigger.net

 

[MentaL]

You should upgrade, regardless. Where is the popup? Your site shows me as "banned".

 

[hopeful]

You should upgrade, regardless. Where is the popup? Your site shows me as "banned".

We will do the upgrade once we deal with the hack. You might be banned by IP# if you're using a proxy.

 

[MentaL]

We will do the upgrade once we deal with the hack. You might be banned by IP# if you're using a proxy.

No proxy

 

[hopeful]

Well if you were once a member there could other reasons...lol.

 

[MentaL]

Nope, never heard of you, never been a member. Totally dedicated static ip for work purposes used, 100% legit optic network.

Anyways, your site is pushing a popup from: https://static.puffnetwork.com/pufftag.min.js

 

[hopeful]

Thanks for the info! Where did you find that and how do I stop it?

 

[MentaL]

search your templates and remove it. But the question is how it got there. Maybe your serving an ad network that got hacked?

<script type="text/javascript">(function(p,u,f,d){p.puffObj=d;p[d]=p[d]||function(){(p[d].q=p[d].q||[]).push(arguments)};e=u.createElement('script');x=document.getElementsByTagName('script')[0];e.async=1;e.src=f;x.parentNode.insertBefore(e,x)})(window,document,'https://static.puffnetwork.com/pufftag.min.js','puffads');puffads('init','535');</script>

 

[hopeful]

Got it! Thanks a bunch, owe you one. Can't believe I didn't check the header template. Was looking in files and db. I checked logs too but nothing showed up. Although we get hackers trying everyday. Guess time to upgrade!

 

[hopeful]

Turns out site is secure. Problem was from an old ad network with legacy code. Guess they played a trick on us, popping up that ad to let us know their code was still active.

 

[Alpha1]

If you want to increase your security and avoid confusion about template and file changes:
This addon tracks template changes, file changes and adds a load of security features:

[DBTech] DragonByte Security

Jun 7, 2016

Improve your forum's security

• DragonByte Tech
• bot detection dbtech ip ban security tor blocking vbsecurity
• New applications [1.x]

 

[MentaL]

Turns out site is secure. Problem was from an old ad network with legacy code. Guess they played a trick on us, popping up that ad to let us know their code was still active.

called it.

 

[Suzanne O]

Well if you were once a member there could other reasons...lol.

Lol. Just saw your message on your site just now.
Glad it's sorted. Another rival site was having a laugh at your expense.

 

[Sim]

FWIW - I've had some difficulty lately with malicious adverts occasionally taking over and redirecting to other pages.

It's obviously coming from our ad network - I've complained about it and they insist that they are trying to get things blocked, but it does seem like some bad actors are creeping into the ad networks and they aren't doing enough to block them.

 

[rdn]

What ad networks are those? Is it Adsterra?