XF 1.2 Unknown column 'forum.node_id' in 'where clause'

NeilEccles

Member
Thank you Mike,

You are obviously more experienced at this kind of thing than me. If I may make some observations:

1) Is it assumed that my installation has been hacked? Nobody has said this at the moment. People have just asked which add ins I have and what unusual activity was going on.
2) Just because you have never heard of an ISP doesn't mean it isn't respectable or well thought of. The point of my remark was to mention that it was not a "Mickey Mouse" outfit. Of course anything can be hacked if the person has more skill than me! It is not fair to brush off a UK firm like that. Sorry if this sounds harsh, I am just making a point.
3) If I went through the logs (which I have tried to do for those which are accessible) I don't have the background to spot the problems. I have to rely on the expertise and will of my ISP to do so.
4) I don't accept your statement "If this was caused by xF, it would be happening far more than the few incidents reported." although I agree it is likely to be the case. There is just a faint possibility that it could be a small error in XF not hitherto discovered, however unlikely.

So where do I go from here?

I think my options are:
a) Change all the passwords on the host and db
b) Do frequent backups (like 3 times a day)
c) Wait and see if it happens again
d) Attempt to use another bb system (I am very reluctant to do this having invested time and money in Xenforo, and because I like it)

I am tempted to do b and c for a few days until I can get a reliable wifi connection, then do a)

Any thoughts or alternative would be most gratefully received.

Thanks to everyone who has commented and attempted to help thus far.

Kind regards

Neil
 

Mike Edge

Well-known member
2) Just because you have never heard of an ISP doesn't mean it isn't respectable or well thought of. The point of my remark was to mention that it was not a "Mickey Mouse" outfit. Of course anything can be hacked if the person has more skill than me! It is not fair to brush off a UK firm like that. Sorry if this sounds harsh, I am just making a point.

3) If I went through the logs (which I have tried to do for those which are accessible) I don't have the background to spot the problems. I have to rely on the expertise and will of my ISP to do so.

a) Change all the passwords on the host and db
Hi Neil,

I wasn't saying they were or weren't. My never hearing of them before, I just simply could not state if they were or not. There are some great unknown companies out there along with some who think GoDaddy is a great host just because they are well known.

If you don't have access, give your host about the time this happened so they can look through the logs for drops to determine what or who dropped it.

Changing passwords isn't going to matter. If this is an add-on doing it (which I highly doubt), password changing won't matter as it uses the info in the config file. If this is being exploited, same, password changing won't matter as they have gained direct access to the database through root.

What version of PHP are you using? What version is the MySQL server? Is it stock or a drop in like Percona or MariaDB?
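
The log search for drops suggested above, sketched as an added example that is not part of the thread or of XenForo's code: it scans a MySQL general query log (5.5 layout) for destructive schema statements and reports which connection and account issued them. The sample lines, the table name xf_forum, the accounts and the address are constructed, and it assumes the general query log was enabled at the time.

```python
import re

# Constructed sample in the MySQL 5.5 general query log layout (not from the thread).
# The table name xf_forum, the accounts and the address are assumptions for illustration.
SAMPLE_LOG = (
    "130412  3:14:07\t   41 Connect\tforum_user@localhost on forum_db\n"
    "\t\t   41 Query\tSELECT * FROM xf_forum WHERE node_id = 2\n"
    "130412  3:14:09\t   42 Connect\troot@203.0.113.7 on forum_db\n"
    "\t\t   42 Query\tALTER TABLE xf_forum DROP COLUMN node_id\n"
    "\t\t   42 Quit\t\n"
    "130412  3:14:10\t   41 Query\tSELECT title FROM xf_node\n"
)

# Optional timestamp (only written when the second changes), connection id,
# command name, tab, argument.
ENTRY = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<id>\d+) (?P<cmd>[A-Za-z ]+?)\t(?P<arg>.*)$"
)
# Statements that remove schema objects or data wholesale.
DESTRUCTIVE = re.compile(
    r"^\s*(DROP\s+(TABLE|DATABASE|INDEX)\b|TRUNCATE\b|ALTER\s+TABLE\b.*\bDROP\b)",
    re.IGNORECASE | re.DOTALL,
)


def find_destructive_ddl(log_text):
    """Return (timestamp, connection id, account, statement) for each destructive statement."""
    current_ts = None
    accounts = {}  # connection id -> "user@host" taken from its Connect line
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # server banner, header, or continuation of a multi-line query
        if m.group("ts"):
            current_ts = " ".join(m.group("ts").split())
        conn_id = int(m.group("id"))
        cmd, arg = m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            accounts[conn_id] = arg.split(" on ")[0]
        elif cmd == "Query" and DESTRUCTIVE.match(arg):
            findings.append((current_ts, conn_id, accounts.get(conn_id, "unknown"), arg))
    return findings


if __name__ == "__main__":
    for ts, conn_id, account, stmt in find_destructive_ddl(SAMPLE_LOG):
        print(f"{ts}  conn={conn_id}  {account}  {stmt}")
```

The general query log is off by default, so a host may only be able to answer this from the binary log, if that was enabled.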
 

Jeremy

Well-known member
We cannot assume your installation was hacked, so far there hasn't been any real indication of that. In Misty's case, such an issue was obvious after looking around the system.

Changing passwords regularly is always a good security practice, it probably couldn't hurt. Removing a column in a table is a very, very specific command, one that doesn't exist anywhere near prefixes and the code that functions them.
 

NeilEccles

Member
Hi Mike and King

Thank you so much for your interest. I had not realised that you could access the database without a password.

The following info is from my cpanel
Apache version 2.2.23
PHP version 5.3.17
MySQL version 5.5.30-cll

I don't understand the word "stock" in this context, but I don't think it is Percona or Maria
phpMyAdmin returns "MySQL Community Server (GPL)"

Does this help?

Kindest

Neil
 

Jeremy

Well-known member
You can't access it without a password (unless your server is set up like that), but if they gain access to say cPanel, they may have direct access to your full site without hindrance.
 

Mike Edge

Well-known member
You can't access it without a password (unless your server is set up like that), but if they gain access to say cPanel, they may have direct access to your full site without hindrance.
Unless it is an injection via root. Then they could access any database or file for that matter as they are accessed via root user.
 

NeilEccles

Member
Hi Mike and King

Thanks very much. I have now changed my cPanel, database, and all Admin passwords on Xenforo. Do you think I need to do anything else?

Kind regards

Neil
 

JulianD

Well-known member
Hi Mike and King

Thanks very much. I have now changed my cPanel, database, and all Admin passwords on Xenforo. Do you think I need to do anything else?

Kind regards

Neil
Since your technical expertise is rather low in Linux systems, you've done more than you are expected to do. Just try to backup as much as you can until this gets solved.

Just to be clear on something, I'm also very positive that this is not related to XenForo at all. I have been hacked in the past and most of the times it was due to outdated software, insecure add-ons (I'm looking at you, vBSEO) or shared Web hosting without proper security in place.
 

Alfa1

Well-known member
This may be nothing, but I noticed that @MistyMeanor's site has a vbulletin favicon, which may indicate that xenforo and old vbulletin (addon) files are both present. Is it possible that old vbulletin addon files are still present on these servers? Like for example vbseo or other high risk addons.
 

NeilEccles

Member
Hi Alfa1

Interesting. Mine is a new server with a clean install of Xenforo 1.14 which was subsequently updated to 1.15 shortly afterwards.

After a tussle to get my old forum on Discusware converted, I eventually found a firm to do it which they did well (Gconverter). I have since deleted their access to all the relevant parts of the server.

So vbulletin is not common in both our problems.

It seems that most folk think hacking is the most likely cause, but I can't see why anyone would want to do it? Or how they did it unless it was one of the people I had asked to do the conversion, but I can't believe that a professional relationship would be abused. In any case I have now changed the passwords.

As is rather cruelly pointed out above :) , I don't know linux well and so maybe I have missed something blindingly obvious!

Anyhow I will await the oracles or just wait and see if it happens again.

Thanks everyone for your help, it is a great community.

Kindest

Neil
 

Jeremy

Well-known member
This may be nothing, but I noticed that @MistyMeanor's site has a vbulletin favicon, which may indicate that xenforo and old vbulletin (addon) files are both present. Is it possible that old vbulletin addon files are still present on these servers? Like for example vbseo or other high risk addons.
It isn't, the databases are completely separate and I do not believe I saw the vBulletin files (besides the favicon) still on the server.

Hi Mike and King

Thanks very much. I have now changed my cPanel, database, and all Admin passwords on Xenforo. Do you think I need to do anything else?

Kind regards

Neil
FTP passwords and if you have SSH access to your server, those should be changed as well.
 

UrlJet

Member
Hi, sorry to bring an old thread back to life but I'm curious if any determination of cause was made as I'm seeing the identical issue on a board today
 

NeilEccles

Member
Hi UrlJet

I am convinced my board was hacked. I changed all the passwords to very random ones and backed up everything daily, sometimes 3 x daily for months and nothing else happened.

Of course being still paranoid about this, I have just checked the site is ok before typing this reply.

I hope you get to the bottom of your problem, I never did.

Kindest

Neil
 

Market1234

Member
Never have heard of them. Anyway, just because the host says they are fine, doesn't mean they weren't compromised, they might not have found where they got in, making everything appear as OK. Also how respected of a business you are doesn't matter, hacking happens at all business levels, from new companies to top rated businesses with the best IT in the industry. I would recommend going through your logs yourself and looking at what did the drop. If this was caused by xF, it would be happening far more than the few incidents reported.
I got this issue two nights in a row. My forum was fine and then it went blank. Not sure what is going on
 

Brogan

XenForo moderator
Staff member
If it's not an add-on involved, you should contact your host.

Tables and columns don't get removed/deleted for no reason.
 