1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo hacked

Discussion in 'Troubleshooting and Problems' started by giorgino, Dec 19, 2012.

Thread Status:
Not open for further replies.
  1. giorgino

    giorgino Well-Known Member

    Hi all. I'm in trouble with one of my board.

    The hacker modify my ad_header template with a malicious link
    In my admin log:

    Schermata 2012-12-19 alle 16.30.17.png

    array(12) {
      ["titleArray"] => array(1) {
        [537] => string(9) "ad_header"
      ["styleidArray"] => array(1) {
        [537] => string(1) "2"
      ["templateArray"] => array(1) {
        [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
    <div class="ad_header">
    <!-- immobilio_728:90_header -->
    <div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
    <script type='text/javascript'>
    googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
    <!-- Fine Banner Testata 728x90 -->"
      ["addon_id"] => string(7) "XenForo"
      ["style_id"] => string(1) "2"
      ["template_id"] => string(3) "537"
      ["title_original"] => string(9) "ad_header"
      ["includeTitles"] => array(3) {
        [1] => string(13) "ad_header.css"
        [2] => string(9) "ad_header"
        [3] => string(13) "ad_header.css"
      ["_TemplateEditorAjax"] => string(1) "1"
      ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
      ["_xfNoRedirect"] => string(1) "1"
      ["_xfResponseType"] => string(4) "json"
    What can I do? :(
  2. James

    James Well-Known Member

    Have you reverted those templates?
    Jake Bunce likes this.
  3. giorgino

    giorgino Well-Known Member

    As soon as I seen this link, I've recovered my hacked admin password via usual e-mail procedure, and reverted the template. But after one or two days same thing
  4. Digital Doctor

    Digital Doctor Well-Known Member

    Of the last 10 times someone said their Xenforo was hacked, it was determined to be a server security issue.
    Without knowing anything about your server, no one can really help.
    Jake Bunce and luutruong like this.
  5. Slavik

    Slavik XenForo Moderator Staff Member

    Correct, all known cases of XenForo "hackings" we dealt with on support have been down to security issues with the web host.
    Puntocom and Jake Bunce like this.
  6. Digital Doctor

    Digital Doctor Well-Known Member

    Jake Bunce likes this.
  7. Digital Doctor

    Digital Doctor Well-Known Member

    Contact your host ASAP.
    Secure your current backups ASAP.
    Backup again ASAP.

    Provide information here if you want the community to help.
    Jake Bunce likes this.
  8. Chris D

    Chris D XenForo Developer Staff Member

    Also relevant. What version of XF are you running?
    Jake Bunce and borbole like this.
  9. borbole

    borbole Well-Known Member

    Indeed, version of xenforo being used is very important. In addition to that, can you also tell us what mods do you have installed and if you did any change/s to your forum prior to getting hacked?
    Jake Bunce likes this.
  10. tenants

    tenants Well-Known Member

    This time, the Admin password has been changed... it could still be any level of attack

    While you can, check your server access logs for those IP addresses (and any brute force attempts on the front end forum, this will be index.php login/login), these attempts are usually fairly obvious (thousands of attempts on the same location, usually with the same IP address)
    ... Ask your host if they can check for any brute force attempts against the CPanel/FTP (and list all the IP addresses that have accessed CPanel/FTP)

    What do you have to prevent brute force attacks against CPanel/FTP and do you have a strong passwords on them (also, do you have a strong pass on forum admin account)

    Are you on a managed server?
    And yes, is this pre 1.1.3 XF (since there is a know security issue that was fixed, see here), in which case, upgrade
    Jake Bunce likes this.
  11. giorgino

    giorgino Well-Known Member

    Thanks to all :) Really

    Some informations about our structure.
    We've three dedicated servers (One for http access via nginx, one for MySql and one for mail server). We running up to five xenforo sites, two vB sites and various worpress blogs.

    The problem regard only one xf forum. All are latest versions.
    These are the installed add ons:

    Schermata 2012-12-19 alle 18.24.23.png

    No panels on servers.

    Thanks for help :)
  12. Chris D

    Chris D XenForo Developer Staff Member

    The Admin password that was hacked on XenForo, is it used anywhere else?

    Just because the damage was caused to XenForo doesn't necessarily mean the password was extracted from there. If you use the same password on WordPress or vBulletin and that was somehow hacked. Is Wordpress and vBulletin up to date?

    Also, do you use any shared PCs? Is your own PC secure? Do you have active and up to date antivirus? Does a scan reveal you have any key logging software enabled?
    Jake Bunce likes this.
  13. Digital Doctor

    Digital Doctor Well-Known Member

    Are they all up to date ?
    Would be nice if there was a way for the admin panel to show if there was a new version of your current addons.
    Jake Bunce likes this.
  14. Slavik

    Slavik XenForo Moderator Staff Member

    The idea was suggested, and I even run it on XenTrader, however people shot it down cos they don't like callbacks.
  15. Digital Doctor

    Digital Doctor Well-Known Member

    Where was the thread ?

    Some don't want callbacks.
    Giving people control over the "amount and timing of callbacks" would be the ticket.
    "Those People" could choose [2]

    == Options ==
    [1] daily, all addons
    [2] never
    [3] manually (as in this case). one click, the calling home does it's bit, you are presented a list of out of date addons and links to download.
    [4] only check when a security issue has been identified by xenforo.com
    [5] insert calling back option here.
    [6] .... etc.

    As an ultra lazy admin, I'd like callingback. Probably would use negligible server resources.
    Mouth likes this.
  16. Digital Doctor

    Digital Doctor Well-Known Member

    Wordpress gets compromised all the time.
    Mostly because of it's popularity.
  17. giorgino

    giorgino Well-Known Member

    Yes. But I think something like a MySql injection. I have two superadmin users. Me (Il Custode - user n. 2) and me (admin - user n.1).
    In the first attack was "admin" to write in ad_header template. So I have demoted admin to normal user without administration privileges.
    So the hacker/bot used my account changing my e-mail also. For recover my password I had to change my e-mail directly from phpMyAdmin, overwriting the hacker e-mail :confused:

    All the sites are updated.

    We use only Macs... with avast. No malware here...

    Yes the addons are all updated :)
  18. Digital Doctor

    Digital Doctor Well-Known Member

    Google the hacker email to find other people who were compromised.
    Jake Bunce likes this.
  19. Digital Doctor

    Digital Doctor Well-Known Member

    What about phpinfo stuff ?
    php version ?
    Wordpress version ?
    Wordpress addons ?
    Jake Bunce likes this.
  20. CyclingTribe

    CyclingTribe Well-Known Member

    You don't use Hostgator do you?
    Digital Doctor likes this.
Thread Status:
Not open for further replies.

Share This Page