XenForo hacked

Status
Not open for further replies.

giorgino

Well-known member
Hi all. I'm in trouble with one of my boards.

The hacker modified my ad_header template with a malicious link.
In my admin log:

Schermata 2012-12-19 alle 16.30.17.png

Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}
What can I do? :(
 

Slavik

XenForo moderator
Staff member
Of the last 10 times someone said their Xenforo was hacked, it was determined to be a server security issue.
Without knowing anything about your server, no one can really help.
Correct, all known cases of XenForo "hackings" we dealt with on support have been down to security issues with the web host.
 

borbole

Well-known member
Indeed, the version of XenForo being used is very important. In addition to that, can you also tell us what mods you have installed and whether you made any changes to your forum prior to getting hacked?
 

tenants

Well-known member
This time, the Admin password has been changed... it could still be any level of attack

While you can, check your server access logs for those IP addresses (and any brute force attempts on the front end forum, this will be index.php login/login), these attempts are usually fairly obvious (thousands of attempts on the same location, usually with the same IP address)
... Ask your host if they can check for any brute force attempts against the CPanel/FTP (and list all the IP addresses that have accessed CPanel/FTP)

What do you have to prevent brute force attacks against CPanel/FTP, and do you have strong passwords on them (also, do you have a strong pass on the forum admin account)?

Are you on a managed server?
And yes, is this pre 1.1.3 XF (since there is a known security issue that was fixed, see here), in which case, upgrade
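
The access-log check suggested in the post above, as an added example that is not part of the original thread: it counts POST requests to the login endpoint per client IP and lists the busiest sources. The combined log format, the `login/login` path match, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined log format (nginx/Apache default). Assumed: the thread shows no real logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_MARKER = "login/login"  # login endpoint as named in the post above
THRESHOLD = 5                 # illustrative; the post speaks of thousands of attempts


def login_attempts_by_ip(lines):
    """Count POST requests to the login endpoint per client IP."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of failing
        if m["method"] == "POST" and LOGIN_MARKER in m["path"]:
            counts[m["ip"]] += 1
    return counts


def suspects(lines, threshold=THRESHOLD):
    """Return [(ip, attempts)] at or above threshold, busiest first."""
    counts = login_attempts_by_ip(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def _line(ip, method, path, minute):
    # Builds one constructed log line; documentation IP ranges only.
    return ('%s - - [19/Dec/2012:16:%02d:01 +0100] "%s %s HTTP/1.1" 200 512 "-" "-"'
            % (ip, minute, method, path))


# Constructed sample, not data from the thread.
SAMPLE = (
    [_line("203.0.113.7", "POST", "/index.php?login/login", i) for i in range(8)]
    + [_line("198.51.100.4", "POST", "/index.php?login/login", 30)]
    + [_line("198.51.100.4", "GET", "/index.php?login/login", 31)]
    + [_line("192.0.2.9", "GET", "/index.php?threads/hello.1/", 32)]
    + ["garbage line"]
)

if __name__ == "__main__":
    for ip, n in suspects(SAMPLE):
        print(f"{ip}\t{n} login POSTs")
```

The count covers every login POST, successful or not, so a high number from one address is a lead to compare against the IPs in the admin log rather than proof on its own.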
 

giorgino

Well-known member
Thanks to all :) Really

Some information about our structure.
We have three dedicated servers (one for HTTP access via nginx, one for MySQL and one for the mail server). We're running up to five XenForo sites, two vB sites and various WordPress blogs.

The problem concerns only one XF forum. All are on the latest versions.
These are the installed add ons:

Schermata 2012-12-19 alle 18.24.23.png

No panels on servers.

Thanks for help :)
 

Chris D

XenForo developer
Staff member
The Admin password that was hacked on XenForo, is it used anywhere else?

Just because the damage was caused to XenForo doesn't necessarily mean the password was extracted from there. If you use the same password on WordPress or vBulletin and that was somehow hacked. Are WordPress and vBulletin up to date?

Also, do you use any shared PCs? Is your own PC secure? Do you have active and up to date antivirus? Does a scan reveal you have any key logging software enabled?
 

Slavik

XenForo moderator
Staff member
Are they all up to date?
Would be nice if there was a way for the admin panel to show if there was a new version of your current addons.
The idea was suggested, and I even run it on XenTrader, however people shot it down cos they don't like callbacks.
 

Digital Doctor

Well-known member
people shot it down cos they don't like callbacks.
Where was the thread?


Some don't want callbacks.
Giving people control over the "amount and timing of callbacks" would be the ticket.
"Those People" could choose [2]

== Options ==
[1] daily, all addons
[2] never
[3] manually (as in this case). one click, the calling home does its bit, you are presented a list of out of date addons and links to download.
[4] only check when a security issue has been identified by xenforo.com
[5] insert calling back option here.
[6] .... etc.

As an ultra lazy admin, I'd like callingback. Probably would use negligible server resources.
 

giorgino

Well-known member
The Admin password that was hacked on XenForo, is it used anywhere else?
Yes. But I think something like a MySQL injection. I have two superadmin users. Me (Il Custode - user n. 2) and me (admin - user n. 1).
In the first attack it was "admin" that wrote to the ad_header template. So I have demoted admin to a normal user without administration privileges.
So the hacker/bot used my account, also changing my e-mail. To recover my password I had to change my e-mail directly from phpMyAdmin, overwriting the hacker's e-mail :confused:

All the sites are updated.

Also, do you use any shared PCs? Is your own PC secure? Do you have active and up to date antivirus? Does a scan reveal you have any key logging software enabled?
We use only Macs... with avast. No malware here...

Are they all up to date?
Would be nice if there was a way for the admin panel to show if there was a new version of your current addons.
Yes the addons are all updated :)
 