XenForo hacked

Status
Not open for further replies.

giorgino

Well-known member
Hi all. I'm in trouble with one of my boards.

The hacker modified my ad_header template with a malicious link.
In my admin log:


Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do? :(
 
You don't use Hostgator do you?
Had to laugh ;) ... but if it is an unmanaged server, you've got to really tighten security yourself

Yes. But I think it was something like a MySQL injection.
There are no known SQL injection exploits for XF, I take it this is just a guess... no evidence?

Can you send me your server access logs, I'll look through them... at least we can rule out a brute force of your admin account via the forum login
(I see that you only use QAs, so it would be easy to do)

Your access logs can be found here: http://xenforo.com/community/threads/my-forums-getting-lots-of-spam.35195/page-20#post-442155
 
Google the hacker email to find other people who were compromised.
He used my e-mail... info@.... I don't know how he changed the password with my e-mail...
My e-mail is forum@...

For clarification...
the admin use info@....
I use forum@....

When I demoted the admin to a non-administrator user, the hacker overwrote the password of my account (user n.2), also changing the e-mail from forum@.... to info@..... (I don't know why... both are my e-mail... :confused:)

This is our DB users list:

PHP version is 5.3.5 and MySQL 5.5.9-log
 
Had to laugh ;) ... but if it is an unmanaged server, you've got to really tighten security yourself


There are no known SQL injection exploits for XF, I take it this is just a guess... no evidence?

Can you send me your server access logs, I'll look through them... at least we can rule out a brute force of your admin account via the forum login
(I see that you only use QAs, so it would be easy to do)

Your access logs can be found here: http://xenforo.com/community/threads/my-forums-getting-lots-of-spam.35195/page-20#post-442155
Thank you tenants... I'll send you the log asap! :)
 
Hi
Can you send me your server access logs, I'll look through them... at least we can rule out a brute force of your admin account via the forum login

Looking in the access.log of the HTTP server, I've found some operations from the hacker's IP 92.49.155.80


Code:
92.49.155.80 - - [19/Dec/2012:14:25:52 +0100] "-" 400 0 "-" "-" "-"
 
92.49.155.80 - - [19/Dec/2012:15:21:00 +0100] "-" 400 0 "-" "-" "-"
 
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
 
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
 
92.49.155.80 - - [19/Dec/2012:20:58:09 +0100] "-" 400 0 "-" "-" "-"


but nothing more than this...
 
Hi


Code:
92.49.155.80 - - [19/Dec/2012:14:25:52 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:21:00 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:27:40 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:15:34:10 +0100] "-" 400 0 "-" "-" "-"
92.49.155.80 - - [19/Dec/2012:20:58:09 +0100] "-" 400 0 "-" "-" "-"

Yes you will see them, there might be some useful information here, so get all the data you can from this and save it, since some logs aren't always kept around for long (some 24 hours... save the server access log locally now if you can)

RU IP, and he's changed his IP address, I would almost always assume they are using a proxy, so go back as far as you can and look for an IP address that you may not have yet seen, hitting the same location thousands of times (if this is a brute force of the front end)

Do the same for your FTP logs (you have no CPanel, so we can rule that out)

How do you manage your server and access your database (phpMyAdmin or anything else)?... lots of known security issues with old versions of phpMyAdmin

Apache version?

Are you in contact with your host yet?
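As an added illustration of the log review tenants describes above (not code from the thread or from XenForo), this Python script parses lines in the same combined-log layout as the excerpt, counts POSTs per IP to the front-end login path and tallies the bare 400 responses per IP. The sample lines, the `/login/login` path and the threshold of 20 are assumptions.

```python
import re
from collections import Counter

# One combined-format access-log line, in the layout shown in the thread:
# ip - - [time] "request" status bytes "referer" "user-agent" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # A request of "-" (like the thread's 400 lines) carries no method or path.
    rec["method"] = parts[0] if len(parts) >= 2 else "-"
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else "-"
    rec["status"] = int(rec["status"])
    return rec

def find_login_bruteforce(lines, login_path="/login/login", threshold=20):
    """Count POSTs per IP to the front-end login; return (ip, count) pairs at or above threshold."""
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]] += 1
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]

def count_status_per_ip(lines, status=400):
    """Count responses with the given status per IP, e.g. the bare 400s quoted in the thread."""
    per_ip = Counter(rec["ip"] for rec in map(parse_line, lines)
                     if rec and rec["status"] == status)
    return dict(per_ip)

# Constructed sample lines (not real traffic) in the same layout as the thread's excerpt.
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Dec/2012:14:20:01 +0100] "GET /forums/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0" "-"',
    '92.49.155.80 - - [19/Dec/2012:14:25:52 +0100] "-" 400 0 "-" "-" "-"',
    '92.49.155.80 - - [19/Dec/2012:15:21:00 +0100] "-" 400 0 "-" "-" "-"',
] + [
    '198.51.100.7 - - [19/Dec/2012:15:%02d:%02d +0100] "POST /login/login HTTP/1.1" '
    '200 1204 "-" "python-requests/1.0" "-"' % (i // 60, i % 60) for i in range(25)
] + [
    '203.0.113.9 - - [19/Dec/2012:15:30:00 +0100] "POST /login/login HTTP/1.1" 303 0 "-" "Mozilla/5.0" "-"',
]
```

Point the functions at a full day's access log (one line per list element) and raise the threshold to whatever your legitimate login volume per IP looks like; a single IP far above it is the brute-force signature tenants is asking about.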
 
Do you know the entry point? If nginx is not properly configured it can let people upload images with PHP code and execute them.

Try creating a malformed image with PHP code at the top, then visit yoursite.com/image.gif/.php. If the code executes, then this is likely how you were hit.
 
Do you know the entry point? If nginx is not properly configured it can let people upload images with PHP code and execute them.
I don't think that nginx is the door...

Try creating a malformed image with PHP code at the top, then visit yoursite.com/image.gif/.php. If the code executes, then this is likely how you were hit.
Tried. Thank you for suggestion :)
 
You may or may not find this useful, but I don't use phpMyAdmin or any other script-based interface to manage my SQL databases and server. If it's a MySQL server, I use MySQL Workbench to do almost everything.
 
Update:

Seems that it wasn't a MySQL injection, but a login brute force. After changing the admin password, nothing more has happened...

In the meantime some .php files were injected with malicious code (another iframe with a call to 1.php in the root) and a file was added to the root: 1.php
 
Update:

Seems that it wasn't a MySQL injection, but a login brute force. After changing the admin password, nothing more has happened...

In the meantime some .php files were injected with malicious code (another iframe with a call to 1.php in the root) and a file was added to the root: 1.php


For reasons like this, some future version of XF needs to have a login limit.
 
login limit.

User locks

They are present on the ACP, but they need to be present on the forum login/login too
I still haven't seen any evidence that this was a brute force of the login page (nothing in the access logs)

But, when we know this is happening, I'll give this away for free: Login User Locks

Meh.. I'll give it away for free now (why wait for something serious to happen to everyone's forum)
 