XenForo hacked

Status
Not open for further replies.

giorgino

Well-known member
Hi all. I'm in trouble with one of my board.

The hacker modify my ad_header template with a malicious link
In my admin log:

Schermata 2012-12-19 alle 16.30.17.webp

Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do? :(
 
I have these two that match ....

where do I need to look to see if I have the same thing?
oh right, duh vVv.. Lol! Thanks! :) I only have like 2 or 3 of those listed installed on my forum. I did quick search on the one file, and didn't find that "injected code" or whatever.. I'll check other file lol
Don't be too worried about what add-ons are installed.

Do a File Health Check.

The contents of my xenforo.js have been modified. The code I pasted was added to the last two lines.

Your file should end in something like:

"XenForo.Disabler");c(function(){XenForo.Facebook.start();XenForo.init()})})(jQuery,this,document);
 
Don't be too worried about what add-ons are installed.

Do a File Health Check.

The contents of my xenforo.js have been modified. The code I pasted was added to the last two lines.

Your file should end in something like:

"XenForo.Disabler");c(function(){XenForo.Facebook.start();XenForo.init()})})(jQuery,this,document);

Oh, okay! Well I did file health check, and tons were listed though. Of course... at first i thought, (and of course you can't point fingers and accuse someone without facts), is a resource that deals with JS files, and first one popped to head was FixTiny. But that author is legit/trusted, and I have that installed too and didn't find that injected code in the files... So, do those matching ones, involve JS file edits/overwrites at all...Doing comparisons might help, and lead the investigation to a quicker resolve though. I'll recheck again though! Just never know these days... sigh.
 
Out of the add-ons you and Chris share the same, that I have

[bd] Widget Framework
Custom BBCode Manager

I don't have anything.

Checked the files you listed here: http://xenforo.com/community/threads/xenforo-hacked.42334/page-3#post-466445

I don't have same results.

The files I have shown in the File Health Check are ones I know I have edited myself...

Are you saying your JS files were edited and those 2 addons are the only ones you share with Chris and giorgino?
 
Are you saying your JS files were edited and those 2 addons are the only ones you share with Chris and giorgino?

No, I'm sorry... not sure if that is how it read..

Those two files shown above don't show in my File Health Check. I have tons of add-ons installed too...
 
This is not a new exploit, it seems to be on many blogs / cms... malware

I belive that bit of code is realted to a javascript unpacker like this:
http://jsunpack.jeek.org/?report=f4992bf7ffd7f56a502bc639b5a7c0e6d9ca0b68
(I love the way "security research" makes it's way out to the public... wasn't paros also supposed to be as security research tool... and many of the others)

Many of the sites that have this piece of code also have the blackhole-exploit (AVG picks this up for many sites)
http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit-detection/

The blackhole exploit kit, looks for security holes (this is suggesting that it's security holes with the server not the XenForo software... but thats not definate)

This might be a red herring , but javascript unpackers are not new (how they got there is more interesting right now)
http://forum.opencart.com/viewtopic.php?f=20&t=92666
http://stackoverflow.com/questions/13530576/how-do-i-write-a-php-script-to-clean-this-code-out
http://forum.bytesforall.com/showthread.php?t=18992
http://stackoverflow. com/questions/14348080/javascript-injected-into-site-hack (dont click this link)
http://blogengine.codeplex.com/workitem/12173


It's definitely worth doing a thorough scan for malware on both servers
 
  • Like
Reactions: vVv
Thinking about it again, the JS files might not even be "over written" when you upload the resource's files, but the "injection" happens after the XML file is installed, and who knows if the resource has other parts that work along side the XML file either, that work as a "team" once it's fully installed. Then the injection takes place. Like plain old C4 explosives won't just go off, if punching it or whatever, but add a way to detonate it.. and poof.

Check resource ZIPs here, is what I use sometimes: https://www.virustotal.com/
upload the ZIP of resource, it checks against like 50 or whatever virus checking sites at once..
 
I actually checked the URL's of quite a few sites I know that have been heavily modified (by seeing them post Q's, posting them in showcase, etc...) and only one comes up with any malware so far.
 
I actually checked the URL's of quite a few sites I know that have been heavily modified (by seeing them post Q's, posting them in showcase, etc...) and only one comes up with any malware so far.

I've found about 30 sites (there are a lot more), all using the javascrript unpacker exploit (which I belive that bit of code is) many with the blackhole malware (4 posts up)
 
Status
Not open for further replies.
Back
Top Bottom