XenForo hacked

[giorgino]

Hi all. I'm in trouble with one of my board.

The hacker modify my ad_header template with a malicious link
In my admin log:

array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do?

 

[MistyMeanor]

I have found a user on my forum that I had signed up on Friday but did not enter anything but jibber jabber on my registration questions regarding type of disability, if they would provide fb page or photo, etc. I manually approve all users. I had denied his registration as well on Friday... Friday evening the hacking started. The IP addy is from Russia. I went through the server log... there are hundreds of the sqli errors logged starting Friday evening. It's all been downhill since. The username was ShadowFax which I googled and just found it was related to a fictional horse from Lord of the Rings. LOL! -- at least I can say I kind of like playing a sleuth!

 

[Alpha1]

@MistyMeanor Please describe why you think your website is hacked. From what you describe it seems you have some mysqli errors to resolve, but no hacking. But maybe I am missing something. It also seems that you have vbulletin files mixed with xenforo files.

 

[Paul B]

See the other thread: http://xenforo.com/community/threads/unknown-column-forum-node_id-in-where-clause.55726/

It seems someone gained access to the server/database and maliciously deleted some data: http://xenforo.com/community/thread...e_id-in-where-clause.55726/page-2#post-594975

 

[Alpha1]

Thanks that thread gives a lot more information.

 

[Chris D]

I would argue that conversation about the current situation of @MistyMeanor should continue in the original thread, with maybe this one being locked.

Just simply because there is no link between the two incidents and this thread now only serves to cause confusion (and potentially panic, going by the thread title).

 

[Paul B]

Indeed.

Cross posting just causes more work for those trying to help and confusion.