XenForo hacked

Status
Not open for further replies.

giorgino

Well-known member
Hi all. I'm in trouble with one of my boards.

The hacker modified my ad_header template with a malicious link.
In my admin log:

(Screenshot attachment: Schermata 2012-12-19 alle 16.30.17.webp)

Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do? :(
 
Indeed, the version of XenForo being used is very important. In addition to that, can you also tell us what mods you have installed and whether you made any changes to your forum prior to getting hacked?
 
This time the admin password has been changed... it could still be any level of attack.

While you can, check your server access logs for those IP addresses (and for any brute force attempts on the front end forum; this will be index.php?login/login). These attempts are usually fairly obvious (thousands of attempts on the same location, usually from the same IP address).
... Ask your host if they can check for any brute force attempts against cPanel/FTP (and list all the IP addresses that have accessed cPanel/FTP).

What do you have in place to prevent brute force attacks against cPanel/FTP, and do you have strong passwords on them (also, do you have a strong password on the forum admin account)?

Are you on a managed server?
And yes, is this pre-1.1.3 XF (since there is a known security issue that was fixed, see here)? In which case, upgrade.
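One way to do the access-log check suggested above, as an added example that is not part of the thread: it assumes nginx's default combined log format (the server mentioned later in the thread) and the XenForo login URLs index.php?login/login and admin.php?login/login; the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: nginx "combined" log format (ip, user, time, request, status, bytes, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# XenForo front-end login POST and admin login POST (assumed URL forms).
LOGIN_PATHS = ("/index.php?login/login", "/admin.php?login/login")

# Constructed sample: 12 login POSTs from one IP in one minute, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2012:16:30:%02d +0100] "POST /index.php?login/login HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"' % s
    for s in range(0, 60, 5)
] + [
    '198.51.100.2 - - [19/Dec/2012:16:31:00 +0100] "POST /index.php?login/login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [19/Dec/2012:16:32:10 +0100] "GET /index.php?forums/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforce(lines, threshold=5, window_minutes=10):
    """Return {ip: total login POSTs} for every IP that sends more than
    `threshold` login POSTs inside any `window_minutes` span (sliding window)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```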
 
Thanks to all :) Really.

Some information about our structure.
We've three dedicated servers (one for HTTP access via nginx, one for MySQL and one for the mail server). We're running up to five XenForo sites, two vB sites and various WordPress blogs.

The problem regards only one XF forum. All are the latest versions.
These are the installed add-ons:

(Screenshot attachment: Schermata 2012-12-19 alle 18.24.23.webp)

No panels on servers.

Thanks for the help :)
 
The Admin password that was hacked on XenForo, is it used anywhere else?

Just because the damage was caused to XenForo doesn't necessarily mean the password was extracted from there. If you use the same password on WordPress or vBulletin, that may be what was somehow hacked. Are WordPress and vBulletin up to date?

Also, do you use any shared PCs? Is your own PC secure? Do you have active and up to date antivirus? Does a scan reveal you have any key logging software enabled?
 
People shot it down because they don't like callbacks.
Where was the thread?


Some don't want callbacks.
Giving people control over the "amount and timing of callbacks" would be the ticket.
"Those people" could choose [2].

== Options ==
[1] daily, all add-ons
[2] never
[3] manually (as in this case): one click, the calling home does its bit, and you are presented with a list of out-of-date add-ons and links to download.
[4] only check when a security issue has been identified by xenforo.com
[5] insert calling back option here.
[6] .... etc.

As an ultra lazy admin, I'd like calling back. It would probably use negligible server resources.
 
The Admin password that was hacked on XenForo, is it used anywhere else?

Yes. But I think it was something like a MySQL injection. I have two superadmin users: me (Il Custode - user no. 2) and me (admin - user no. 1).
In the first attack it was "admin" that wrote in the ad_header template, so I demoted admin to a normal user without administration privileges.
So the hacker/bot used my account, changing my e-mail too. To recover my password I had to change my e-mail directly from phpMyAdmin, overwriting the hacker's e-mail :confused:

All the sites are updated.

Also, do you use any shared PCs? Is your own PC secure? Do you have active and up to date antivirus? Does a scan reveal you have any key logging software enabled?
We use only Macs... with Avast. No malware here...

Are they all up to date?
It would be nice if there was a way for the admin panel to show if there was a new version of your current add-ons.
Yes, the add-ons are all updated :)
 