
XF 1.4 Xenforo Shell found

Discussion in 'XenForo Questions and Support' started by Console Crunch, Jan 22, 2015.

  1. Hello,

    I have found a shell in this directory, called Controller.php

    internal_data/attachments/0/Controller.php

    How has it been added? Only my IP has access to my FTP, to avoid possible hackers.

    This file does not exist in my last backup, so it is recent.

    I just deleted all the allowed extensions in the Attachments options.
     
  2. HWS

    HWS Well-Known Member

    Looks like a hack attempt.

    Won't be successful, because /internal_data cannot be accessed from outside (if you set up XenForo correctly).

    I recommend taking your server offline and checking it completely for any trojans and backdoors.

    How you set up your FTP is not very important for hackers trying to access your server.
     

  3. How did they upload it?
     
  4. HWS

    HWS Well-Known Member

    I don't know your server, but most hackers get access through old software, either in your web directory or on your server. They do not need FTP for upload.

    I recommend asking your server administrator (if you use a VPS or your own server) or hosting provider.
     
  5. Mike

    Mike XenForo Developer Staff Member

    You may want to look through your access logs to see if that file was accessed (or if access was attempted). That might also give you some information on how they managed to get the file there (an earlier request by them, perhaps).

    This is not a file that would have been created via XenForo. I assume that the files created by your web server have a different owner than your core XenForo files. If so, then you can check the ownership of this file to see if it was created by the web server; if so, the file was likely created by a vulnerability somewhere; if not (and other XenForo-created files are), then it would have been done via something like FTP.

    Bear in mind that the vector could also be any application installed on the server. If you're on a shared server, it may even be that the issue was from another site on the server.
     
    HWS likes this.
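
The two checks Mike describes (who requested the file and what that client requested beforehand, and whether the file is owned by the web server account), as an added example that is not part of the thread or any poster's code. The log lines, IP addresses and the `/old-app/` path are constructed samples, and the function names are hypothetical.

```python
import os
import re
from collections import defaultdict

# Constructed sample in Apache/nginx "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2015:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jan/2015:10:02:40 +0000] "POST /old-app/index.php HTTP/1.1" 200 312 "-" "curl/7.38"
203.0.113.7 - - [21/Jan/2015:10:03:05 +0000] "GET /threads/welcome.1/ HTTP/1.1" 200 8301 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jan/2015:10:04:18 +0000] "GET /internal_data/attachments/0/Controller.php HTTP/1.1" 403 199 "-" "curl/7.38"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def trace_file_access(log_text, suspect_path):
    """Map each client that requested suspect_path to its hits and earlier requests."""
    history = defaultdict(list)   # every parsed request so far, per client IP
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, when, method, url, status = m.groups()
        entry = (when, method, url, int(status))
        if url.split("?", 1)[0].endswith(suspect_path):
            # setdefault stores the snapshot of earlier requests on the first hit only.
            rec = report.setdefault(ip, {"hits": [], "earlier": list(history[ip])})
            rec["hits"].append(entry)
        history[ip].append(entry)
    return report


def creator_hint(path, web_server_uid):
    """Ownership check: did the web server account create this file?"""
    if os.stat(path).st_uid == web_server_uid:
        return "web-server"       # likely written through a web-side vulnerability
    return "other-account"        # e.g. an FTP or shell login


if __name__ == "__main__":
    found = trace_file_access(SAMPLE_LOG, "internal_data/attachments/0/Controller.php")
    for ip, rec in found.items():
        print(ip, "hits:", rec["hits"], "earlier:", rec["earlier"])
```

Preserve the suspect file's ownership and timestamps (copy it aside with metadata intact) before deleting it, otherwise the ownership check has nothing to examine.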
