Xenforo site threatened by hackers "you'll be destroyed at all costs." What do you do?

N

Ntown

Well-known member
Long story short, an angry individual (after a good deal of back and forth via email) is claiming he's determined to destroy our WordPress/Xenforo site and will pay hackers to do so.

Real smart, warn your enemy you're going to attack, I know. But, regardless, some of the language he's using gives me an uneasy feeling that this might be more than a bluff.

If today you received what you assumed was a legit threat that someone was determined to destroy your site, what would you do?

What I've done (and it feels extremely minimal):
a.) A full site backup via cPanel, left on server and copied to local hard drive and cloud
b.) Checked Cloudflare firewall rules are in place
c.) Confirmed server software and Wordpress/Xenforo fully updated from top-to-bottom

Other than that, I'm just kind of watching Cloudflare stats to see any unusual activity.

I'm sitting here thinking how powerless I feel. Do I just rely on Cloudflare to catch it, or what?

I only have four WAF rules in place, leaving me one available. Any ideas for that?
 
Contact their ISP and let them know, you could also warn your hosting provider of a potential attack on your website (if you have the emails, show your host as well as this 'attacker's' ISP. While also doing the suggested above. :-)
 
Automating your site backups, both within CPanel and do something separate from the command-line, would be a start. Have at least two different backups automatically run at least once per day.

Update your CSF configuration to catch invalid login attempts. Easy for Wordpress, and can be done for XF.

It wouldn't hurt to plan a recovery strategy. Like if you were taken offline, could you bring your site back up on your own or who would you engage/pay to do it and what would you need to provide.

Hope this helps,
 
motowebmaster said:
Automating your site backups, both within CPanel and do something separate from the command-line, would be a start. Have at least two different backups automatically run at least once per day.

Update your CSF configuration to catch invalid login attempts. Easy for Wordpress, and can be done for XF.

It wouldn't hurt to plan a recovery strategy. Like if you were taken offline, could you bring your site back up on your own or who would you engage/pay to do it and what would you need to provide.

Hope this helps,
Click to expand...
Good stuff. I configure the LFD on CSF to block any root login failures after the first attempt. So far I haven't blocked myself. :p

In Cloudflare I have wp-login.php blocked and only myself whitelisted for WP and xf admin.
 
M@rc said:
I also never reply to the emails.
Click to expand...
100% agree. This guy sent an initial email saying I had ripped him off and i responded because the site sells an autopart globally. The conversation quickly descended into his ignorant threats. A lawyer taught me long ago that the first rule of dealing with a threat is to not respond.
 
I agree about having a backup strategy. We do database dumps at 3am and 3pm, and I have a script that runs 10 minutes after to download them from the ISP to a local computer. These go into a rotation of 14 generations (7 days), and are also stored in a secure place on the server. The ISP does daily backups of their own, as well as jetbackup (off site).

Once per day, I have a script that TARs up the physical files (non DB) of my two Xenforo forums. A remote script downloads that tar, which goes into a 7 day rotation.

First and 15th of the month backups get saved for a year.

Over the years, I've experienced two major outages. One when an ISP had a devastating loss of their data and backups, and the other on 9/11 when one of the WTC towers fell on my provider's building. (which also lost it's data connection for weeks) No one was injured, thankfully. Because of these things, I do my own off-site backups. In such an emergency, we can be moved and up in a couple hours - at a new home.

This is how I do it, but there are probably better ways.

I think that "script kiddie" is bluffing. Ignoring a petulant child is probably the best solution, imo :)
 
M@rc said:
They're either really stupid or it's just a bluff.
Click to expand...
Agreed. It's a typical response like we see with the "I was suspended so I'm going to destroy all the things" tantrums that some members send us.

Same bluff as threatening to sue us. Even if they are dumb enough to try to file a lawsuit, proving actual damages in court is decidedly not in their favor.

We still have contingency plans in place in case this stupidity does rear its head but, after running several forums and running a few that were founded anywhere from 18 to 24 years ago, we have yet to ever see a problem.

Rhody said:
I agree about having a backup strategy. We do database dumps at 3am and 3pm, and I have a script that runs 10 minutes after to download them from the ISP to a local computer. These go into a rotation of 14 generations (7 days), and are also stored in a secure place on the server. The ISP does daily backups of their own, as well as jetbackup (off site).
Click to expand...
Similar here. On the bulk of my sites, I rotate a week's worth of full backups, including database dumps. They are stored cross-server (I use three servers--one for Apache/PHP, one for database, one for Elasticsearch), where the backups are stored on each other, plus they are mirrored to a cloud storage account elsewhere (and with a couple of clicks, they're available on my computer here at home). At one of my hosts, I can make an image snapshot and deploy it instantly if needed. The other host I use makes their own backups as well.

At the very worst case, any forum issue would lose only a day's worth of data. Most likely, less than a day's worth, given the frequency of backups.

I've been in this way too long to rely on "I will make a backup of my server, one day." 😉 And the worst "breach" I've ever had were some script kiddiez who got in and defaced phpBB back in the mid 2000s. (That software was a steaming turd, full of security holes, so in a way I could say I deserved it. 😕)
 
MattW said:
If you have the ability to, depending on who provides your server, firewall ALL traffic off to only allow connections originating from Cloudflare, or your own IP to allow remote access to the server.
Click to expand...
That might make for a good tutorial. I have an idea of how I'd do it, and I already have all of Cloudflare's IP address ranges stored in an ipset list for my firewall (which makes fail2ban happy). In fact, now that I look at it, I could probably delete the two rules for ports 80 and 443 and just leave my Cloudflare rule in place. Maybe I'll test that in a bit.

I'm lucky, too, in that having split the Apache/PHP, MariaDB and Elasticsearch processes onto three separate servers, the database and search will respond only to my home/office IP addresses and a local 10.0.0.0/8 address within the host's own network.
 
You must log in or register to reply here.
Back
Top Bottom