XenForo hacked


giorgino

Well-known member
Hi all. I'm in trouble with one of my boards.

The hacker modified my ad_header template with a malicious link. In my admin log:

(attached screenshot: Schermata 2012-12-19 alle 16.30.17.webp)

Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do? :(
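The admin log above records an edit to the ad_header template, which is exactly the kind of place an attacker hides an injected link or script tag. A quick way to spot such an edit without reading every template by hand is to pull every remote reference (script, iframe, link, anchor, form targets) out of the template source and flag any host that is not on a list of expected ad/CDN hosts. The script below is an added example written for this thread, not XenForo code; the allowlist, the template sample and the injected host (injected-host.example) are constructed, and the benign template is the one quoted in the admin log.

```python
"""Flag external resource references in a XenForo template that point outside an allowlist.
Added example for this thread; allowlist and sample templates are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that can load a remote resource or send the visitor elsewhere.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "img": ("src",), "a": ("href",),
    "link": ("href",), "object": ("data",), "embed": ("src",), "form": ("action",),
}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute seen."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, name, value.strip()))


def external_refs(template_html):
    parser = _RefCollector()
    parser.feed(template_html)
    return parser.refs


def host_of(url):
    """Hostname of a URL; protocol-relative '//host/x' (common in ad code) is handled."""
    if url.startswith("//"):
        url = "http:" + url
    return urlparse(url).hostname or ""


def suspicious_refs(template_html, allowed_hosts):
    """Return references whose host is neither an allowed host nor a subdomain of one.
    Relative references (no host) are local to the forum and are not reported."""
    findings = []
    for tag, attr, value in external_refs(template_html):
        host = host_of(value)
        if not host:
            continue
        if host in allowed_hosts or any(host.endswith("." + a) for a in allowed_hosts):
            continue
        findings.append({"tag": tag, "attr": attr, "url": value, "host": host})
    return findings


# Constructed allowlist: hosts the ad_header template is expected to reference.
ALLOWED_HOSTS = {"googletagservices.com", "doubleclick.net"}

# The benign ad_header template as quoted in the admin log (no external src at all).
CLEAN_TEMPLATE = """<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
</div>
<!-- Fine Banner Testata 728x90 -->"""

# Constructed "after" version: same template with one foreign script tag appended.
INJECTED_TEMPLATE = CLEAN_TEMPLATE + "\n<script src='//injected-host.example/ad.js'></script>"


if __name__ == "__main__":
    for label, tpl in (("clean", CLEAN_TEMPLATE), ("injected", INJECTED_TEMPLATE)):
        print(label, suspicious_refs(tpl, ALLOWED_HOSTS))
```

Run it against the current contents of every template that carries ads or footer HTML (ad_header, ad_footer, page_container and so on); a hit for a host you do not recognise is the template to restore and the point in the admin log to investigate.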
 
No one needs to worry about any add-ons right now.

Do a file health check. Also do a scan here: http://sitecheck.sucuri.net/scanner/

This is what you do not want to see: http://sitecheck.sucuri.net/results/www.valvetime.net

And this is the info on the malware, apparently: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v49


Quite an old version of PHP running the site, Chris.

Scan for: http://www.valvetime.net
Hostname: www.valvetime.net
IP address: 176.56.63.84

System Details:
Running on: nginx/0.8.55
Powered by: PHP/5.3.3

http://www.cvedetails.com/vulnerabi...8/version_id-97802/opbyp-1/PHP-PHP-5.3.3.html
 
I have had the same exact issues, been hacked twice in less than 24hrs. I noticed "json" at the end of some of the admin logs. All pw's have been changed going down to the server, php, sql, etc. All add ons have been disabled for now. :(

So I have seen a ton of back and forth discussion and thoughts on this... but does anyone know really the source of entry? How is one supposed to know it's their web host, an add on, or another way? I am about to go NUTS over this. I can't check into SSH access because I have to call to validate my account, and today they are closed. I mean seriously, this seems to be a pretty significant problem affecting a lot of people. I never had this happen with vBulletin ever!
 
The JSON stuff is nothing to worry about, it's simply AJAX working within your forum. Did you try running a health check in ACP?

This really isn't a xF issue, these vulnerabilities are caused by insecure hosts and not the xenForo software. Super big hosts allow far too many things in PHP settings to accommodate 1,000's of scripts to work on their servers.
 
Oh ok...whew!! But still... I am in the middle of reading all of the thread related to "BluePrint4Love" and all her problems. That is how mine started, as just SQLi errors, and I thought it was an add on issue. Then I got hacked twice, and I just looked from today under my IP addresses and there was one from the Netherlands... I banned that IP. I am just waiting to get hit again... just like her. Every time she thought it was over and fixed, the people kept getting in. All add-ons are disabled right now in case it is "injecting" or whatever.
 
The JSON stuff is nothing to worry about, it's simply AJAX working within your forum. Did you try running a health check in ACP?

This really isn't a xF issue, these vulnerabilities are caused by insecure hosts and not the xenForo software. Super big hosts allow far too many things in PHP settings to accommodate 1,000's of scripts to work on their servers.

Yes, I know health check was done, and all was fine. So let me ask this: how is one to KNOW that a particular host is secure??? I have used many a web host over the last 15 years and I have never had this problem. The cheapy shared servers and all. If your passwords are SUPER STRONG throughout your web server, phpMyAdmin, FTP, all the way up to the admin password... then how the hell are they getting in?
 
Yes, I know health check was done, and all was fine. So let me ask this: how is one to KNOW that a particular host is secure??? I have used many a web host over the last 15 years and I have never had this problem. The cheapy shared servers and all. If your passwords are SUPER STRONG throughout your web server, phpMyAdmin, FTP, all the way up to the admin password... then how the hell are they getting in?

Did you run the health check yourself? Did you check all your folder and file dates to assure no files were replaced after this happened, i.e. the altered files swapped for files that would again pass a health check? Do the health check yourself if you haven't; don't take someone else's word for it, considering you don't know yet how this happened.

As for strong passwords, they are great to have and should be changed often. Personally, before I update any password I first rescan my computer for malware/viruses/key loggers. In the event of an injection though, passwords don't matter, as entry is gained through a security hole via the injection.
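The advice above amounts to a file integrity check: know what every file hashed to before the incident, then list what was added, removed or changed since, and separately list everything whose modification time falls after the suspected entry time (an attacker who re-uploads a clean core file to pass the health check still leaves a fresh mtime). The script below is an added example written for this thread, not part of XenForo's own File Health Check; it builds a hash manifest of a directory tree, diffs it against a baseline, and runs itself against a constructed throwaway tree with fixed, constructed timestamps so the result does not depend on the filesystem clock.

```python
"""Baseline-versus-current file integrity check for a web root.
Added example for this thread; the demo tree, file contents and timestamps are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {'sha256', 'mtime'} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "mtime": p.stat().st_mtime,
            }
    return manifest


def compare_manifests(baseline, current, incident_ts=None):
    """Diff two manifests; optionally list files whose mtime is at or after incident_ts."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
        "touched_since_incident": sorted(
            p for p in cur_paths
            if incident_ts is not None and current[p]["mtime"] >= incident_ts
        ),
    }


def demo():
    """Constructed scenario: clean tree, then one file altered and one dropped in."""
    before_ts = 1_355_000_000   # constructed: 'pre-incident' timestamp
    incident_ts = 1_355_900_000  # constructed: suspected time of entry
    after_ts = 1_355_950_000    # constructed: attacker activity

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "library").mkdir()
        files = {
            "index.php": "<?php // original index\n",
            "library/config.php": "<?php $config = array();\n",
        }
        for rel, body in files.items():
            path = root / rel
            path.write_text(body)
            os.utime(path, (before_ts, before_ts))
        baseline = build_manifest(root)

        # Simulated tampering: append to a core file, drop a new file into library/.
        tampered = root / "index.php"
        tampered.write_text(files["index.php"] + "// unexpected appended line\n")
        os.utime(tampered, (after_ts, after_ts))
        dropped = root / "library" / ".cache.php"
        dropped.write_text("<?php // constructed unexpected file\n")
        os.utime(dropped, (after_ts, after_ts))

        current = build_manifest(root)
        return compare_manifests(baseline, current, incident_ts)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice you would save build_manifest() output from a known-good install (or right after restoring from a clean backup) and re-run the comparison against the live web root after each incident; files in "touched_since_incident" that are not also in "modified" or "added" are the ones to look at most closely, because their content matches the baseline even though something wrote them recently.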
 
Oh ok...whew!! But still... I am in the middle of reading all of the thread related to "BluePrint4Love" and all her problems. That is how mine started, as just SQLi errors, and I thought it was an add on issue. Then I got hacked twice, and I just looked from today under my IP addresses and there was one from the Netherlands... I banned that IP. I am just waiting to get hit again... just like her. Every time she thought it was over and fixed, the people kept getting in. All add-ons are disabled right now in case it is "injecting" or whatever.
What exactly is the error log that you get? It might help us to help you out if you provide more detailed information about the errors.
 
An exception occurred: Mysqli prepare error: Unknown column 'forum.node_id' in 'on clause' in /home3/nomuscle/public_html/community/library/Zend/Db/Statement/Mysqli.php on line 77

Zend_Db_Statement_Mysqli->_prepare() in Zend/Db/Statement.php at line 115
Zend_Db_Statement->__construct() in Zend/Db/Adapter/Mysqli.php at line 381
Zend_Db_Adapter_Mysqli->prepare() in Zend/Db/Adapter/Abstract.php at line 478
Zend_Db_Adapter_Abstract->query() in Zend/Db/Adapter/Abstract.php at line 825
Zend_Db_Adapter_Abstract->fetchOne() in UnreadPostCount/Model/Unread.php at line 31
UnreadPostCount_Model_Unread->getUnreadPostCount() in UnreadPostCount/Listener.php at line 20
UnreadPostCount_Listener::templateHook() in XenForo/CodeEvent.php at line 58
XenForo_CodeEvent::fire() in XenForo/Template/Abstract.php at line 285
XenForo_Template_Abstract->callTemplateHook() in XenForo/Template/Abstract.php(265) : eval()'d code at line 2520
eval() in XenForo/Template/Abstract.php at line 265
XenForo_Template_Abstract->_renderInternal() in XenForo/Template/Abstract.php at line 191
XenForo_Template_Abstract->render() in XenForo/Template/Public.php at line 110
XenForo_Template_Public->render() in XenForo/ViewRenderer/HtmlPublic.php at line 135
XenForo_ViewRenderer_HtmlPublic->renderContainer() in XenForo/FrontController.php at line 604
XenForo_FrontController->renderView() in XenForo/FrontController.php at line 158
XenForo_FrontController->run() in /home3/nomuscle/public_html/community/index.php at line 13

This is how it started... about 4 days ago... thought it was "nodes as tabs by Jake" add on at first, when another gentleman here was comparing the same error. But I think this was just the beginning of this hacker gaining access to things.
 
I am getting kind of afraid to post here, because it seems this person is watching my posts.

If you are read this: I AM A DISABLED YOUNG LADY THAT IS VERY DETERMINED! STOP HACKING MY SITE AND FIND SOMETHING BETTER TO DO WITH YOUR TIME!
 
I have seen this error somewhere on this forum. By looking at this information, I could not tell you whether your forum was hacked or not. But sometimes an addon might make a mistake by dropping your column/table on installation or uninstallation. So as the first step, recover your database, then you should check your addons. Do not install/uninstall any addon at this time.
 
What does "blacklist check" mean? for the address from the netherlands, I clicked on blacklist check and it pulled up a ton of DNS'

The Netherlands IP addy was June 20, and this is when I feel like the hacker initially got in. I am just speculating though.
 
Another thing you need to check is your hosting. If you are on a shared hosting, you should check with your host provider to check for local attack.
 
I have seen this error somewhere on this forum. By looking at this information, I could not tell you whether your forum was hacked or not. But sometimes an addon might make a mistake by dropping your column/table on installation or uninstallation. So as the first step, recover your database, then you should check your addons. Do not install/uninstall any addon at this time.

Yes, it was on the thread with the other lady here that kept getting hacked. It's how hers started. It was also talked about in another recent thread that was made by me asking about it. Yes, we did initially think this was an add on issue like I stated. Another man was getting the same error and we compared add ons, and with the timing of when it started we thought it was the "Nodes as Tabs by Jake" add on we had just added. Another man had the same add on. But, the day that seemed to get fixed when that add on was deactivated, the hacking started. So now, I don't believe that was from the add on... other than sheer coincidence in timing of how this all went down. All add ons are deactivated for now...
 
Another thing you need to check is your hosting. If you are on a shared hosting, you should check with your host provider to check for local attack.
Done that as well. They claim no issues shown anywhere on the server end. The only thing they could tell was that the site was accessed roughly 6am this morning.
 
Yes, it was on the thread with the other lady here that kept getting hacked. It's how hers started. It was also talked about in another recent thread that was made by me asking about it. Yes, we did initially think this was an add on issue like I stated. Another man was getting the same error and we compared add ons, and with the timing of when it started we thought it was the "Nodes as Tabs by Jake" add on we had just added. Another man had the same add on. But, the day that seemed to get fixed when that add on was deactivated, the hacking started. So now, I don't believe that was from the add on... other than sheer coincidence in timing of how this all went down. All add ons are deactivated for now...
So even with all addons disabled and the table recovered, after a while you still get it?
Done that as well. They claim no issues shown anywhere on the server end. The only thing they could tell was that the site was accessed roughly 6am this morning.
Sometimes they do not have enough data to determine that. I suggest you move to a VPS (even a cheap one; DigitalOcean.com as an example starts at $5 per month). Shared hosting is not a good place to store your important things.
 
So even with all addons disabled and the table recovered, after a while you still get it?

We are waiting to see if I get hacked again now that all the add ons are disabled. But no, the error doesn't happen anymore; now it's just straight up the forum being hacked by someone. Wasn't real sure what you meant here.

Sometimes they do not have enough data to determine that. I suggest you move to a VPS (even a cheap one; DigitalOcean.com as an example starts at $5 per month). Shared hosting is not a good place to store your important things.

The lady this happened to as well (started as SQLI errors then she started being hacked) was on a VPS. She was told that because she wasn't very tech savvy (just like myself) to not move in to another VPS because most of the time they want the owner to manage it all themselves. Hers was managed for her, however they were not doing the best job in managing it.
 