XenForo hacked


giorgino

Well-known member
Hi all. I'm in trouble with one of my boards.

The hacker modified my ad_header template with a malicious link.
In my admin log:


Code:
array(12) {
  ["titleArray"] => array(1) {
    [537] => string(9) "ad_header"
  }
  ["styleidArray"] => array(1) {
    [537] => string(1) "2"
  }
  ["templateArray"] => array(1) {
    [537] => string(356) "<!-- Inizio Banner Testata 728x90 -->
<div class="ad_header">
 
<!-- immobilio_728:90_header -->
<div id='div-gpt-ad-1338486582932-2' style='width:728px; height:90px;'>
<script type='text/javascript'>
googletag.cmd.push(function() { googletag.display('div-gpt-ad-1338486582932-2'); });
</script>
</div>
 
</div>
<!-- Fine Banner Testata 728x90 -->"
  }
  ["addon_id"] => string(7) "XenForo"
  ["style_id"] => string(1) "2"
  ["template_id"] => string(3) "537"
  ["title_original"] => string(9) "ad_header"
  ["includeTitles"] => array(3) {
    [1] => string(13) "ad_header.css"
    [2] => string(9) "ad_header"
    [3] => string(13) "ad_header.css"
  }
  ["_TemplateEditorAjax"] => string(1) "1"
  ["_xfRequestUri"] => string(50) "/admin.php?templates/ad_header.537/edit&style_id=2"
  ["_xfNoRedirect"] => string(1) "1"
  ["_xfResponseType"] => string(4) "json"
}

What can I do? :(
 
I have these two that match ....

Where do I need to look to see if I have the same thing?
Oh right, duh vVv.. Lol! Thanks! :) I only have like 2 or 3 of those listed installed on my forum. I did a quick search on the one file, and didn't find that "injected code" or whatever.. I'll check the other file lol
Don't be too worried about what add-ons are installed.

Do a File Health Check.

The contents of my xenforo.js have been modified. The code I pasted was added to the last two lines.

Your file should end in something like:

"XenForo.Disabler");c(function(){XenForo.Facebook.start();XenForo.init()})})(jQuery,this,document);
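A way to automate the two checks this post describes, as an added example that is not XenForo's File Health Check or any code from the thread: it hashes a live tree against a clean reference copy of the same version, and confirms xenforo.js still ends with the tail quoted above. The reference-copy location, the output format and the appended-code case are assumptions.

```shell
#!/bin/sh
# Added example (not XenForo's own File Health Check): compare a live
# XenForo tree against a clean reference copy of the same version, then
# confirm js/xenforo/xenforo.js still ends with the tail quoted above.
# XENFORO_JS_TAIL comes from the thread; everything else is constructed.

XENFORO_JS_TAIL='"XenForo.Disabler");c(function(){XenForo.Facebook.start();XenForo.init()})})(jQuery,this,document);'

# check_tree REF LIVE: print MODIFIED/MISSING/ADDED lines for every
# difference; return 1 if anything differs, 0 if the live tree is clean.
check_tree() {
    ref="$1"; live="$2"; dirty=0
    reflist=$(mktemp); livelist=$(mktemp)
    (cd "$ref" && find . -type f) | sort > "$reflist"
    (cd "$live" && find . -type f) | sort > "$livelist"
    while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"; dirty=1
        elif [ "$(sha256sum < "$ref/$f")" != "$(sha256sum < "$live/$f")" ]; then
            echo "MODIFIED $f"; dirty=1
        fi
    done < "$reflist"
    # Files present only in the live tree deserve a look as well.
    added=$(comm -13 "$reflist" "$livelist")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED /'; dirty=1
    fi
    rm -f "$reflist" "$livelist"
    return "$dirty"
}

# check_tail FILE: succeed only if FILE's last bytes (ignoring a trailing
# newline) are the expected minified closing call; anything appended after
# it, as in the thread, makes the check fail.
check_tail() {
    file="$1"
    actual=$(tail -c $(( ${#XENFORO_JS_TAIL} + 2 )) "$file" | tr -d '\r\n')
    case "$actual" in
        *"$XENFORO_JS_TAIL") return 0 ;;
    esac
    return 1
}

# Usage (paths are assumptions):
#   check_tree /path/to/clean-xenforo /var/www/forum
#   check_tail /var/www/forum/js/xenforo/xenforo.js
```

Run it against a freshly unpacked copy of the same XenForo version; files you edited yourself will show as MODIFIED, so diff those by hand before assuming compromise.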

Oh, okay! Well I did file health check, and tons were listed though. Of course... at first i thought, (and of course you can't point fingers and accuse someone without facts), is a resource that deals with JS files, and first one popped to head was FixTiny. But that author is legit/trusted, and I have that installed too and didn't find that injected code in the files... So, do those matching ones, involve JS file edits/overwrites at all...Doing comparisons might help, and lead the investigation to a quicker resolve though. I'll recheck again though! Just never know these days... sigh.
 
Out of the add-ons you and Chris share the same, that I have

[bd] Widget Framework
Custom BBCode Manager

I don't have anything.

Checked the files you listed here: http://xenforo.com/community/threads/xenforo-hacked.42334/page-3#post-466445

I don't have same results.

The files I have shown in the File Health Check are ones I know I have edited myself...

Are you saying your JS files were edited and those 2 addons are the only ones you share with Chris and giorgino?
 
No, I'm sorry... not sure if that is how it read..

Those two files shown above don't show in my File Health Check. I have tons of add-ons installed too...
 
This is not a new exploit, it seems to be on many blogs / CMSs... malware

I believe that bit of code is related to a javascript unpacker like this:
http://jsunpack.jeek.org/?report=f4992bf7ffd7f56a502bc639b5a7c0e6d9ca0b68
(I love the way "security research" makes its way out to the public... wasn't paros also supposed to be a security research tool... and many of the others)

Many of the sites that have this piece of code also have the blackhole exploit (AVG picks this up for many sites)
http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit-detection/

The blackhole exploit kit looks for security holes (this is suggesting that it's security holes with the server, not the XenForo software... but that's not definite)

This might be a red herring, but javascript unpackers are not new (how they got there is more interesting right now)
http://forum.opencart.com/viewtopic.php?f=20&t=92666
http://stackoverflow.com/questions/13530576/how-do-i-write-a-php-script-to-clean-this-code-out
http://forum.bytesforall.com/showthread.php?t=18992
http://stackoverflow. com/questions/14348080/javascript-injected-into-site-hack (don't click this link)
http://blogengine.codeplex.com/workitem/12173


It's definitely worth doing a thorough scan for malware on both servers
 
Thinking about it again, the JS files might not even be "over written" when you upload the resource's files, but the "injection" happens after the XML file is installed, and who knows if the resource has other parts that work along side the XML file either, that work as a "team" once it's fully installed. Then the injection takes place. Like plain old C4 explosives won't just go off, if punching it or whatever, but add a way to detonate it.. and poof.

Check resource ZIPs here, is what I use sometimes: https://www.virustotal.com/
upload the ZIP of resource, it checks against like 50 or whatever virus checking sites at once..
 
I actually checked the URLs of quite a few sites I know that have been heavily modified (by seeing them post Q's, posting them in showcase, etc...) and only one comes up with any malware so far.
 
I've found about 30 sites (there are a lot more), all using the javascript unpacker exploit (which I believe that bit of code is), many with the blackhole malware (4 posts up)
 