my forum got hacked today

chas

persona theme, but i think this was done via injection, they tried all kinds of things by the looks of it
"GET /topic/80/script-alert-is-this-escaped-p-s-chas-is-a-noob-window-location-http-www-youtube-com-watch-v-dqw4w9wgxcq-script

Does any developer want to analyze my nginx logs ?

pichalite

@chas did you have another forum software running on this domain before switching to NodeBB?

nhl.pl

You can contact NodeBB Team by sending an email to [email protected]

chas

@pichalite Yes but completely different server

chas

@nhl.pl Thanks i'll do that

pichalite

@chas doesn't matter if it's a different server or not... if it's the same domain then, search bots are going to crawl for the old links to see if they still work.

those "route requested but not found" warnings are from the bots checking the old url not somebody hacking your server.

chas

@pichalite Yup i know, just posting the last few lines of the dev terminal after it happened.

charles

@chas you don't have any plugins installed?

chas

I've sent some logs to security@nodebb and we'll go from there. I don't want to cause alarm because it could be somehow my password got compromised (though i have no idea how)

@charles Yes

nodebb-plugin-composer-default
nodebb-plugin-dbsearch
nodebb-plugin-emoji-extended
nodebb-plugin-markdown
nodebb-plugin-mentions
nodebb-plugin-recent-cards
nodebb-plugin-soundpack-default
nodebb-plugin-spam-be-gone
nodebb-rewards-essentials
nodebb-theme-lavender
nodebb-theme-persona
nodebb-theme-vanilla
nodebb-widget-essentials

chas

Yep Sorry guys, finally figured it out.

They decrypted my password through the Xsplit db leak and managed to login to my account.

Time to look at that 2FA plugin !...

Thanks again and apologies for the panic