my forum got hacked today

Technical Support
Log in to reply
  • C

    EDIT
    My password got compromised, nevermind.

    Hello

    Somehow a user posted under my account. and it was posted with the tag "cid-4-privileges-read". Because nodebb was in dev mode, the last requested links were
    20/3 01:07 [1618] - warn: Route requested but not found: /groups/cid-4-privileges-read
    20/3 04:18 [1618] - verbose: [translator] No resource file found for en_US/markdown, using provided fallback language file
    20/3 04:21 [1618] - warn: Route requested but not found: /CHANGELOG.txt
    20/3 04:21 [1618] - warn: Route requested but not found: /readme.html
    20/3 04:42 [1618] - warn: Route requested but not found: /user/c???????
    20/3 05:01 [1618] - warn: Route requested but not found: /category/27
    20/3 06:57 [1618] - warn: Route requested but not found: /index.php?app=forums&module=extras&section=stats&do=who&t=1234
    20/3 09:34 [1618] - warn: Route requested but not found: /topic/189/hacker

    Is there any log files i can see how this happened? I was running the forums on latest build in dev mode, guess that isn't helpful?

    Thanks

    ? charles 2 Replies 1
  • ?

    @chas nope none of these logs contain any useful info.

    Please note that the dev mode is not meant for a productional system.
    Additionally you should be sure that your chosen password is secure. Just like the device & browser you are using to log into it.

    1
  • charles

    @chas

    which theme do you have installed? can you also list all the plugins you have installed?

    0
  • C

    persona theme, but i think this was done via injection, they tried all kinds of things by the looks of it
    "GET /topic/80/script-alert-is-this-escaped-p-s-chas-is-a-noob-window-location-http-www-youtube-com-watch-v-dqw4w9wgxcq-script

    Does any developer want to analyze my nginx logs ?

    pichalite 1 Reply 0
  • pichalite
    Plugin & Theme Dev

    @chas did you have another forum software running on this domain before switching to NodeBB?

    C 1 Reply 0
  • nhl.pl

    You can contact NodeBB Team by sending an email to security@nodebb.org

    C 1 Reply 0
  • C

    @pichalite Yes but completely different server

    pichalite 1 Reply 0
  • C

    @nhl.pl Thanks i'll do that

    0
  • pichalite
    Plugin & Theme Dev

    @chas doesn't matter if it's a different server or not... if it's the same domain then, search bots are going to crawl for the old links to see if they still work.

    those "route requested but not found" warnings are from the bots checking the old url not somebody hacking your server.

    C 1 Reply 0
  • C

    @pichalite Yup i know, just posting the last few lines of the dev terminal after it happened.

    charles 1 Reply 0
  • charles

    @chas you don't have any plugins installed?

    C 1 Reply 0
  • C

    I've sent some logs to security@nodebb and we'll go from there. I don't want to cause alarm because it could be somehow my password got compromised (though i have no idea how)

    @charles Yes

    nodebb-plugin-composer-default
    nodebb-plugin-dbsearch
    nodebb-plugin-emoji-extended
    nodebb-plugin-markdown
    nodebb-plugin-mentions
    nodebb-plugin-recent-cards
    nodebb-plugin-soundpack-default
    nodebb-plugin-spam-be-gone
    nodebb-rewards-essentials
    nodebb-theme-lavender
    nodebb-theme-persona
    nodebb-theme-vanilla
    nodebb-widget-essentials

    0
  • C

    Yep Sorry guys, finally figured it out.

    They decrypted my password through the Xsplit db leak and managed to login to my account.

    Time to look at that 2FA plugin !...

    Thanks again and apologies for the panic

    1

Suggested Topics

| |
Copyright © 2020 NodeBB | Contributors