Possible Backdoor hack?

[LemonGrenade]

This morning I found a new random post in a forum that is locked to member-only posting, there is no genuine way a guest could post in there. Any other reports of this happening to anyone? It hadn't happened before today.

 

 

[Marc]

Please could you provide me with a link to that post?

[LemonGrenade]

I sent the link via PM @Marc Stridgen

If the site is open security-wise, I'd rather not add the site to a public post.

[Marc]

Please update access details on file. At present you have display name there, but your site requires email

[LemonGrenade]

3 minutes ago, Marc Stridgen said:

Please update access details on file. At present you have display name there, but your site requires email

Changed. Thanks.

[Marc]

Taking a look through there, I suspect whats happened there is permissions have been changed that were allowed to guests elsewhere on the site. While there are none there at present, and may not have every been for that specific forum, the topic in question was moved from another forum at some point.

The other thing that it may be, is one of the 3rd party items you have installed. If you do see it happen again, please disable all of those while you test this. 

One thing I can say for sure, is I can see no way anyone would be able to post on there as guest at present

[LemonGrenade]

Thanks, @Marc Stridgen There isn't any guest posting anywhere, there never has been, which is why I was so concerned. It did move forum, because I moved it to a moderating forum, and then moved it back for you to check.

I did slightly doubt that it was the board, as you guys would know about it way before, and obviously, others would be saying the same thing.

I would agree and suspect it may be a third-party app, but without the marketplace hooked up in admin now and no notifications of updates, I wouldn't know where it could be from. Plus all devs are spread on sites around the internet now, which makes it so much harder when things like this occur and looking for updates.

Thanks for looking into it anyway.

[Adriano Faria]

17 minutes ago, LemonGrenade said:

but without the marketplace hooked up in admin now and no notifications of updates, I wouldn't know where it could be from. Plus all devs are spread on sites around the internet now, which makes it so much harder when things like this occur and looking for updates.

You can find the devs at https://invisioncommunity.com/third-party/providers-directory/

Their site is available in their profile. 

[Jim M]

I haven't looked at your instance but was the user who made this post deleted without having their content deleted?

[LemonGrenade]

Just now, Jim M said:

I haven't looked at your instance but was the user who made this post deleted without having their content deleted?

The user had no account previously and posted as a guest in a member post protected forum.

[Jim M]

Just now, LemonGrenade said:

The user had no account previously and posted as a guest in a member post protected forum.

When a user gets deleted but their content stays around, you would also get what you're seeing now. Which is why the question was proposed. 

[LemonGrenade]

Yep understood, but it was new content, plus the post itself was a very 'hacked' type message.

[Jim M]

Just now, LemonGrenade said:

Yep understood, but it was new content, plus the post itself was a very 'hacked' type message.

It looks spammy. Looking at your administrator log, there was indeed a user deleted earlier today and 2 on the 24th.

[LemonGrenade]

Indeed, but it wasn't him.

[Marc]

All I can suggest at this point is to monitor, and if it happens again, disable all 3rd party applications and monitor again.

[LemonGrenade]

Thanks @Marc Stridgen I've removed some 3rd party apps already and kept the ones that are only really needed!