[Security] 1.6.4 Security Vulnerability
10-13-2011, 11:08 PM
Post: #31
RE: 1.6.4 Security Vulnerability
Just wondering... what exploit does this allow? It seems such a small change.
10-13-2011, 11:16 PM
Post: #32
RE: 1.6.4 Security Vulnerability
(10-13-2011 11:08 PM)MarkW7 Wrote: Just wondering... what exploit does this allow? It seems such a small change.
Ability to modify just about anything by executing arbitrary code in the index.php file.
10-14-2011, 07:30 AM
Post: #33
RE: 1.6.4 Security Vulnerability
(10-13-2011 10:24 PM)JaysonL Wrote: Quite strange to see an exploit already.
I don't understand why you would think that. No project is 100% bug free. Bugs and exploits are always there. They just need to be found.
-Nathan Malcolm
10-14-2011, 07:57 AM
(This post was last modified: 10-14-2011 07:58 AM by seminar techi.)
Post: #34
RE: 1.6.4 Security Vulnerability
Important
The bot is just adding a small script to all index.php and showthread.php files after the closing PHP tag (that's "?>")... Be aware and search all index.php files to remove the suspicious script (I mean all index.php files on the server, even those with no relation to MyBB files). I hope they used shell access to edit this..!
10-14-2011, 10:06 AM
Post: #35
RE: 1.6.4 Security Vulnerability
OK, I have cleansed no less than 6 installations of MyBB by re-uploading all the compromised files for each one, and a file verification for all 6 now comes up clean. So that looks good.
However, I notice that on each installation the config.php was modified at the same time as the other (now cleansed) files. This leads to 2 questions:
1) If the config.php has indeed been modified, as the time/date on the file suggests, why doesn't it show as changed in the file verification? I'm guessing it's because the config.php is unique to each MyBB install and can't be verified?
2) As there is no config.php in the newly available MyBB download, what is the correct procedure for replacing the compromised config.php in order to eliminate the apparently altered code?
10-14-2011, 10:19 AM
Post: #36
RE: 1.6.4 Security Vulnerability
1) Exactly, it is different on all installations.
2) It must look like this: http://wiki.mybb.com/index.php/Inc/config.php
10-14-2011, 11:32 AM
Post: #37
RE: 1.6.4 Security Vulnerability
Thank you StefanT.
I've now found the code which was added to my config.php files and have removed it, so hopefully I am 100% clean.
10-14-2011, 12:51 PM
Post: #38
RE: 1.6.4 Security Vulnerability
I guess that there is still some wrong code on our forums.
I mentioned it already yesterday: when I delete the spam postings in the Moderator CP, I get to read that I accepted these postings. They are deleted, but I want the forum to show that the postings are deleted. Which files does the Moderation CP depend on? Do we perhaps still have another security hole anywhere on the forum? I ask because I now had to delete about 30 spam postings from this morning until now. I run these plugins against spam: Akismet (1.2.1), Bad Behavior (1.0.0), Fassim Anti Spam (1.21), Goodbye Spammer (1.0), Stop forum spam (1.2). Thanks in advance for every answer.
10-14-2011, 01:22 PM
Post: #39
RE: 1.6.4 Security Vulnerability
Reverted all files reported, applied "Patches Plugin" again (MyBB Google SEO).
Thanks MyBB Group
[]s, Claudio
10-14-2011, 01:48 PM
Post: #40
RE: 1.6.4 Security Vulnerability
I want to emphasize that everyone needs to check config.php. It's not verified by file verification and I found some pretty malicious/dangerous code in mine.
~Paul H.
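Two posts in this thread describe the same indicator: a PHP block appended after the closing ?> of index.php and showthread.php, and an altered inc/config.php that MyBB's file verification does not cover. The scanner below checks for that indicator over a whole web root; it is an added example written for this page, not MyBB code or anything posted in the thread, and the sample tree with its placeholder appended blocks is constructed.

```python
import os
import tempfile

def find_appended_code(src: bytes):
    """Return what follows the first ``?>`` if it is more than whitespace.
    MyBB's index.php, showthread.php and inc/config.php are pure-PHP files
    with one <?php ... ?> block, so code after that tag is a heuristic red flag."""
    idx = src.find(b"?>")
    if idx == -1:  # no closing tag at all: nothing can be appended after it
        return None
    tail = src[idx + 2:].strip()
    return tail or None

def scan_tree(root: str) -> dict:
    """Map every .php file under *root* carrying appended code to its first
    60 bytes. Point it at the whole web root, not only the forum directory:
    the thread reports every index.php on the server being hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                appended = find_appended_code(fh.read())
            if appended is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = appended[:60]
    return hits

def build_sample_tree() -> str:
    """Constructed sample tree (not real forum files): two clean files and
    two with a placeholder block appended after ``?>`` as the thread describes."""
    root = tempfile.mkdtemp(prefix="mybb_scan_")
    os.makedirs(os.path.join(root, "forum", "inc"))
    appended = b"\n<?php /* placeholder for appended block */ ?>"
    samples = {
        "forum/showthread.php": b"<?php\ndefine('IN_MYBB', 1);\n?>\n",
        "forum/index.php": b"<?php\ndefine('IN_MYBB', 1);\n?>" + appended,
        "forum/inc/config.php": b"<?php\n$config['database']['type'] = 'mysqli';\n?>" + appended,
        "index.php": b"<?php echo 'site'; ?>\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, snippet in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {snippet!r}")
```

On a real server, call scan_tree() on the document root and review each hit by hand; a legitimate ?> inside a string literal would also trigger it, so the output is a shortlist, not a verdict.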