MyBB 0-Day? WTF?
#1
I have a forum that is EXTREMELY locked down, as it's run on a secure VPS and managed by IT professionals and overlooked by me.

And yet some guy named "Team LNXRoot" from lnxroot.org somehow is posting threads from an account that isn't even registered, saying that he hacked my database.

WTF?
<snip - spam>
Reply
#2
Hello,

I am sorry I made some mistake and denied you, it's sorted now.

Can you post your forum URL here? Are you the only one who has access to the VPS, and are you the only admin?
Jovan J.
MyBB Software Developer
Reply
#3
(09-14-2013, 06:58 PM)Jovan J. Wrote:  Hello,

I am sorry I made some mistake and denied you, it's sorted now.

Can you post your forum URL here? Are you the only one who has access to the VPS, and are you the only admin?

I just took the forum offline for the moment to make it stop. And I have 2 fellow administrators, but I've known them for years personally and they wouldn't do this.

I can post screenshots and logs.

The IP it's from is 117.237.49.156
<snip - spam>
Reply
#4
What plugins are you running? I'd be surprised if it were a major issue within the core as we normally hear about things like that pretty quickly.
Reply
#5
It turns out the perpetrator changed their user agent to Googlebot so he could post, because we have Googlebot set as a registered member for SEO purposes.
<snip - spam>
Reply
#6
(09-14-2013, 08:06 PM)Paradox21 Wrote:  It turns out the perpetrator changed their user agent to Googlebot so he could post, because we have Googlebot set as a registered member for SEO purposes.

That's actually really intelligent. Wonder if we could check to see if googlebot is really googlebot by checking to see if it's within Google's IP ranges.

Edit: Then again, Googlebot shouldn't be in the registered group. Should have a separate group for that.
Nathan Malcolm Wrote:
* Nathan Malcolm likes how Facebook sent him a white page and a "500 OK" response code
* Nathan Malcolm says "No facebook, that is not OK."
Reply
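An added example (not part of any post in this thread, and not MyBB code) of the check suggested in post #6: a request whose user agent claims Googlebot is only treated as a spider when its source address falls inside a list of Googlebot networks. The CIDR blocks and log lines are constructed samples; 117.237.49.156 is the address reported in post #3.

```python
import ipaddress
import re

# Assumption: sample CIDR blocks for illustration only. In production,
# load the current Googlebot ranges that Google publishes instead.
SAMPLE_GOOGLEBOT_RANGES = ["66.249.64.0/19", "2001:4860:4801::/48"]
NETWORKS = [ipaddress.ip_network(c) for c in SAMPLE_GOOGLEBOT_RANGES]

# Combined log format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Constructed log lines (timestamps, paths and sizes are made up).
SAMPLE_LOG = [
    '66.249.66.1 - - [14/Sep/2013:18:01:02 +0000] "GET /showthread.php?tid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '117.237.49.156 - - [14/Sep/2013:18:05:40 +0000] "POST /newthread.php?fid=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [14/Sep/2013:18:06:11 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def classify(ip, user_agent):
    """Return 'spider', 'spoofed-spider' or 'guest' for one request."""
    if "googlebot" not in user_agent.lower():
        return "guest"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "spoofed-spider"  # claims Googlebot but address is unparseable
    # Membership is simply False when the IP versions differ (v4 vs v6).
    return "spider" if any(addr in net for net in NETWORKS) else "spoofed-spider"

def scan(lines):
    """Return (ip, verdict) for every log line that parses."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            results.append((m.group(1), classify(m.group(1), m.group(2))))
    return results

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(f"{ip:16} {verdict}")
```

A 'spoofed-spider' verdict should fall back to guest permissions and be logged, and even a verified spider belongs in its own read-only group rather than the registered group, as posts #6 and #10 point out.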
#7
(09-14-2013, 08:06 PM)Paradox21 Wrote:  It turns out the perpetrator changed their user agent to Googlebot so he could post, because we have Googlebot set as a registered member for SEO purposes.

Very glad you induced panic by postulating there was a Zero Day when really you and your IT professionals just made a stupid permission error. Thanks.

Publicly posting that there is a major security flaw in MyBB without any evidence should be grounds for suspension. This happens way too often.
Reply
#8
(09-15-2013, 03:55 AM)brad-t Wrote:  
(09-14-2013, 08:06 PM)Paradox21 Wrote:  It turns out the perpetrator changed their user agent to Googlebot so he could post, because we have Googlebot set as a registered member for SEO purposes.

Very glad you induced panic by postulating there was a Zero Day when really you and your IT professionals just made a stupid permission error. Thanks.

Publicly posting that there is a major security flaw in MyBB without any evidence should be grounds for suspension. This happens way too often.

I concur.
Reply
#9
(09-15-2013, 03:55 AM)brad-t Wrote:  Publicly posting that there is a major security flaw in MyBB without any evidence should be grounds for suspension.

Evidence or not, major security flaws should be discussed with a team member privately. If this were an actual vulnerability, OP would have been helping to educate any nefarious person reading this.
Reply
#10
By default, Spiders / Bots are in the "Guests" user group (read most everywhere, posting denied most everywhere). I create a separate group for Spiders where I can more closely regulate their permissions. This thread shows that maybe this should be the default setup.
Reply

