If you have been HACKED, PLEASE READ
07-06-2009, 09:02 PM
(This post was last modified: 07-06-2009 09:19 PM by MattRogowski.)
Post: #1
If you have been HACKED, PLEASE READ
Due to the recent levels of people being compromised with an exploit present in MyBB <= 1.4.6, this thread will tell you what to do about it.

What to do if you get hacked

If you were on a MyBB release BEFORE OR EQUAL TO 1.4.6
-- Make sure that no new admin accounts have been made; delete them immediately if there are any.
-- Look in your ./cache/themes/ folder; if you see a file called themes.php, please delete it.
---- One user here http://community.mybboard.net/thread-522...#pid368623 reported that the themes.php backdoor was used to create additional php files in the cache/theme folders. Since no such file belongs there they should all be deleted - frostschutz
-- Reupload your ./index.php file and revert your index template to default.
-- Follow the rest of the general post-hack steps below.

If you were on a MyBB release AFTER 1.4.6

Upgrade to most recent release
Upgrading to the most recent release won't solve the results of you being hacked, but it will make sure your forum is secure. [Wiki: Upgrading]

Reset passwords
Once you are able to, you should immediately change your forum password, and also the password to your database. This is to make sure that the hacker can’t just log in to anything again; new passwords mean they’re back to where they were before. If you change your database password you will need to update it in ./inc/config.php too.

Check for new users
Check all new users registered after the time the hacker gained access to the forum; there may be a chance one of them has been added to a group with ModCP or ACP access, or they may have even created a new usergroup for a user. If you see anything like this, delete it.

Reupload all files
Download the MyBB package, and upload all of the MyBB files, except ./inc/settings.php. This will make sure that all of your files are clean, and there isn’t any malicious code in any of them. Make a note of any file changes you have made before doing this, though, so you can make them again after. This process will also make sure you have all the most recent files; you may have missed an important file in a security upgrade which contained the exploit that was used to hack you.

Check your CHMOD permissions
Check your CHMOD permissions after you have reuploaded the files. Make sure you’re not giving files or folders extra permissions that they don’t need. [Wiki: CHMOD_Files]

Delete settings.php
Head to your ./inc/ folder and download your copy of settings.php… and then delete it from your server. It will be generated again, with the correct values from the database, and then we’ll know it’s a clean copy of the file, with no malicious code. You may need to click around on the forum a bit to get it to regenerate; the downloaded file is there so you can upload it again should it fail to regenerate automatically.

Rebuild config.php
You can manually remake your config.php to make sure it’s clean. Use this code ([Wiki: Inc/config.php]) to rebuild the file, and enter in your database details. Also make sure you change any other settings you need to, for example, the admin directory, hiding ACP links, or super admins.

Check your templates for malicious code
A common result of being hacked is having malicious code added to your templates, meaning it’s executed whenever a page is loaded. A common place for code to be added is the header, headerinclude, index, and footer templates, as these templates are loaded the most. Check all templates, however, that aren’t default (have their name in green) and remove any code that isn’t supposed to be there. It’s usually in <script> tags and is usually a load of random numbers and letters. This should be removed as soon as possible.

If anyone has anything else to add, post it here and it will be added.
07-06-2009, 09:18 PM
Post: #2
RE: If you have been HACKED, PLEASE READ
One user here http://community.mybboard.net/thread-522...#pid368623 reported that the themes.php backdoor was used to create additional php files in the cache/theme folders. Since no such file belongs there they should all be deleted.
07-06-2009, 09:22 PM
Post: #3
RE: If you have been HACKED, PLEASE READ
It would be a good move for all users that have been hacked to compare the files on their server with the files in the MyBB download package - especially the files in cache/*.
07-06-2009, 09:26 PM
Post: #4
RE: If you have been HACKED, PLEASE READ
Another good thing to do is to run your forum through a check at UnmaskParasites, which will let you know if there is any suspicious code on your forums as well as help you in locating what that code looks like. This can aid you in removing any malicious code from your templates.
Also, it's important to remember that if your forum is hacked it doesn't necessarily mean that the MyBB software was the source of the hack. It could be a MyBB plugin that is responsible, another script on your web server, or it could be that the server itself was compromised. In addition to updating MyBB, I would suggest updating your MyBB plugins to their latest versions as well as updating any other software on your site to the latest versions as another program could possibly be the source of the hack, especially if you run multiple programs on the same database.
07-07-2009, 07:42 AM
(This post was last modified: 07-07-2009 07:43 AM by Tomm M.)
Post: #5
RE: If you have been HACKED, PLEASE READ
I can't stress this enough - make regular backups; I would definitely suggest once a day.
07-08-2009, 01:28 AM
Post: #6
RE: If you have been HACKED, PLEASE READ
(07-06-2009 09:22 PM) destroyer Wrote:
> It would be a good move for all users that have been hacked to compare the files on their server with the files in the MyBB download package - especially the files in cache/*.

You might want to suggest how to do that because I am sure most users won't know how to check which files differ.
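
One way to do the comparison suggested in post #3 and asked about in post #6, which also applies the first post's rule that no PHP file belongs under cache/themes/. This is an added example, not part of the original thread and not MyBB's own tooling; the function names and the script name compare_mybb.py are hypothetical, and it assumes the clean package for your exact MyBB version has been unpacked locally so that its root lines up with the forum root.

```python
import hashlib
import os

def file_hashes(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

# Site-specific files that the first post handles by hand (settings.php is
# regenerated, config.php is rebuilt), so they are skipped here.
REVIEW_BY_HAND = {"inc/settings.php", "inc/config.php"}

def compare_install(live_root, clean_root):
    """Compare a live forum directory with an unpacked clean MyBB package."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    report = {"modified": [], "extra": [], "missing": [], "php_in_theme_cache": []}
    for rel in sorted(live):
        # Per the first post, no PHP file belongs anywhere under cache/themes/.
        if rel.startswith("cache/themes/") and rel.lower().endswith(".php"):
            report["php_in_theme_cache"].append(rel)
        if rel in REVIEW_BY_HAND:
            continue
        if rel not in clean:
            report["extra"].append(rel)      # on the server, not in the package
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)   # same path, different content
    report["missing"] = sorted(set(clean) - set(live) - REVIEW_BY_HAND)
    return report

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: compare_mybb.py <live forum dir> <clean package dir>")
    for kind, paths in compare_install(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(f"{kind:20} {path}")
```

Entries under "extra" include files MyBB generates legitimately, such as the stylesheets in the cache/themes/themeN/ folders and uploaded avatars, so review them rather than deleting them wholesale.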
07-09-2009, 08:40 PM
Post: #7
RE: If you have been HACKED, PLEASE READ
I upgraded to the 1.48 and only then found a new user "admin", deleted him,
should I now upload the 1.48 files again? Including the install folder?
07-09-2009, 08:42 PM
(This post was last modified: 07-09-2009 08:42 PM by MattRogowski.)
Post: #8
RE: If you have been HACKED, PLEASE READ
No, you shouldn't need to do any of that again if you've already upgraded... you probably just missed the new admin before you upgraded... you did delete any non-MyBB files from ./cache/themes/, yes??
07-09-2009, 08:43 PM
Post: #9
RE: If you have been HACKED, PLEASE READ
In the /cache/themes/ there's no themes.php file, however there are folders named /theme1, /theme5, etc....
Should I delete those?
07-09-2009, 08:44 PM
Post: #10
RE: If you have been HACKED, PLEASE READ
No, unless you also want to delete your themes...