Just went to goto my site and found we had been hacked into, running MyBB 1.1.3
Firstly...thanks so much for leaving the version numberon the login to the ACP!
Secondly, the message "This Site Has Been Hacked by amirhossein313 for SMA !" was left across the top of my forum
Heres the users info (he registered a few days ago).
IP: 85.185.44.118
Email:
[email protected]
Username: amir313
Why the HELL is there a link in the 1.1.4 announcement to a website SHOWING how to use the secuiry flaw?
Im very disapointed to say the least.
Moving away from MyBB...
Firstly, read
this
Secondly, if that's the only thing he did that's easy to fix. check your templates.
MyBB does not show how to use the security flaw. They are publicly viewable from other pages.
This is not MyBB fault, there are always going to be bugs. Just stay up-to-date and you will be fine.
But if you've made up your mind, bye bye.
Hmm!! Let's talk in peace!.
Rick.M please don't take random judgments, I understand how hard is to have your board hacked, and to find everything you made was lost, but also remember it is not a 100%mybb fault.
MyBB team has been working always on 2 updates which came after the version you had, and there was a big boom 3 days ago with the same as your case, and mybb was always released the correct patches and the problems are gone.
Many have reported, and many have experiences what you have just did, and inspite that some may not like to check frequently for the updates, and they want a one software for once, but also dont miss that you need to come so often here and check what's on. There is no software without bugs, so i guess it will be great if you subscribe the announcments thread so that you don't miss any patch later on.
Now rather than thinking how to blame a software, i guess it is prety smarter to find a way to recover your board, and guard it against any new threats by applying the patches mybb has released.
many regards
I wasnt intending on blaming the software, sorry if i seem a little annoyed.
I just find it very frustrating, a few questions come to mind when something like this happnes and its realy affected the way i feel about the software.
Such as, why was there not a notice about the two updates when MyBB knew that people were doing this? A simple email to forum members would have worked.
I can understand, I had already upgraded and got 10 people trying to hack me.
There are newsletter you can sign up on. An subscription on the Announcement forum will work aswell.
Quote:Such as, why was there not a notice about the two updates when MyBB knew that people were doing this? A simple email to forum members would have worked.
If you wish to receive such updates, either subscribe to the announcements forum or the mailing list. We do not send out emails as such over the forum.
http://www.mybboard.com/mailinglist.php
Also bear in mind that ALMOST ANY program/script that interacts with a webuser is vulnerable to some extent. Almost any web program/script has a vulnerability just waiting to be discovered and exploited...
So please guys, always make sure to keep informed about the new updates, it is just a little signup process.
regards