MyBB Community Forums

Full Version: 1.6.4 Security Vulnerability
(2011-10-17, 07:45 PM)Ruby Wrote: I have found a new file which seems to be unknown to MyBB:

forums/inc/languages/english/imgs.classs.php

It's a very big file. If anyone is interested to get the code, I can post it once more.

Luckily, I don't have this file:

forums/inc/languages/english/imgs.classs.php
(2011-10-15, 04:33 PM)labrocca Wrote: Curious but was an email sent out to the mailing list? I don't recall getting one.

I had the same thought. A systems check turned over a change in CHMOD for my Config file which alerted me to the situation, then a couple of my members sent me reports from their browser and virus systems.

Would be appreciative of a quicker method of notice somehow in the future.

Chris

(2011-10-17, 02:51 PM)WoodLark Wrote: In addition to the files already mentioned (/index.php, /showthread.php, /admin/config.php), I also found malignant code in /archive/index.php and /admin/index.php.

All index.php files, including /archive/index.php and /admin/index.php.

And if you added any additional index.php in any folder, that also needs to be checked to remove the hack code.

Or use the cPanel search function to find all index.php files on the server.
(2011-10-18, 05:39 AM)chris_wlkr Wrote:
(2011-10-15, 04:33 PM)labrocca Wrote: Curious but was an email sent out to the mailing list? I don't recall getting one.

I had the same thought. A systems check turned over a change in CHMOD for my Config file which alerted me to the situation, then a couple of my members sent me reports from their browser and virus systems.

Would be appreciative of a quicker method of notice somehow in the future.

Chris

I would also like to chime in here and say I agree with the other 2 posters on this. It looks like the 6th of Oct. was D Day and I heard nothing of it until this morning, when I was contacted by a board member via phone to inform me of the problem.

But, I digress.

Looks like a well-worded email notification for the mailing list is in order. I'm sure there are still plenty of people that don't know they might have been compromised and are running exploitable code.
(2011-10-18, 06:28 PM)labrocca Wrote: Looks like a well-worded email notification for the mailing list is in order. I'm sure there are still plenty of people that don't know they might have been compromised and are running exploitable code.

It seems in our private thread on this that doing the email/twitter thing was mentioned by Tomm. I'm not sure why it never got done. But yes, it probably is a good idea to do it now.
* Dylan M. prods Tim or whoever else has access to these.
I intended to publish another blog post and put out an email to the mailing list then, but I was waiting for Chris to respond to a few things first. 1.6.5 is also pretty close, but I'll send out an email to the mailing list with everything to date on the weekend. I know it has already been posted on facebook and twitter.
No notification of this, just realized now...

Edit:

So far I've found three malicious snippets of code in each of these files:

/admin/index.php
/index.php
/inc/config.php

Damn...
(2011-10-20, 03:59 AM)Jessie S. Wrote: So far I've found three malicious snippets of code in each of these files:
Please post the malicious code which you have found in [ code ] here. Thanks in advance.
If your MyBB forum is not the top level of your website, check the directories ABOVE the forum directory. I found that the malicious code appeared in every file named "index.php" in the directories above the forum.
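A defender-side check for the two findings in this thread (a file under inc/languages/english that the release never shipped, and modified index.php files, including ones in directories above the forum), as an added example and not code from the thread or from MyBB: it hashes a pristine copy of the same release against the deployed tree and lists every index.php from the forum's parent up to the web root. The pristine copy, the web root path and the temporary sample tree built in demo() are assumptions.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map path-relative-to-root -> sha256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result

def compare_trees(clean_root, deployed_root):
    """Files whose hash differs from the pristine release, plus files the release never shipped."""
    clean, deployed = hash_tree(clean_root), hash_tree(deployed_root)
    modified = sorted(p for p in deployed if p in clean and deployed[p] != clean[p])
    unknown = sorted(p for p in deployed if p not in clean)
    return {"modified": modified, "unknown": unknown}

def index_files_above(forum_dir, web_root):
    """index.php in each directory from the forum's parent up to and including web_root."""
    found, d = [], os.path.dirname(os.path.abspath(forum_dir))
    web_root = os.path.abspath(web_root)
    while True:
        candidate = os.path.join(d, "index.php")
        if os.path.isfile(candidate):
            found.append(os.path.relpath(candidate, web_root))
        if d == web_root or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return found

def write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)

def demo():
    """Constructed sample: pristine copy vs. a deployed copy with one altered and one extra file."""
    base = tempfile.mkdtemp()
    clean, forum = os.path.join(base, "clean"), os.path.join(base, "public_html", "forums")
    for root in (clean, forum):
        write(os.path.join(root, "index.php"), "<?php // mybb front controller\n")
        write(os.path.join(root, "inc", "languages", "english", "english.php"), "<?php\n")
    write(os.path.join(forum, "index.php"), "<?php /* altered */\n")  # modified in place
    write(os.path.join(forum, "inc", "languages", "english", "imgs.classs.php"), "<?php\n")  # not shipped
    write(os.path.join(base, "public_html", "index.php"), "<?php\n")  # index.php above the forum
    return compare_trees(clean, forum), index_files_above(forum, os.path.join(base, "public_html"))
```

inc/config.php and the uploads directory are expected to differ from the release and still need a manual look; a hash match only shows a file is unmodified relative to the copy you compared against.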