MyBB Community Forums

Hi,

My users and I have been getting some redirects from just the message board portion of my site. The redirects only happen about once a day or when I get a new IP address. Here is what some of them look like:

Do NOT click on these:

http://o49gsjc9y1ql8zq9r94ku7i52264ddb7f...index2.php
http://lrxekl8qvya0wmzbl72y9ji.alfurni.be/index.php?n
http://xnmlnvttdztt43uqvq6w2hi52264ddb84...-volley.be.
http://dgmh8u6y8u75hhxf3cner9x.alola.org...aW5lLnBocA=
http://1ya1tb6ptsyqpequktptxix.hostbooya...S9ib2FyZC8=

I was convinced that these redirects were from an Apache server malware called Backdoor.Cdorked, but the host says there "httpd" binary is clean. Is it possible that this could be from somewhere in MyBB. It appears so randomly and the links are all different. Also redirects can occur on more then just the index.php

One other reason Is I've not seen any redirects since my upgrade to 1.6.10 (from 1.6.9) last night and entering through the webpage portion of my site gets no redirects only when entering the message board portion of the site do redirects occur.

Any Idea?

- Rich -

Have you checked your .htaccess file in the forum root or web root, if you have any .htaccess files.

It would also be wise to note any modifications to core files you may have made, and then replace the MyBB files with clean versions from a new package. Check each folder of the site in FTP/SSH for any suspicious standalone files that could reinfect your site.

Hi,

Quote:Have you checked your .htaccess file in the forum root or web root, if you have any .htaccess files.

I have checked them and nothing wrong there. If they were effected wouldn't the redirects happen more often and not be random and wouldn't the redirects be static?

BTW, I have checked all my plugins and removed any that were labeled as including a vulnerability some time ago (well before this redirect problem).

Thanks,
- Rich -

No. Here's why:

As for the random part, you could easily have a script pick from an array (false,false,false,yes). And if it picks yes, the browser is what it wants and the OS is what the script wants, then it could act.

Not saying this is how the one affecting you works, but it could.

As for the changing sites, a lot of injections call to a server that gives the script the actual URL.

I know you said you removed plugins listed as vulnerable, but if you could paste your plugin list here, that could help.

Hi,

Here ya go Josh,

WelcomeAd (1.1)
A2detector (1.1)
Ajax PM Notification (1.8.1)
Announcement (2.4)
Auto Media (2.1)
Spider Bots (1.1)
Fassim Anti Spam (1.3)
Favicon in address bar (1.0.1)
Fit on Page (2.3)
Goodbye Spammer (1.0)
Go to Full Reply/Edit (0.1.1)
Google +1 (1.0)
Index Ads (1.1)
Profile Images (1.0)
Advance ads on index. (1.0)
Infobar (1.4)
iShare (1.2.1)
MentionMe (1.6)
MyAlerts (1.04)
Naoar Donation (2.0)
Profile Albums (1.0)
Profile Comments (0.9.2)
QuickQuote (1.0)
reCAPTCHA Plugin (1.1)
Sidebox (1.2.0)
Stop Forum Spam (1.4)
TTINNO - Thread Titles (and static links) in Next Newest/Oldest (1.1)
User Quickmenu In Postbit (1.0)
Userpages for MyBB (1.3)
MyBB WYSIWYG Editor (1.0.3)
My Youtube (1.2)

That is all the active plugins for MYbb. Let me know if there is security problem with any of these.

Security is a tough thing to maintain for sure. I'm writing a MMO game and I can't tell you how much research and testing goes into that and even with an authoritative server I expect hacking to occur. Just got to stay one step ahead.

- Rich -

Assuming you are manually controlling which ads you're putting on the index, I think those plugins are okay.

Are you using Adsense? Sometimes malicious ads end up XSSing a site or causing other issues. That would explain randomness if it isn't often that it occurs.

Hi,

Nope, no ads or Google Adsence at all. In fact I make sure that all the data/resources used by MYbb is pulled from my site. Aside from user post and off site links there is no active links to ads or other resources from other sites.

- Rich -

---

I should add that my board has never been spammed in the six months it's been up. I really keep after spammers and hackers.

---

Also a scan from Virustotal.com reports my site as clean.

Check your site at http://sitecheck.sucuri.net/scanner/

Hi,

All clean.

It's a head scratch'er. Like I said I have had no redirects since I updated MyBB (about 24+ hours ago) but at the same time I was working with my host as I was sure it was their problem so it's hard to say if it's fixed or not. My host (I think all) just will not admit they are infected with anything which makes it doubly hard to isolate the problem.

I do have a backup of the MyBB before the upgrade. Do you have any suggestions on where I might look around for injections into files. If the database was involved I would think I or one of my staff would be hit with a redirect since the upgrade to 1.6.10. So I'm thinking if it is on my end the evidence might be in the per-upgrade backup.

Thanks,
- Rich -

I guess if it's resolved, it's resolved. What host are you using?