MyBB Community Forums

Full Version: Site was defaced help please
I installed MyBB for my friend a few months ago. He says it could be hacked either because he didn't upgrade the version or the 2 guys he gave access to for adding images to the forum hacked it.

Either way. I had him take weekly backup of the forum by disabling all plugins so I assume he can start over. I think the hackers messed with the htaccess files. Because when I deleted all the files to do a clean install the uploads directory was refusing to get deleted and there is a folder named "I47" under it I have the htaccess file of the website hidden. I tried to change permission and delete and it didn't get deleted. I tried to look up on Google but it was of no use. Also under the I47 was a folder named root which redirects to the normal public_html folder.


Any help resolving this would be of great help to me and hopefully my friend can start his forum fresh with a clean install. Thanks.
Log in as your root user if you haven't tried that yet. If your webhost has CPanel installed, use File Manager to do this since you should be logged in as the root user by default. A root user can always modify any file or folder permissions.
The best thing with this, is to start with a fresh install of MyBB and install it that way. This will fix the issue that may be modified .htaccess or shells. Then after that check the MySQL database so you don't see any malicious tables.

Keep in mind most hackers don't go empty handed. So they most likely added a shell or even shelled your theme to get access to it. So best idea is a complete reinstall.
(2014-06-24, 03:11 PM)Ace700 Wrote: The best thing with this, is to start with a fresh install of MyBB and install it that way. This will fix the issue that may be modified .htaccess or shells. Then after that check the MySQL database so you don't see any malicious tables.

Keep in mind most hackers don't go empty handed. So they most likely added a shell or even shelled your theme to get access to it. So best idea is a complete reinstall.
I was planning to do the same but the .htaccess file inside the uploads folder just won't go away and even though I installed MyBB's htaccess it still uses the one in the uploads folder.

(2014-06-24, 02:13 PM)dragonexpert Wrote: Log in as your root user if you haven't tried that yet. If your webhost has CPanel installed, use File Manager to do this since you should be logged in as the root user by default. A root user can always modify any file or folder permissions.

I don't think he has host access, he just bought it from a web hosting provider.
(2014-06-24, 04:31 PM)pg001 Wrote:
(2014-06-24, 03:11 PM)Ace700 Wrote: The best thing with this, is to start with a fresh install of MyBB and install it that way. This will fix the issue that may be modified .htaccess or shells. Then after that check the MySQL database so you don't see any malicious tables.

Keep in mind most hackers don't go empty handed. So they most likely added a shell or even shelled your theme to get access to it. So best idea is a complete reinstall.
I was planning to do the same but the .htaccess file inside the uploads folder just won't go away and even though I installed MyBB's htaccess it still uses the one in the uploads folder.

(2014-06-24, 02:13 PM)dragonexpert Wrote: Log in as your root user if you haven't tried that yet. If your webhost has CPanel installed, use File Manager to do this since you should be logged in as the root user by default. A root user can always modify any file or folder permissions.

I don't think he has host access, he just bought it from a web hosting provider.

Try this: completely nuke it (meaning delete everything!). It shouldn't regenerate if everything is removed. If it does come back for some odd reason try this, rename the .htaccess to something: I like pie. Also you might wanna change FTP info and cPanel info just to be safe so the hacker can't get into it and change things again.

Are you on a vps btw?
(2014-06-24, 09:42 PM)Ace700 Wrote: Try this: completely nuke it (meaning delete everything!). It shouldn't regenerate if everything is removed. If it does come back for some odd reason try this, rename the .htaccess to something: I like pie. Also you might wanna change FTP info and cPanel info just to be safe so the hacker can't get into it and change things again.

Are you on a vps btw?

You mean delete the folders above Public_html too?
Because I tried deleting everything inside it and it still doesn't go away.
(2014-06-25, 01:16 PM)pg001 Wrote:
(2014-06-24, 09:42 PM)Ace700 Wrote: Try this: completely nuke it (meaning delete everything!). It shouldn't regenerate if everything is removed. If it does come back for some odd reason try this, rename the .htaccess to something: I like pie. Also you might wanna change FTP info and cPanel info just to be safe so the hacker can't get into it and change things again.

Are you on a vps btw?

You mean delete the folders above Public_html too?
Because I tried deleting everything inside it and it still doesn't go away.

Delete like everything including the public_html folder. I'm assuming that's shared hosting. If it was a VPS it would have been /var/www

Who are you hosting with by the way?
It's a PHP web shell, I47, 100%, and they make a symlink, 100%. And you are on a VPS, or?
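A read-only triage of the symptoms described in this thread (an `.htaccess` and an unfamiliar `I47` folder under `uploads`, plus a `root` entry that leads back to the web root), as an added example that is not part of any post here. The sample tree and the file name `x.php` are constructed, and the `uploads` directory name and script extensions are assumptions to adjust for the actual site.

```python
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

def triage_webroot(webroot, upload_dirs=("uploads",)):
    """Return sorted (kind, relative_path, detail) findings; nothing is modified."""
    root = os.path.realpath(webroot)
    findings = []
    # followlinks=False: a link back to the web root must not send the walk in circles
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        in_uploads = top in upload_dirs
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                # Flag links that resolve to the web root itself or outside it
                if not target.startswith(root + os.sep):
                    findings.append(("suspicious-symlink", rel, target))
            elif in_uploads and name == ".htaccess":
                findings.append(("htaccess-in-uploads", rel, ""))
            elif in_uploads and name.lower().endswith(SCRIPT_EXTS):
                findings.append(("script-in-uploads", rel, ""))
    return sorted(findings)

def build_sample():
    """Constructed sample tree mirroring the layout described in the thread."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads", "I47"))
    os.makedirs(os.path.join(root, "uploads", "avatars"))
    for rel in ("index.php", "uploads/.htaccess", "uploads/I47/x.php",
                "uploads/avatars/a.png"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")
    # The "root" entry under I47 that leads back to the web root
    os.symlink(root, os.path.join(root, "uploads", "I47", "root"))
    return root

if __name__ == "__main__":
    for kind, rel, detail in triage_webroot(build_sample()):
        print(f"{kind:22} {rel} {detail}")
```

Each finding is something to review against a clean MyBB download, not proof of compromise. A flagged symlink is removed as a link (`os.unlink`), which leaves its target untouched.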
(2014-06-26, 12:00 PM)d0m Wrote: It's a PHP web shell, I47, 100%, and they make a symlink, 100%. And you are on a VPS, or?

I think it's shared hosting. If it is a php web shell is there any way to remove it?

Please and thanks.
(2014-06-26, 01:26 PM)pg001 Wrote:
(2014-06-26, 12:00 PM)d0m Wrote: It's a PHP web shell, I47, 100%, and they make a symlink, 100%. And you are on a VPS, or?

I think it's shared hosting. If it is a php web shell is there any way to remove it?

Please and thanks.

First, don't put all of your eggs in one basket, it's not necessarily a shell.

You should firstly look through your web server logs which are available in cPanel for download. You should check for access to any unknown files or suspicious files, if you don't think you've ever seen the file on a MyBB forum then check it, only look for PHP files as those are what get executed server-side. If you delete all of your files (check around for other files, too, in your cPanel storage, there may be other sites or something you didn't notice), and the 'shell'/hacker keeps compromising the site, it may be something wrong with the hosting provider, or it might just be him getting your passwords somehow. What host are you on?
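The log review suggested in the last post, as an added example that is not part of the original thread: it reads access-log lines in Apache combined format and counts successfully served requests for PHP files that are not on a known-good list. The log lines, IP addresses and the path `/uploads/I47/x.php` are constructed, and `KNOWN_PHP` is a small illustrative subset that would in practice be built from a clean MyBB download.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [time] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Small constructed subset; build the real set from a clean MyBB download
KNOWN_PHP = {"/index.php", "/showthread.php", "/member.php", "/newreply.php"}

# Constructed sample lines (documentation-range IP addresses)
SAMPLE = [
    '198.51.100.7 - - [24/Jun/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jun/2014:10:05:40 +0000] "POST /uploads/I47/x.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jun/2014:10:05:55 +0000] "POST /uploads/I47/x.php HTTP/1.1" 200 790 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2014:10:07:11 +0000] "GET /showthread.php?tid=4 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jun/2014:10:09:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
]

def unknown_php_hits(lines, known=KNOWN_PHP):
    """Count (path, method, ip) for 2xx PHP requests whose path is not in `known`."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = urlsplit(m["url"]).path  # drop the query string before comparing
        if not path.lower().endswith(".php") or path in known:
            continue
        if not m["status"].startswith("2"):
            continue  # 404s are requests for files that do not exist on disk
        hits[(path, m["method"], m["ip"])] += 1
    return hits

if __name__ == "__main__":
    for (path, method, ip), n in unknown_php_hits(SAMPLE).most_common():
        print(f"{n:4} {method:5} {path} from {ip}")
```

The paths it reports are the files to inspect on disk first, and the source addresses and timestamps in the matching lines help bound when the access started.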