MyBB Community Forums

Full Version: Hacked! Every forum's worst fear.
Hey gang,

So I was just browsing the community here, going about my daily business of finding new and interesting tidbits to read, (hey, browsing the community is serious studying) and lo and behold, I come across this thread:
"My forum has been hacked help
http://community.mybb.com/thread-162608.html"

Okay ouch, now that sucks, was my first thought, my second thought was, how do we stop these hackers from invading our forums so easily?

My third thought was, basically the same as my second thought but with a bit more judgement,
how did these *bleep *bleep hackers get into this poor fella's forum?

So it leads me to questions and more questions,
is MyBB an easy target for hackers? Does posting a link to your forum on this site make you a target for MyBB hackers? Or does MyBB have excellent security features that just need to be put into place?

I know that no website is unhackable but the hacker spook and shade (more like Beavis and Butt-Head)
seem to have a predatory knack for hacking MyBB because this isn't the first I've heard of them or him, or whatever.

Or was there more to the story, maybe there wasn't enough security set up on this guy's forum.
So, more questions again, like, what steps can a person take to secure their forum from these crappers, I mean hackers?

Now I've put hundreds of hours into my forum's development, well hundreds of hours because I'm not a pro developer, but I'm impressed with the results I'm getting.

Our forums are our children, in a way, (very needy but always a pleasure watching them grow)
and these hackers are the cavity creeps that cost us time, money and not to mention, a lot of pain.

So in closing, I must beg the question, how can we stop these hacknerds?
I've posted my link before when my forum was online, and it never got hacked. Why? Probably because I didn't add too many plugins, made sure my passwords were secure and different for each service/account and I monitored software/plugin updates religiously.

I think there's a lot more to the story. You'd be amazed how little some people know at the start of their career in managing a website.
(2014-11-10, 10:27 PM)Josh H. Wrote: [ -> ]I've posted my link before when my forum was online, and it never got hacked. Why? Probably because I didn't add too many plugins, made sure my passwords were secure and different for each service/account and I monitored software/plugin updates religiously.

I think there's a lot more to the story. You'd be amazed how little some people know at the start of their career in managing a website.

Exactly. I am a member of a few forums who still run MyBB 1.4.x 

It's pretty sad when you think about it...
There is no clear indication of how shade and spook have been hacking MyBB forums lately until one of the victims analyzes their situation and alerts the public. Hopefully one of these unfortunate souls will let the rest of us know how they got hacked. But from now on I don't think posting your forum here publicly is a good idea.
You just have to take the proper precautions.
(2014-11-11, 12:16 AM)mikeh Wrote: [ -> ]There is no clear indication of how shade and spook have been hacking MyBB forums lately until one of the victims analyzes their situation and alerts the public. Hopefully one of these unfortunate souls will let the rest of us know how they got hacked. But from now on I don't think posting your forum here publicly is a good idea.

I analyzed the above forum and it doesn't seem to have been a problem with MyBB.
(2014-11-11, 12:36 AM)Paul H. Wrote: [ -> ]
(2014-11-11, 12:16 AM)mikeh Wrote: [ -> ]There is no clear indication of how shade and spook have been hacking MyBB forums lately until one of the victims analyzes their situation and alerts the public. Hopefully one of these unfortunate souls will let the rest of us know how they got hacked. But from now on I don't think posting your forum here publicly is a good idea.

I analyzed the above forum and it doesn't seem to have been a problem with MyBB.
What was the problem?
(2014-11-11, 12:44 AM)mikeh Wrote: [ -> ]
(2014-11-11, 12:36 AM)Paul H. Wrote: [ -> ]
(2014-11-11, 12:16 AM)mikeh Wrote: [ -> ]There is no clear indication of how shade and spook have been hacking MyBB forums lately until one of the victims analyzes their situation and alerts the public. Hopefully one of these unfortunate souls will let the rest of us know how they got hacked. But from now on I don't think posting your forum here publicly is a good idea.

I analyzed the above forum and it doesn't seem to have been a problem with MyBB.
What was the problem?

An administrator account seemed to have been compromised, and from what I could tell it was not MyBB's fault.
In my opinion, the ACP PIN feature is brilliant because it is stored in the files rather than the database. A typical SQL injection hack (and in some cases, XSS as well) would not allow someone to gain access to the admin control panel unless they had access to the files to find the PIN. I'm not sure it would do any good for XSS in the situation that the admin is already logged into the admin CP though.

From what I had heard recently, one of the forums supposedly hacked by "shade and spook" was in fact hacked as a result of an admin's account being compromised. I've heard of multiple cases recently where people have hacked forums by convincing administrators to promote them as well. Of course that doesn't say much because these hackers could be anyone, but I honestly have a feeling that it's just a few amateurs around the community looking for easy targets (e.g. vulnerable plugins, outdated versions of MyBB, insecure accounts, etc.). Those who use the latest version of MyBB, avoid unreputable plugins, and secure their accounts aren't likely going to be as easily targeted.
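
An added check for the ACP PIN point in the post above (not written by any poster in this thread and not MyBB's own code): it reports whether a PIN is set in the config file and whether other local users can read that file. It assumes the PIN is the quoted value assigned to `$config['secret_pin']` in `inc/config.php`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a MyBB inc/config.php for the Admin CP secret PIN.
# Assumption: the PIN is a quoted string assigned to $config['secret_pin'].

# Print the length of the configured PIN (0 if empty or absent), never the PIN.
# Commented-out assignments are ignored; the last live assignment wins.
pin_length() {
    pin=$(sed -n "s/^[[:space:]]*\$config\['secret_pin'\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${#pin}"
}

# Exit status is a bit mask: 1 = no PIN set, 2 = file is world-readable.
# A missing or unreadable file returns 4.
audit_mybb_config() {
    cfg=$1
    status=0
    if [ ! -r "$cfg" ]; then
        echo "ERROR: cannot read $cfg"
        return 4
    fi
    if [ "$(pin_length "$cfg")" -eq 0 ]; then
        echo "FAIL: secret_pin is empty or missing"
        status=$((status + 1))
    fi
    # The PIN only helps while other accounts on the host cannot read the file.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "WARN: $cfg is readable by every local user"
        status=$((status + 2))
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: secret_pin is set and the file is not world-readable"
    fi
    return "$status"
}

# Constructed sample config (not taken from any real forum).
demo_dir=$(mktemp -d)
printf '%s\n' '<?php' "\$config['secret_pin'] = '';" > "$demo_dir/config.php"
chmod 644 "$demo_dir/config.php"
audit_mybb_config "$demo_dir/config.php" || echo "audit exit status: $?"
rm -rf "$demo_dir"
```

On a real install, call `audit_mybb_config` with the path to the forum's `inc/config.php`.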
I'm kind of frightened to be honest, I really don't know what to say right now after reading this thread and others.

Can it be possible that someone with Security Knowledge on MyBB share with us extra security measures so that we as Admins can put it in place just in case we're the next targets? Thanks!