MyBB Community Forums

Full Version: Nature of GitHub hack attack?
(2014-11-16, 03:03 PM)mikeh Wrote: To know if you were actually affected, visit Admin CP -> Tools and Maintenance -> Administrator Logs. If you see that you have downloaded a backup of the current database within this timespan: 14th November 23:00 GMT to 15th November 15:30 GMT, it will show that an admin with your IP downloaded the backup of the database; but if you didn't actually do it, then your forum's database was seized.

Thank you for this, mikeh. I've just checked and one of my forums has shown the above, but it was not between the 14th and 15th; it was today, at the time I went to check my backups. So is it possible there is more to this problem than you think? It is stated as 14th to 15th in the blog post, but it happened to me today, and it certainly wasn't me that downloaded the backup.

Can I also ask how it is possible that this could happen, and what steps we can take from our side to not let this happen again?

@Shemo said to avoid uploading the backupdb.php file; could someone clarify what this actually does, in simple terms? If I remove it, will I no longer be able to make backups?

It's unfortunate for Pirata Nervo and he has apologised, but I feel it should be looked into a little further to try to find a way of avoiding this in the future, as I find it odd and disappointing that getting access to one person's account on GitHub could in theory end up with every MyBB forum out there being compromised.

Thank You.
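The check mikeh describes, as an added example that is not from this thread or from MyBB itself: a small script over constructed admin-log entries that flags backup actions the admin does not recognise as their own, separating those inside the published window from those outside it (sarisisop's case). The log layout and the module/action names are assumptions, not MyBB's real schema.

```python
"""Flag database-backup actions in an admin log that the admin did not make.
The window is the one mikeh gave: 14 Nov 2014 23:00 GMT to 15 Nov 2014 15:30 GMT.
Log entries below are constructed to resemble ACP Administrator Logs rows;
the module/action names are assumed, not MyBB's actual values."""
from datetime import datetime, timezone

WINDOW_START = datetime(2014, 11, 14, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 11, 15, 15, 30, tzinfo=timezone.utc)

# Constructed entries: (timestamp UTC, admin, ip, module, action)
SAMPLE_LOG = [
    ("2014-11-14 10:12:00", "sarisisop", "203.0.113.5", "tools-backupdb", "backup"),
    ("2014-11-15 02:41:00", "sarisisop", "203.0.113.5", "tools-backupdb", "backup"),
    ("2014-11-15 02:41:10", "sarisisop", "203.0.113.5", "tools-backupdb", "download"),
    ("2014-11-16 15:05:00", "sarisisop", "203.0.113.5", "tools-backupdb", "download"),
    ("2014-11-16 15:06:00", "sarisisop", "203.0.113.5", "config-settings", "change"),
]


def flag_backup_actions(entries, recognised):
    """Return backup-module entries whose timestamp is not in `recognised`
    (the backups the admin remembers making). The IP is not useful here:
    the admin's own browser issued the request, so it matches their IP.
    Each flagged entry says whether it falls inside the published window."""
    flagged = []
    for ts, admin, ip, module, action in entries:
        if module != "tools-backupdb" or ts in recognised:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if WINDOW_START <= when <= WINDOW_END:
            reason = "inside published window"
        else:
            reason = "outside published window, still unexplained"
        flagged.append({"time": ts, "admin": admin, "ip": ip,
                        "action": action, "reason": reason})
    return flagged


def is_affected(entries, recognised):
    """Affected means a backup was downloaded that the admin did not perform."""
    return any(e["action"] == "download"
               for e in flag_backup_actions(entries, recognised))


if __name__ == "__main__":
    own = {"2014-11-14 10:12:00"}
    for entry in flag_backup_actions(SAMPLE_LOG, own):
        print(entry)
    print("affected:", is_affected(SAMPLE_LOG, own))
```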
(2014-11-16, 04:04 PM)sarisisop Wrote: Can I also ask how it is possible that this could happen, and what steps we can take from our side to not let this happen again?
Hopefully the next MyBB release will contain a fix for the XSS possibility: https://github.com/mybb/mybb/issues/1617.

Quote: @Shemo said to avoid uploading the backupdb.php file; could someone clarify what this actually does, in simple terms? If I remove it, will I no longer be able to make backups?
Yes. The malicious script was using the built-in mechanism to create and download the copy of the database.

Quote: It's unfortunate for Pirata Nervo and he has apologised, but I feel it should be looked into a little further to try to find a way of avoiding this in the future, as I find it odd and disappointing that getting access to one person's account on GitHub could in theory end up with every MyBB forum out there being compromised.
MyBB should not allow code from unsafe sources to be executed in the first place.
Pirata Nervo Wrote:I’ve already enabled 2 Factor Authentication on my GitHub account and changed my password.
(2014-11-16, 03:03 PM)mikeh Wrote: The info on this page is wrong: http://blog.mybb.com/2014/11/15/github-a...mpromised/

Quote: To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Database Backups.

To know if you were actually affected, visit Admin CP -> Tools and Maintenance -> Administrator Logs. If you see that you have downloaded a backup of the current database within this timespan: 14th November 23:00 GMT to 15th November 15:30 GMT, it will show that an admin with your IP downloaded the backup of the database; but if you didn't actually do it, then your forum's database was seized.

I've just corrected the blog post, thank you.

(2014-11-16, 04:04 PM)sarisisop Wrote:
(2014-11-16, 03:03 PM)mikeh Wrote: To know if you were actually affected, visit Admin CP -> Tools and Maintenance -> Administrator Logs. If you see that you have downloaded a backup of the current database within this timespan: 14th November 23:00 GMT to 15th November 15:30 GMT, it will show that an admin with your IP downloaded the backup of the database; but if you didn't actually do it, then your forum's database was seized.

Thank you for this, mikeh. I've just checked and one of my forums has shown the above, but it was not between the 14th and 15th; it was today, at the time I went to check my backups. So is it possible there is more to this problem than you think? It is stated as 14th to 15th in the blog post, but it happened to me today, and it certainly wasn't me that downloaded the backup.

Can I also ask how it is possible that this could happen, and what steps we can take from our side to not let this happen again?

@Shemo said to avoid uploading the backupdb.php file; could someone clarify what this actually does, in simple terms? If I remove it, will I no longer be able to make backups?

It's unfortunate for Pirata Nervo and he has apologised, but I feel it should be looked into a little further to try to find a way of avoiding this in the future, as I find it odd and disappointing that getting access to one person's account on GitHub could in theory end up with every MyBB forum out there being compromised.

Thank You.

All team members with access to GH have, I believe, gone through their GH security logs (just as I did) to look for suspicious activity. I was the only one attacked, so I went through all my commits between the time of the attacker's login and the time I activated 2FA and revoked the attacker's access on GH.

The attack could only be made within the time I mentioned in the blog article, as far as I know. This, of course, required you to clear your cookies so that the attacker could not use the same cookies to log in to your forum.

MyBB 1.8.3 will have this issue addressed so that if remote code gets compromised, MyBB forums do not; this should have been like this from the start, and a mistake made by someone has had a big cost now. In the meantime, all team members have activated 2FA on GH to enhance security.
(2014-11-16, 04:48 PM)Pirata Nervo Wrote: The attack could only be made within the time I mentioned in the blog article, as far as I know. This, of course, required you to clear your cookies so that the attacker could not use the same cookies to log in to your forum.

Sorry, I didn't read the bit about cookies; I will sort it now.

So, just for clarification, this isn't something we should be too concerned about, and it is now sorted. Yes?
As far as I know, yes. I've been tracking GH over the past hours and no suspicious activity has been found yet (I've been running scans on my laptop just in case as well). We believe the issue is fixed, but of course, if a developer account gets compromised, this can happen again (hence why we activated 2FA for all accounts and we're considering doing the same here on the forums).
(2014-11-16, 04:57 PM)Pirata Nervo Wrote: As far as I know, yes. I've been tracking GH over the past hours and no suspicious activity has been found yet (I've been running scans on my laptop just in case as well). We believe the issue is fixed, but of course, if a developer account gets compromised, this can happen again (hence why we activated 2FA for all accounts and we're considering doing the same here on the forums).

OK, thank you. I'll leave you to your work. :)
Logs show my database has been downloaded

But I have htpasswd protection on the admin directory. Am I affected?

Can the remote host bypass htpasswd authentication?

// sorry for my English
You are affected because it's you who actually performs the download! The attack consists of running JS to generate the backup and send it to a certain remote server.
(2014-11-16, 05:45 PM)Forevermybb Wrote: Can the remote host bypass htpasswd authentication?

They don't have to, since by using JavaScript, they made your own browser execute the database down- and upload.
Is there a way that the database can't be generated from the admin panel, if that will prevent such a thing from happening in future? I would rather take backups from cPanel.