MyBB Community Forums

Full Version: Nature of GitHub hack attack?
(2014-11-16, 06:09 PM)new1 Wrote: [ -> ]Is there a way that the database can't be generated from the admin panel, if that will prevent such a thing from happening in future? I would rather take a backup from cPanel.


Add
die("backups disable");
after the PHP tags in backupdb.php
As Shemo mentioned, you can remove the admin/modules/tools/backupdb.php file.
Forgot to mention, on one of my forums I noticed that there was even a backup taken today as well. I just deleted the forum; that forum was not even growing anyway.
(2014-11-16, 04:04 PM)sarisisop Wrote: [ -> ]
(2014-11-16, 03:03 PM)mikeh Wrote: [ -> ]To know if you were actually affected, visit Admin CP -> Tools and Maintenance -> Administrator Logs and see if you have downloaded a backup of the current database within this timespan: 14th November 23:00 GMT to 15th November 15:30 GMT. It will show that an admin with your IP downloaded the backup of the database, but if you didn't actually do it, then your forum's database was seized.

Thank you for this, mikeh. I've just checked and one of my forums has shown the above, but it was not between the 14 - 15, it was today and at the time I went to check my backups. So is it possible there is more to this problem than you think, as it is stated 14th - 15th in the blog post but it happened to me today, and it certainly wasn't me that downloaded the backup?

Can I also ask how it is possible that this could happen, and what steps we can take from our side on not letting this happen again?

@Shemo said avoid uploading the backupdb.php file; could someone clarify what this actually does in simple terms? If I remove it, will I no longer be able to make backups?

It's unfortunate for Pirata Nervo and he has apologised, but I feel it should be looked into a little further to try and find a way of avoiding this in the future, as I find it odd and disappointing that getting access to one person's account on GitHub could in theory end up with every MyBB forum out there being compromised.

Thank You.

Rather than creating backups through the MyBB Admin CP, you could run backups in phpMyAdmin or directly through MySQL itself.
The script could have done almost anything in the ACP since it bypassed all protections. Therefore, blocking the backup tool neither helps against such attacks (unless it's identical, which is unlikely) nor really secures the forum.
In the admin control panel on the entry page is a news feature. I assume that info is pushed from mybb.com. Maybe that should be discontinued.
I'm quite surprised this hasn't gotten a lot of attention. Any particular reason why?
(2014-11-16, 11:08 PM)Andrew B. Wrote: [ -> ]Maybe that should be discontinued.

It should be implemented in a way so that it can not technically cause any harm.

Dumbing down the ACP is not the way to go.
Maybe there should be an authentication block before executing any script requests, just like a gatekeeper....
The log entries, claiming a database backup has been downloaded, are still happening as of 1:37pm this afternoon (11/16/14). The admin changed her password and cleared her cookies at 8am, 5.5 hours prior.

So, the "we fixed it as of 11/15 and all you need to do is change passwords and clear cookies" suggestion doesn't appear to be working.
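
The Administrator Logs check described in the thread, as an added example that is not part of any post or of MyBB's own code: it classifies backup-tool entries against the 14th November 23:00 GMT to 15th November 15:30 GMT window and also surfaces entries after it, as reported above. The CSV column names, the module name `tools-backupdb`, the action values and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Window stated in the thread, in GMT.
WINDOW_START = datetime(2014, 11, 14, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 11, 15, 15, 30, tzinfo=timezone.utc)

# Constructed sample export of an admin log. Column names, module names and
# action values are assumptions, not taken from the thread.
SAMPLE_CSV = """dateline,uid,ipaddress,module,action
1415960000,1,203.0.113.7,config-settings,change
1416009600,1,203.0.113.7,tools-backupdb,dlbackup
1416144600,1,203.0.113.7,tools-backupdb,dlbackup
1415800000,1,203.0.113.7,tools-backupdb,backup
"""


def backup_events(csv_text, module="tools-backupdb"):
    """Return sorted (utc_time, ip, action, verdict) for each backup-tool entry.

    The logged IP is not used for filtering: per the thread, malicious entries
    appear under the admin's own IP, so each listed entry has to be confirmed
    or denied by the admin who supposedly made it.
    """
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["module"] != module:
            continue
        # Unix timestamps are converted explicitly to UTC so the comparison
        # does not depend on the server's or the reviewer's local time zone.
        when = datetime.fromtimestamp(int(row["dateline"]), tz=timezone.utc)
        if when < WINDOW_START:
            verdict = "before_window"
        elif when <= WINDOW_END:
            verdict = "in_window"
        else:
            verdict = "after_window"  # the thread reports these as well
        events.append((when.isoformat(), row["ipaddress"], row["action"], verdict))
    return sorted(events)


if __name__ == "__main__":
    for when, ip, action, verdict in backup_events(SAMPLE_CSV):
        print(f"{when}  {ip:<15}  {action:<9}  {verdict}")
```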