MyBB Community Forums

Full Version: Nature of GitHub hack attack?
(2014-11-17, 06:37 AM)mmadhankumar Wrote: [ -> ]maybe there should be an authentication block before executing any script requests, just like a gatekeeper....

Perhaps MyBB could implement CSP headers throughout the ACP to prevent external scripts/assets being loaded by default. Sure, something like this is unlikely to happen again but it would remove the possibility of it or anything similar being able to happen.

Content-Security-Policy: script-src 'self' $cdnurl; connect-src 'none'; frame-src 'self'; object-src 'none';
(2014-11-17, 07:25 AM)Biscuit1001 Wrote: [ -> ]The log entries, claiming a database backup has been downloaded, are still happening as of 1:37pm this afternoon (11/16/14). The admin changed her password and cleared her cookies at 8am, 5.5 hours prior.

So, the "we fixed it as of 11/15 and all you need to do is change passwords and clear cookies" suggestion doesn't appear to be working.

Try to run the version check again to restore the updated files and check...
(2014-11-17, 07:39 AM)Cameron:D Wrote: [ -> ]prevent external scripts/assets being loaded by default.

It probably wouldn't have helped. It wasn't an external script; the 'external' part was handled by PHP; in the HTML output the JavaScript was local...

(2014-11-17, 07:25 AM)Biscuit1001 Wrote: [ -> ]The log entries, claiming a database backup has been downloaded, are still happening as of 1:37pm this afternoon (11/16/14).

So it's probably in the update_check cache... ouch.

Disable JavaScript in your browser, go to ACP->Tools->Cache->update_check. It should look something like this:

Array
(
    [last_check] => 1416085808
    [latest_version] => <span style="color: #C00;"><strong>1.8.2</strong> (1802)</span>
    [latest_version_code] => 1802
)

If there's <script></script> in there, rebuild that cache, then re-run version check... then go back to the cache manager and check if the <script> part is still there. If it's still there, there may be some other caching involved.
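
Added example, not part of frostschutz's post and not MyBB code: the manual check described above, written as a PHP function over the update_check entry. It goes beyond the `<script>` case to flag any tag other than the span/strong pair seen in the clean dump; the function name, the allow-list and the sample entries are assumptions, and loading the entry from the board is left out.

```php
<?php
// Added example, not MyBB code. Field names come from the dump in the post;
// the rules and the allow-list below are assumptions made for illustration.
const ALLOWED_TAGS = ['span', 'strong'];   // the only tags in the clean dump

function audit_update_check(array $entry): array
{
    $findings = [];
    // The two counters are plain integers in a clean entry.
    foreach (['last_check', 'latest_version_code'] as $key) {
        $value = (string)($entry[$key] ?? '');
        if (preg_match('/^[0-9]+\z/', $value) !== 1) {
            $findings[] = "$key is not a plain integer";
        }
    }
    // Any field can carry markup once the cached data is tampered with: scan all.
    foreach ($entry as $key => $value) {
        $value = (string)$value;
        preg_match_all('/<\s*\/?\s*([a-z][a-z0-9]*)/i', $value, $m);
        foreach (array_unique(array_map('strtolower', $m[1])) as $tag) {
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $findings[] = "$key contains unexpected <$tag> tag";
            }
        }
        // Inline event handlers and javascript: URLs run script without <script>.
        if (preg_match('/\son[a-z]+\s*=|javascript\s*:/i', $value)) {
            $findings[] = "$key contains an inline handler or javascript: URL";
        }
    }
    return $findings;
}

// Constructed samples: the clean entry from the post, and one with a script element.
$clean = [
    'last_check' => 1416085808,
    'latest_version' => '<span style="color: #C00;"><strong>1.8.2</strong> (1802)</span>',
    'latest_version_code' => 1802,
];
$tampered = $clean;
$tampered['latest_version'] .= '<script>/* constructed */</script>';

foreach (['clean' => $clean, 'tampered' => $tampered] as $label => $entry) {
    $findings = audit_update_check($entry);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```

Any finding means the cached entry should be rebuilt and then checked again, as the post describes.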
frostschutz is right. If it got cached during that time, it may still be running. @Biscuit1001 could you please let us know if that data got cached for you? I've updated the blog post with that anyway just in case.
MyBB 1.6 has the update_check cache too.
Thanks frostschutz, I was not able to check the code at that time.
(2014-11-17, 08:32 AM)frostschutz Wrote: [ -> ]
(2014-11-17, 07:25 AM)Biscuit1001 Wrote: [ -> ]The log entries, claiming a database backup has been downloaded, are still happening as of 1:37pm this afternoon (11/16/14).

So it's probably in the update_check cache... ouch.

Disable JavaScript in your browser, go to ACP->Tools->Cache->update_check. It should look something like this:


Array
(
    [last_check] => 1416085808
    [latest_version] => <span style="color: #C00;"><strong>1.8.2</strong> (1802)</span>
    [latest_version_code] => 1802
)

If there's <script></script> in there, rebuild that cache, then re-run version check... then go back to the cache manager and check if the <script> part is still there. If it's still there, there may be some other caching involved.

The forum admin did that this morning just before 9am. No more errant log entries since 1:37pm yesterday. So it seems to have worked, and yet I wonder if something else stopped it, because of the huge time gap? The downloads/attempted downloads were happening sporadically yet at times every 1-5 minutes.

Btw, we're still on 1.6.15. I was waiting for the new version "bug shake out" before upgrading. I saw there was a security release for 1.8.x this morning. Will there be a patch for 1.6.x also? I would guess there's a lot of forums still on 1.6.x

And thank you so much for your help.

(2014-11-17, 11:05 AM)Pirata Nervo Wrote: [ -> ]frostschutz is right. If it got cached during that time, it may still be running. @Biscuit1001 could you please let us know if that data got cached for you? I've updated the blog post with that anyway just in case.

Thank you, that may have done it. The forum admin saw your blog post and rebuilt the cache, and so far so good. Though I'm a little hesitant to attribute one to the other, since the last malicious log entry happened at 1:37pm yesterday/Sunday, and the cache was rebuilt at 8:53am this morning/Monday.

Also, I saw there was a security release for 1.8.x this morning. Will there be the same for 1.6.x? There really should be.

Thank you for all your help.
MyBB 1.8.2 has nothing to do with this (it was released before the attack happened). As stated in the announcement the issues don't affect 1.6.x.
(2014-11-17, 07:01 PM)StefanT Wrote: [ -> ]MyBB 1.8.2 has nothing to do with this (it was released before the attack happened). As stated in the announcement the issues don't affect 1.6.x.

Thank you for clarifying (I haven't seen the announcement yet, only saw Installatron's notice). I did think that was incredibly fast to release a patch!
The attack is now fully terminated

We've contacted the attacking website and they have taken down the malicious script. Apparently someone was taking advantage of them too. Unfortunately we didn't contact them sooner to stop even more progress.

All boards that are still affected by the malicious code should not be in any harm anymore because the script has been removed. However, we still advise you to follow the procedure we posted on the blog article.