MyBB Community Forums

Full Version: Nature of GitHub hack attack?
Could we get some clarification on the nature of the GitHub hack problem?

It sounds as if the very act of logging into the AdminCP during the mentioned time span would have left one open to some sort of attack.

Is this correct?

It sounds also as if the nature of the attack is that someone could obtain a copy of the database by causing a backup to be created.

Is this correct?

Having created such a backup, is it the case that such an attacker could also receive the copy of the backup? If so, by what means?

Is it clear that such a copy would necessarily be left on the server or could the attacker have deleted it?

How would the admin logs appear after such a copy was made? Would it carry the name of an administrator? Or the "0" user? Or would there even be a log entry?

In our case we were active as AdminCP during the stated hours and we made a backup copy ourselves during this time period. We see only one which matches our admin log. May we conclude we were not attacked?

If we were attacked does that mean that all data (content, passwords, etc) may have been copied?

Thanks!
MyBB grabs data from mybb.com, trusts it and prints it out without checks or escapes. That allowed JavaScript to be inserted. Said JavaScript made your browser download your mybb_users table and upload it to a remote site. The log entry for that backup would have been made in your name (xyz downloaded the current database).

The method used wasn't terribly efficient, since down- and upload would take some time (depending on number of registered users and your internet speed). There's a chance the process would've been cancelled if you didn't let it sit at the ACP index / version check but continued on to a different page (like settings or plugins or whatever you actually wanted to do when going in the ACP).

This is just guesswork but this hack feels like it was done for demonstration purposes, rather than doing real harm. The site it was sent to seems to belong to a well-known hacker, the attack vector was visible (at least, to anyone following commits on GitHub), and the possibilities it offered were endless (they could have deleted your database and all backup files, or encrypted everything and demanded ransom, that kind of thing) so that they went for the users table seems quite harmless in comparison...

Of course that's just how it appeared to me after it was already discovered; the site that served the javascript is dynamic so it's entirely possible it served a different bit of JavaScript to someone else, so it could have targeted specific sites in a different manner.

If affected, admins and moderators should change their passwords, users should be advised to do the same, and for those who don't you should change the loginkeys in the users table. Something like this query: (haven't tested it)

UPDATE mybb_users SET loginkey='';

That relies on MyBB generating a new loginkey on the next login. If paranoid you could set something random yourself:

UPDATE mybb_users SET loginkey=SHA1(CONCAT(RAND(),UUID(),loginkey));

Either one should force everyone to re-login and make the old loginkeys in the stolen database useless. And bruteforcing the passwords hopefully should take a bit of time, since they're salted.
Thank you that clarifies things quite well.

To note:

There was no indication in the backup copies since none was retained on the server. We did see that a backup copy was downloaded which was NOT left on the server. That was evident from the Administrator's Log entry rather than from the backup copy list. I infer that our mybb_user table was copied.

I have used (successfully) your recommended key clearing method (the first one listed).

It does seem concerning that anything is pulled from off-site and then trusted to perform administrator functions. That makes our security always limited to that of the off-site location. 

Thanks again.
does this hack rely on the backupdb.php file existing on the server? if so, I avoid uploading the backupdb.php file whenever it is included in an update.
I hope they are working on it.
(2014-11-16, 08:00 AM)Michael2014 Wrote: I hope they are working on it.

It's been already fixed... the commits which were made by the hackers have been reverted back....
The loginkeys should be regenerated anyway for all the administrators, as they were sent along with the board address two times (http://pastebin.com/3gef4RRd).
(2014-11-16, 07:59 AM)Shemo Wrote: does this hack rely on the backupdb.php file existing on the server? if so, I avoid uploading the backupdb.php file whenever it is included in an update.
If that was not present in your server, it wouldn't work for them.

(2014-11-16, 01:41 AM)frostschutz Wrote: MyBB grabs data from mybb.com, trusts it and prints it out without checks or escapes. That allowed JavaScript to be inserted. Said JavaScript made your browser download your mybb_users table and upload it to a remote site. The log entry for that backup would have been made in your name (xyz downloaded the current database).

The method used wasn't terribly efficient, since down- and upload would take some time (depending on number of registered users and your internet speed). There's a chance the process would've been cancelled if you didn't let it sit at the ACP index / version check but continued on to a different page (like settings or plugins or whatever you actually wanted to do when going in the ACP).

This is just guesswork but this hack feels like it was done for demonstration purposes, rather than doing real harm. The site it was sent to seems to belong to a well-known hacker, the attack vector was visible (at least, to anyone following commits on GitHub), and the possibilities it offered were endless (they could have deleted your database and all backup files, or encrypted everything and demanded ransom, that kind of thing) so that they went for the users table seems quite harmless in comparison...

Of course that's just how it appeared to me after it was already discovered; the site that served the javascript is dynamic so it's entirely possible it served a different bit of JavaScript to someone else, so it could have targeted specific sites in a different manner.

If affected, admins and moderators should change their passwords, users should be advised to do the same, and for those who don't you should change the loginkeys in the users table. Something like this query: (haven't tested it)

UPDATE mybb_users SET loginkey='';

That relies on MyBB generating a new loginkey on the next login. If paranoid you could set something random yourself:

UPDATE mybb_users SET loginkey=SHA1(CONCAT(RAND(),UUID(),loginkey));

Either one should force everyone to re-login and make the old loginkeys in the stolen database useless. And bruteforcing the passwords hopefully should take a bit of time, since they're salted.

At time of detection they were only making database backups and I haven't heard of anyone having their whole forum destroyed, so I definitely hope that was it... I feel embarrassed enough already. Afterwards I noticed they changed it to sending cookies only, but they quickly switched back again afterwards.

Once again, my apologies to everyone that had problems due to this.
The info on this page is wrong: http://blog.mybb.com/2014/11/15/github-a...mpromised/

Quote: To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Database Backups.

To know if you were actually affected, visit Admin CP -> Tools and Maintenance -> Administrator Logs and check whether you have downloaded a backup of the current database within this timespan: 14th November 23:00 GMT to 15th November 15:30 GMT. It will show that an admin with your IP downloaded the backup of the database, but if you didn't actually do it, then your forum's database was seized.
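The check the blog post and the first reply describe (count the backup downloads logged in your name inside the window, then subtract the ones you actually performed) as an added example that is not part of the thread or of MyBB's code. The log field names, the "backup_download" action value and the sample entries are constructed assumptions for this example; the window itself is the one quoted above.

```python
from collections import Counter
from datetime import datetime, timezone


def ts(*parts) -> int:
    """Unix timestamp for a UTC wall-clock time (GMT in the blog post == UTC)."""
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp())


# Window quoted in the MyBB blog post: 14 Nov 23:00 GMT to 15 Nov 15:30 GMT.
WINDOW_START = ts(2014, 11, 14, 23, 0)
WINDOW_END = ts(2014, 11, 15, 15, 30)


def in_window(dateline: int) -> bool:
    """True if a log timestamp (assumed Unix epoch) falls inside the window."""
    return WINDOW_START <= dateline <= WINDOW_END


def unexplained_downloads(entries, confirmed_by_admin):
    """Per admin uid, backup downloads logged inside the window minus the
    number that admin confirms doing. The drive-by download is logged under
    the admin's own uid and IP, so only the count can give it away.
    entries: dicts with uid / ipaddress / dateline / action (assumed schema).
    confirmed_by_admin: {uid: downloads the admin remembers performing}.
    Returns {uid: count nobody owns up to}; empty dict means nothing unexplained."""
    seen = Counter(
        e["uid"] for e in entries
        if e["action"] == "backup_download" and in_window(e["dateline"])
    )
    return {
        uid: n - confirmed_by_admin.get(uid, 0)
        for uid, n in seen.items()
        if n > confirmed_by_admin.get(uid, 0)
    }


# Constructed sample log, not real data. uid 1 did one backup but two are
# logged two minutes apart; uid 2's second download is after the window.
SAMPLE_LOG = [
    {"uid": 1, "ipaddress": "203.0.113.5", "dateline": ts(2014, 11, 15, 10, 2), "action": "backup_download"},
    {"uid": 1, "ipaddress": "203.0.113.5", "dateline": ts(2014, 11, 15, 10, 3), "action": "settings_change"},
    {"uid": 1, "ipaddress": "203.0.113.5", "dateline": ts(2014, 11, 15, 10, 4), "action": "backup_download"},
    {"uid": 2, "ipaddress": "203.0.113.9", "dateline": ts(2014, 11, 15, 9, 30), "action": "backup_download"},
    {"uid": 2, "ipaddress": "203.0.113.9", "dateline": ts(2014, 11, 16, 9, 0), "action": "backup_download"},
]
ADMIN_CONFIRMED = {1: 1, 2: 1}

if __name__ == "__main__":
    print(unexplained_downloads(SAMPLE_LOG, ADMIN_CONFIRMED))  # {1: 1}
```

A non-empty result for a uid means that admin should assume the users table left the server and rotate passwords and loginkeys as described earlier in the thread.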
Oh, two of my forums were hacked then. I see the said things. So do I need to run this

UPDATE mybb_users SET loginkey='';

or UPDATE mybb_users SET loginkey=SHA1(CONCAT(RAND(),UUID(),loginkey));

SQL query in my databases?