MyBB Community Forums

Full Version: [IMPORTANT] GitHub Account Attack
It's also worth noting that whilst the download may have been started and logged in the ACP, it has to download to your machine, then upload to another server. Both of these actions take time (the amount of time depends on the size of the database and backup). It's entirely possible your database never finished downloading or uploading, but there's no way of knowing for sure.
(2014-11-18, 03:29 PM)Maechlis Wrote: UPD: I read in the parallel thread that the malicious code has been removed from its URL, so now it does not matter whether the recommendations are corrected or not.

Actually it does, because the malicious code might still reside (and probably does) in forums' cache, the ACP is still vulnerable to XSS attacks and the MyBB Team does not have control over that particular address (it's a third party server), so it had better be corrected.
(2014-11-18, 03:29 PM)Maechlis Wrote:
(2014-11-18, 11:22 AM)Pirata Nervo Wrote: And I recommended people to go to the ACP because I either recommended them to go there and rebuild their cache or I'd tell them to open up PHPMyAdmin, go to the datacache table and empty the update_check entry. I'm sure most of the users would complain - as always, people will complain if you say X and people will complain if you say Y.

Strange. I wonder why the MyBB staff fails to understand that the current recommendation in the blog post forces at least some admins to themselves trigger the malicious download of their database, given that there's that cache problem in place.


Take my example (sorry!) once again. We know that my DB was not stolen during 14-15th (because I was not in my ACP those days). Very well.

The problem has been fixed on the GitHub side since then. So the reasonable outcome would be that after 15th I would be safe against the problem, if following your recommendations.

Now, the actual outcome was that I did follow your recommendations and thus got my DB stolen yesterday - this exclusively because the recommendations were incomplete: they did not take that cache issue into account.

OK, what's done is done, we discussed the matter yesterday and realized that it was the cache issue that led to that unfortunate result.

But why do you not correct your recommendations to account for that cache issue? Why are you still actually recommending people: "Go to your ACP and trigger your own DB to be stolen" ???

I think the recommendations should be corrected asap.

UPD: I read in the parallel thread that the malicious code has been removed from its URL, so now it does not matter whether the recommendations are corrected or not.

Anyway, please excuse me, but they were poorly and inadequately engineered. If I did not follow them yesterday, I would not have been compromised. Security should be in the first place, all possible "user inconvenience" of going into phpmyadmin should be in the second.

Those guys might have been millionaires by now if they had prepared a bit better for this attack and ventured to download complete databases, not just the "users" table. Thank God that attackers have limited aspirations.

Thank you for your input, I'd appreciate if you could provide us information on how you'd do it. Perhaps we'll act more accordingly if something of this scale happens again (hopefully not).
(2014-11-17, 02:12 PM)Pirata Nervo Wrote: In theory, yes. But you need to check your admin logs. If no backups were made by you without actually making them yourself, you're safe.

So this is 100% accurate? If so, I'd like to share something I've been using that I hope will help out other Administrators:

Create a .htaccess in your Admin CP folder, and put this inside
# Restrict the ACP tool scripts (backup, optimize, tasks, logs, cache, recount) to listed IPs only
<FilesMatch "backupdb.php|optimizedb.php|tasks.php|maillogs.php|mailerrors.php|file_verification.php|cache.php|recount_rebuild.php">
    order deny,allow
    deny from all

    # List all your own IP addresses:
    allow from 127.0.0.1
    # Obviously you want to replace the above line with your own; allow entire ISP ranges if you must.

    # Send blocked or missing requests back to the forum index
    ErrorDocument 403 http://YOURWEBSITE.com/index.php
    ErrorDocument 404 http://YOURWEBSITE.com/index.php
</FilesMatch>

Most hackers are proxying. By limiting certain functions, such as the Database tools, to only your ISP service, you're narrowing down who has the ability to access these tools.

Unfortunately they can still deface your site through the templates, unless you block out your Admin CP entirely based on the IPs.

I'm not really sure if this helps, but there's no log showing someone else created a backup on mine. I think we should be all for extra layers of security anyway.
That wouldn't protect you because it's you who makes the backup. That's the point of XSS.
I wasn't sure, but that at least helps in an incident if the account was hijacked, and they weren't going through XSS.

But I think I'm safe; the last backup on the log was in early October.
(2014-11-18, 11:22 AM)Pirata Nervo Wrote: Please read here: http://community.mybb.com/thread-162862-page-5.html

Yes, you're safe. And I recommended people to go to the ACP because I either recommended them to go there and rebuild their cache or I'd tell them to open up PHPMyAdmin, go to the datacache table and empty the update_check entry. I'm sure most of the users would complain - as always, people will complain if you say X and people will complain if you say Y.

Okay, I'm not trying to complain, but trying to explain what the original user was trying to ask, which wasn't being understood. It seemed a legitimate question... Why recommend logging into the ACP if that's actually what triggers the attack?

Anyways, I'm astounded by all the work that is done by MyBB staff for free. I, for one, think some way should be found to monetize MyBB, similar to how PrestaShop does it (make money off commission of plugin sales). Some would balk at the idea, but it would draw more quality plugin developers and a bigger variety of plugins, and ensure they keep plugins updated due to monetary concerns (e.g., if the plugin isn't updated for the most recent version of MyBB, no one will buy it). I do however think there should be some type of ceiling on price. Some of the PrestaShop module prices are absolutely ridiculous.
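The manual alternative quoted above (open phpMyAdmin, find the datacache table, empty the update_check entry) is the step an admin would take before the cached content is rendered by the ACP again. The following is an added example, not code from the thread or from the MyBB project: it scans constructed (title, cache) rows for injected markup or references to hosts other than mybb.com (the only host assumed trusted here) and builds the parameterised UPDATE that empties a flagged entry.

```python
import re
from urllib.parse import urlsplit

# Constructed, simplified stand-ins for rows of a MyBB `datacache` table
# (title, cache). The script tag and host are placeholders, not the real
# payload or server from the 2014 incident.
SAMPLE_ROWS = [
    ("version", 'a:1:{s:7:"version";s:5:"1.8.2";}'),
    ("update_check",
     'a:2:{s:14:"latest_version";s:5:"1.8.3";'
     's:4:"news";s:60:"<script src="http://EVIL-EXAMPLE.invalid/x.js"></script>";}'),
]

# Markup that has no business inside cached update/news data
SUSPICIOUS = re.compile(r"<\s*(script|iframe|img)\b|javascript:|\bon\w+\s*=", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumption: the update check should only ever reference mybb.com
TRUSTED_HOSTS = ("mybb.com",)


def is_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def scan_cache(rows):
    """Return (title, reason) for every cache row that looks injected."""
    findings = []
    for title, blob in rows:
        if SUSPICIOUS.search(blob):
            findings.append((title, "active markup in cached data"))
        for url in URL.findall(blob):
            host = urlsplit(url).hostname or ""
            if not is_trusted(host):
                findings.append((title, f"reference to untrusted host {host}"))
    return findings


def clear_entry_sql(title, table_prefix="mybb_"):
    """Parameterised UPDATE that empties one datacache row, the thread's
    manual alternative to rebuilding the cache from inside the ACP."""
    if not re.fullmatch(r"[a-z_]+", title) or not re.fullmatch(r"[a-z0-9_]*", table_prefix):
        raise ValueError("unexpected table prefix or cache title")
    return (f"UPDATE {table_prefix}datacache SET cache = '' WHERE title = %s", (title,))


if __name__ == "__main__":
    for title, reason in scan_cache(SAMPLE_ROWS):
        print(f"{title}: {reason}")
        print("  ->", clear_entry_sql(title))
```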
Could we please institute some bare minimum notification for these major security issues? I just learned about this last night, and my forum (with around 400 users) was hit 3 times by this incident. If it weren't for a friend who also operates a MyBB board, I would not have known about this exploit for God knows how long. I only check the MyBB website when the ACP alerts me that there's an update available.

Even something like sending a mass e-mail to all registered users here would have been very welcome.
There are several ways to keep up-to-date:

- Recent news in the ACP (unfortunately, the medium this attack targeted)
- Twitter
- The official blog
- Announcements at the top of this forum's index

Sending a mass mail may be possible, but there are several thousand members to whom the mail would need sending. It's something the team would need to discuss.
Some kind of mailing list should be done/email alert when a new release occurs.
Was lucky to see it pop up in my Facebook feed.