MyBB Community Forums

Full Version: You've been hacked | Now what?
Greetings, denizens of MyBB.

After seeing many threads of "halp i've been hacked what to do", I'm going to make a general thread on what to do immediately after an attack, what kinds of attacks exist, and how to properly request help on this forum. This is not an all-encompassing 'how to protect against hackers' thread (but if you're looking for that, you can find it here), but rather how to directly respond to your site being attacked.


What kinds of attacks exist?

Generally, an attack against a MyBB platform will fall into one of several categories:
  • Denial of Service attack (most common)
  • MySQL Injection
  • XSS Exploiting
  • SSL Vulnerabilities
(there are a lot more than this, but these are the more common ones)

While MySQL injection and XSS exploiting are done directly via MyBB, SSL vulnerabilities and DDoS attacks are not. It is important to determine the type of attack when posting, which will be detailed soon.

Determining what is happening to you.


Each attack type will generally leave some symptoms.

Denial of Service: The website will be sluggish and unresponsive, usually for extended periods of time. It could just be an extended flow of users, so make sure you know what it is before responding to it. You will see a lot of random IPs in logs and cPanel if it is a Distributed Denial of Service attack, which is a Denial of Service attack perpetrated from multiple hosts/compromised systems.

A denial of service attack in no way will compromise system security. Think of it as a bunch of fat people trying to get through a revolving door; all it does is clog traffic up. Although it may be performed in conjunction with a more serious attack so as to confuse security.

Unfortunately, a denial of service attack has nothing to do with the MyBB software itself, so you are best off contacting your hosting provider for assistance or implementing a CDN service like CloudFlare.

MySQL Injection - SQL injection is usually perpetrated through plugins, as the code of these is less secure than MyBB itself. The most obvious way of detecting a SQL injection is if something that is possible through a MySQL query, but not directly through the website itself by a sanctioned activity, occurs; a good example would be a random user who just registered being set to the Administrator group. He can then use his newfound administrative powers to deface the board using templates.

XSS Exploits - This is increasingly common given exploits found in earlier versions of MyBB. XSS exploits typically hijack the session of a verified user (usually an admin), enabling the attacker to be logged in as them. This will be abhorrently obvious in admin logs, as you will see an administrator from a foreign IP performing admin actions; in recent times, this has been making a backup of the database and then defacing the website.

SSL Vulnerabilities - As with DoS/DDoS attacks, this has nothing to do with MyBB itself, but it is increasingly common. If you run HTTPS using SSL, you can be vulnerable to things like Heartbleed and POODLE attacks. This is something you need to clear with your webhost if you believe you are being attacked using either; things like the Heartbleed Checker and POODLE scanner will help you with these. It's worth noting you shouldn't be vulnerable if you are not using SSL encryption for HTTPS.


I've just been hit, now what?


First and foremost should be: secure your stuff. This means manually locking users out of your forum; the most direct way of doing this will be a password-protected directory, which you can set up via cPanel. Yes, you will disrupt normal service to users (if the attackers haven't already disrupted it), but it is crucial to ensure they can't perform any more damage.

Once the forum is secured, check admin logs. Both of the two issues that the software (in this case, MyBB) harbors are likely to leave logs if it's a major attack. Look for the following:
  • An individual not sanctioned as admin enacting admin commands
  • An admin enacting admin commands from a strange IP address
  • Any database download/template editing.

A MySQL injection attack (not all will leave traces if they just attack the database; however, if they deface the website it usually will) will usually promote a new user, the attacker, to admin. However, as discussed before, XSS attacks hijack the session key of an administrator already logged in, so the attacker will perform actions as that administrator.

Second off, Shut them out! There are typically a few ways to do this.

If you believe it's a MySQL attack:
  • Demote/ban the attacker (duh!)
  • Disable any insecure/new plugins. These are probably the cause of it.
  • Ensure the database has not been dumped (you will see something along the lines of "(User) has downloaded the database" in admin logs)
  • If it has, you should have all users, and especially admins, change passwords. Although double hashed and salted, these are in theory crackable. You also want to ensure that, if you left any information like FTP passwords or MySQL details on a private section of the forum, you change them, as the attacker can see them.
  • Restore the most recent database backup. They could have run queries to establish back-door admin accounts and so on that could come back to bite you.
  • Check for compromised templates (usually they will deface it using the built-in templates system). If it is compromised in any way, you are best off reinstalling the theme entirely, as they could have put backdoors in.
  • If you haven't, ensure you have installed the latest MyBB version. A lot of these exploits are in older versions and have been patched.
  • If you feel the attack is beyond your scope and want outside help, post on this forum with the information that will be covered below.

If you believe it is an XSS attack:

  • Demote/ban the admin that committed the acts. Yes, it was not him/her, but you need to verify his/her account is not compromised on a 3rd party program like Skype.
  • Ensure the database has not been dumped (you will see something along the lines of "(User) has downloaded the database" in admin logs)
  • If it has, you should have all users, and especially admins, change passwords. Although double hashed and salted, these are in theory crackable. You also want to ensure that, if you left any information like FTP passwords or MySQL details on a private section of the forum, you change them, as the attacker can see them.
  • Check for compromised templates (usually they will deface it using the built-in templates system). If it is compromised in any way, you are best off reinstalling the theme entirely, as they could have put backdoors in.
  • Establish security methods to subvert the XSS attacks. These include enabling the admin PIN (a setting in inc/config.php), password-protecting the admin directory and only giving certified admins the directory password (this should subvert the XSS injecting method altogether, as it doesn't affect directory-level authentication), and flat out changing the admin directory (you'll need to set it in inc/config.php to the one you rename it to).
  • If you haven't, ensure you have installed the latest MyBB version. A lot of these exploits are in older versions and have been patched.
  • If you feel the attack is beyond your scope and want outside help, post on this forum with the information that will be covered below.

If you believe it's an SSL/DDoS attack:
Lock down your forums if it's an SSL attack (they can stay up in the event of a DDoS because, as mentioned above, it has little effect on actual system security) and contact your host. We can't help you much here, as it's a server-side issue.



Properly posting a thread


So you've been hit hard and still need help. We need some things from you in order to assist you best.
  • A link to your forum is preferred for us to see what's going on, but not required.
  • What's happening
  • What you believe the cause is
  • What actions (if any) you've taken to correct it so far.
  • Plugins you are using
  • Any other details.


General tips


Always be courteous and calm with your webhost and people on this forum

Yes, your website is being attacked, but they and we have lives too. Don't take any anger out on them or us.

Always keep backups.

This is the golden rule of any website. Preferably you want daily, or even 6-12 hour, backups on more popular websites.

Do NOT communicate with the attackers

'Ransom attacks' and the like will try to contact you. Do not contact them. Yes, it seems like this will stop your website from being attacked, but most attackers will get personal information out of you or blackmail you further using this. It's best not to contact them in any way, shape or form.

Better safe than sorry

Disabling your website for a few hours to sort out what's going on is better than not doing so and getting hit with a major attack. Security of your website and its users should come before downtime.


Final notes

I wouldn't be surprised if I missed a lot or made mistakes, feel free to mercilessly correct my incompetence.
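The admin-log checks the post lists (a non-admin uid performing admin actions, a known admin acting from a strange IP, database backups and template edits) can be run mechanically over an export of the admin log. The script below is an added example and is not code from MyBB or from the post author; it assumes the rows were pulled from MyBB's admin log table with columns named uid, ipaddress, dateline, module and action, and the module/action strings, the admin list and the log rows are all constructed for the demonstration.

```python
"""Triage of MyBB-style admin log rows after a suspected compromise.

Added example, not MyBB's code. Column names (uid, ipaddress, dateline,
module, action) are assumed to mirror MyBB's admin log table; the admin
list, the trusted networks, the module/action names and the rows below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: the uids that are actually supposed to be administrators,
# with the networks each one normally administers from.
KNOWN_ADMINS = {
    1: [ip_network("203.0.113.0/24")],   # site owner, home ISP range
    5: [ip_network("198.51.100.7/32")],  # co-admin, office static IP
}

# Actions matching "database download / template editing" in the post.
# These module/action strings are assumptions, not copied from MyBB.
HIGH_RISK = {
    ("tools-backupdb", "backup"),
    ("style-templates", "edit_template"),
    ("user-users", "edit"),  # covers usergroup changes
}


@dataclass(frozen=True)
class AdminLogRow:
    uid: int
    ipaddress: str
    dateline: int      # unix timestamp, the way MyBB stores times
    module: str
    action: str


def triage(rows, known_admins=KNOWN_ADMINS, high_risk=HIGH_RISK):
    """Return [(row, [reasons])] for every row that trips a red flag."""
    findings = []
    for row in rows:
        reasons = []
        if row.uid not in known_admins:
            reasons.append("uid is not a sanctioned administrator")
        else:
            ip = ip_address(row.ipaddress)
            if not any(ip in net for net in known_admins[row.uid]):
                reasons.append("admin acting from an unexpected IP")
        if (row.module, row.action) in high_risk:
            reasons.append("high-risk action: %s/%s" % (row.module, row.action))
        if reasons:
            findings.append((row, reasons))
    return findings


# Constructed log: a normal settings change, then the owner's account used
# from an unknown address to back up the database and edit templates, then
# a non-admin uid editing a user, then a legitimate co-admin action.
SAMPLE_ROWS = [
    AdminLogRow(1, "203.0.113.42", 1419800000, "config-settings", "change"),
    AdminLogRow(1, "192.0.2.99", 1419840000, "tools-backupdb", "backup"),
    AdminLogRow(1, "192.0.2.99", 1419840120, "style-templates", "edit_template"),
    AdminLogRow(42, "192.0.2.99", 1419840300, "user-users", "edit"),
    AdminLogRow(5, "198.51.100.7", 1419850000, "forum-management", "edit"),
]


def fmt(row):
    ts = datetime.fromtimestamp(row.dateline, tz=timezone.utc).isoformat()
    return f"{ts} uid={row.uid} ip={row.ipaddress} {row.module}/{row.action}"


if __name__ == "__main__":
    for row, reasons in triage(SAMPLE_ROWS):
        print(fmt(row))
        for reason in reasons:
            print("   -", reason)
```

Two of the three flagged rows come from uid 1, the real owner, which is the XSS/session-hijack pattern the post describes (a legitimate admin from a foreign IP), while uid 42 is the SQL-injection pattern (an unsanctioned account with admin powers). The IP allowlist is the part you must fill in from your own knowledge of who administers the board.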
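The post's SQL-injection scenario (a plugin pastes user input into a query and a freshly registered user ends up in the Administrator group) is easiest to see side by side with the fix. This is an added example, not MyBB's code or the post author's; MyBB plugins are PHP, so this uses Python with sqlite3 as a stand-in for the same query pattern. It assumes a users table with uid, username, usergroup, usertitle and regdate columns and treats group id 4 as Administrators (MyBB's default numbering, but an assumption here); the accounts and the payload are constructed.

```python
"""Plugin-style SQL injection that promotes a user to admin, beside the
parameterised fix, plus the check for recently registered admins.

Added example, not MyBB's own code. Assumed: a users table with uid,
username, usergroup, usertitle, regdate; usergroup 4 = Administrators,
2 = Registered. Accounts and payload are constructed.
"""
import sqlite3
import time

ADMIN_GROUP = 4
REGISTERED_GROUP = 2


def fresh_db():
    """In-memory stand-in for the forum database with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, "
               "usergroup INTEGER, usertitle TEXT, regdate INTEGER)")
    now = int(time.time())
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "owner", ADMIN_GROUP, "Administrator", now - 86400 * 700),
        (7, "newguy", REGISTERED_GROUP, "", now - 600),  # registered 10 min ago
    ])
    return db


def set_title_vulnerable(db, uid, title):
    """The bad plugin pattern: user-controlled text concatenated into SQL."""
    db.execute(f"UPDATE users SET usertitle='{title}' WHERE uid={uid}")
    db.commit()


def set_title_safe(db, uid, title):
    """Same feature with a parameterised query; the payload is just a title."""
    db.execute("UPDATE users SET usertitle=? WHERE uid=?", (title, uid))
    db.commit()


def usergroup_of(db, uid):
    return db.execute("SELECT usergroup FROM users WHERE uid=?", (uid,)).fetchone()[0]


def recent_admins(db, max_age_seconds=7 * 86400):
    """Accounts in the admin group that registered recently: the symptom the
    post describes as the giveaway of a successful injection."""
    cutoff = int(time.time()) - max_age_seconds
    return [r[0] for r in db.execute(
        "SELECT username FROM users WHERE usergroup=? AND regdate>=?",
        (ADMIN_GROUP, cutoff))]


# Constructed payload: closes the string literal, appends a second SET
# assignment with its own WHERE, and comments out the original WHERE.
PAYLOAD = "x', usergroup=4 WHERE uid=7 -- "


def demo():
    """Run the payload through both versions and report what each did."""
    results = {}
    db = fresh_db()
    set_title_vulnerable(db, 7, PAYLOAD)
    results["vulnerable_group"] = usergroup_of(db, 7)
    results["vulnerable_recent_admins"] = recent_admins(db)

    db = fresh_db()
    set_title_safe(db, 7, PAYLOAD)
    results["safe_group"] = usergroup_of(db, 7)
    results["safe_recent_admins"] = recent_admins(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The vulnerable path executes `UPDATE users SET usertitle='x', usergroup=4 WHERE uid=7 -- ' WHERE uid=7`, so newguy lands in the admin group and `recent_admins()` reports him; the parameterised path stores the payload as a literal title and the group is untouched. Running a query like `recent_admins()` against your real database is the concrete form of the post's "random user who just registered is set to the Administrator group" check.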
DDoS and SSL attacks are misleading.
You don't need to lock down.
Just make sure you have a VPS so it won't happen again
(2014-12-30, 06:53 PM)AlphaDiscussion Wrote: Just make sure you have a VPS so it won't happen again

That means absolutely nothing. VPSes are not much better at handling load unless you have a well-optimized web server running on a powerful VPS. A $20 VPS won't do a ton of good unless you know exactly what you're doing. Even then, it's not too common to get over about 150-200 req/s on them, but DDoS attacks can push way more.