Hi, my forum has been hacked, all index.php had been replaced by hacker.
Unfortunately i run mybb 1.6, and i want to clean all files with new ones, can i just replace all files with mybb 1.8 ? can i just delete the 1.6 files, and replace with 1.8? how about
config.php ?
Quote:To ensure that your MyBB installation is clean and no extra files have been added, you should delete all your files and upload a fresh copy of the latest version of MyBB. You only really need to backup your inc/config.php file. And even that should be double checked against the default structure of the file. Pay attention to your database details specifically, as well as your admin directory, super admins, etc.
If you have a lot of plugins, images, language packs or custom modifications, you should create a full backup and upload these things later on. Note that it is possible that a vulnerability lies within these files, so make sure to review them carefully. In the future consider using the Patchesplugin to edit all of the core files. This makes it incredibly easy to restore patches when you’re upgrading or replacing files.
Deleting the files and re-uploading a fresh copy of MyBB also has the benefit of updating to the latest code. If you were running an older version of MyBB - which is why most forums get hacked - you will now be running on code free of any known vulnerabilities. To upgrade your forum, if it wasn’t the latest version, follow the Upgrade documentation.
You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.
Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).
Some advice for the future:
Use an ACP pin. (A LONG ONE WITH RANDOM CHARACTERS)
Use security log plugin to check if someone is trying to crack your board.
Don't use 1.6 ever. Ever!
Change your max password length to 255 characters and use randomly typed passwords stored in a cryptographically secure password wallet.
That way you can use a not so hard to remember string of letters and numbers you can use in a 12 character password that will give your passwords 2048 bit strength protection, making them nearly impossible to brute force.
You could also use a password generator too using JavaScript, just add your own salt to it and make sure it's exactly 255 characters using notepad or something.
(2016-09-19, 05:00 AM)Josh H. Wrote: [ -> ]You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.
Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).
how about /uploads folder? I want to retain attachments.
edit: well, i have another problem, i can't login to ACP, will it be okay? can i login latter when upgrading?
(2016-09-19, 07:45 AM)zukro Wrote: [ -> ] (2016-09-19, 05:00 AM)Josh H. Wrote: [ -> ]You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.
Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).
how about /uploads folder? I want to retain attachments.
edit: well, i have another problem, i can't login to ACP, will it be okay? can i login latter when upgrading?
WTF do you mean you can't login to ACP?
Change your ACP pin and admin password!!!!
Update: Successfully upgrade to 1.8, all threads, posts, attachments are intact.
I am doing File Verification, and found two problems. Two files have been changed, but I never do that, I was do fresh upgrade download directly from
https://mybb.com/download
inc/functions_upload.php
inc/class_feedparser.php
Does it mean someone (hacker) has changed this two files?
[
attachment=37355]
another problem is, there are still plugins settings from previous installation, although all of plugin files have been removed.
How can I remove this plugins settings?
(2016-09-19, 09:50 PM)zukro Wrote: [ -> ]well, hacker replaced index.php in my ADMIN acp folder too.
Now I can login.
Reset your passwords for cPanel (if applicable), server passwords (if applicable), all admin users, and any database users ASAP. If they had file access to modify it after you uploaded files, it seems that something is still compromised.
If you have access to a bash/zsh/anything-not-Windows CLI, run a grep -inR forum_path/ "base64_decode" and the same thing for "eval" and see if there are any lines that look oddly obfuscated and not like normal MyBB code. These two things will most likely help you identify any web shells if you find anomalies. Feel free to post here or PM me if you have any questions.
(2016-09-19, 10:12 PM)Josh H. Wrote: [ -> ]Reset your passwords for cPanel (if applicable), server passwords (if applicable), all admin users, and any database users ASAP. If they had file access to modify it after you uploaded files, it seems that something is still compromised.
If you have access to a bash/zsh/anything-not-Windows CLI, run a grep -inR forum_path/ "base64_decode" and the same thing for "eval" and see if there are any lines that look oddly obfuscated and not like normal MyBB code. These two things will most likely help you identify any web shells if you find anomalies. Feel free to post here or PM me if you have any questions.
Unfortunately I only have FTP access, I'll tell that to our server admin.
inc/functions_upload.php
inc/functions.php
inc/class_feedparser.php
I am doing file verification again, and now there're 3 files changed.
What I've done, is installing plugins. Does installing plugins change
inc/functions.php ?
Note: Now my forum is in OFFLine mode, I restrict access using .htaccess