MyBB Community Forums

Full Version: Mybb 1.8.6/1.8.10 forum Hacked (URL Injection?), website destroyed.
Hello everyone,
I'd like to share my experience I had a couple of weeks ago.

So, I've been using MyBB for a few years now.  I've never had any "hack" problems in the past.

However, earlier during the year, myself and all other members noticed odd things happening... Sometimes, when I logged in, it was displaying another username than my own, when I tried to log out, it gave me an error saying "javascript" is affecting the logout.

So I upgraded the forum to 1.8.10, hoping this would resolve the issue (from 1.8.6).

Then, things got worse.. much worse.
Anytime a member refreshed the page they were logged in as someone else, even if they weren't logged in to begin with.
Some pages on my website remained the exact same after editing code.  (Example, an edited html page looked the exact same as it did before it was edited).
Members then randomly logged into a secret administrator account.  In our cbox (chat room) for the website the hacker started to tease and taunt about his success; he spoke Chinese with the username "DiamondKevin".  At this point I knew the website was hacked.

The website became unusable, I had to close it down from my website provider.
I'm currently rebuilding a new website on a new web server with MyBB 1.8.10 hoping that the issue was in an older version causing the hack.

I didn't have many plugins either, in fact, I only had the "MyProtection" plugin.  Luckily they got no passwords from this hack either.  I feel this hack is due to URL injection.

I'd like to hear your thoughts about this everyone,

Stay safe!
This sounds like your host caches pages aggressively. User A visits the site, host caches it and user B sees the site that was generated for user A.

Related discussion: https://community.mybb.com/thread-194804.html
Sounds like the same issue Steam had - a lot of hosts these days install Varnish or something similar. Like Stefan said, you visit a page, and it caches the HTML for that URL - doesn't matter that it's a page generated for a certain logged in user, it just saves that HTML. When someone else goes to the same URL, it just serves up the cached HTML, so says your username etc to someone else. We've seen an increasing number of shared hosts installing server-level caching, and you're not the first to think it's a hack of some sort either.
(2017-01-19, 05:28 PM)StefanT Wrote: This sounds like your host caches pages aggressively. User A visits the site, host caches it and user B sees the site that was generated for user A.

Related discussion: https://community.mybb.com/thread-194804.html

Thank you for your input Stefan,

Hostgator are the blokes that host my website(s).
What happened was very unusual as I didn't edit any files on the server, particularly .htaccess.

I believe it was a hack considering my website had myBB running on it for a few years before this situation happened.

However, fingers are slowly beginning to point at the MyProtection plugin. A week before this issue began I attempted to make another user an administrator and the MyProtection plugin seemed to have crashed my website for going over a CPU limit of 25% by Hostgator.
I had to disable the plugin as soon as I was able to and it stopped the CPU issue, perhaps this was heavy caching?



(2017-01-19, 05:36 PM)Matt Wrote: Sounds like the same issue Steam had - a lot of hosts these days install Varnish or something similar. Like Stefan said, you visit a page, and it caches the HTML for that URL - doesn't matter that it's a page generated for a certain logged in user, it just saves that HTML. When someone else goes to the same URL, it just serves up the cached HTML, so says your username etc to someone else. We've seen an increasing number of shared hosts installing server-level caching, and you're not the first to think it's a hack of some sort either.

Thank you for your thoughts Matt, it was indeed a shared host.
I will get in contact with Hostgator and let you know what they say about all of this.

You guys do a good thing here at MyBB.
MyProtection doesn't cache whole pages of HTML; this will be something done at a server level, not a MyBB level. The thing is though, hosts actually often deny they even have it installed (even when I can see it is from HTTP headers), so they may not even be completely truthful about it.
Quote: Anytime a member refreshed the page they were logged in as someone else, even if they weren't logged in to begin with.

This is a cache problem. Just confirming to you what others have stated. Suggest you go through all your services and ensure that only static content is cached (images, jscript, and css).
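Matt's post above describes the mechanism (a server-level cache stores the HTML generated for one logged-in user and replays it for the next visitor of the same URL), and the reply just above recommends making sure only static content is cached. The script below is an added example, not code from MyBB, from Hostgator, or from anyone in this thread. It reads raw HTTP response heads, decides whether a response is per-user (dynamic HTML or anything carrying Set-Cookie), and reports when such a response lacks Cache-Control: private/no-store or shows cache-served evidence (Age, X-Cache: HIT). The three sample responses are constructed; the cookie name mybbuser matches MyBB's login cookie but its value is invented. It also shows the headers a dynamic page should emit so a shared cache never stores it.

```python
"""Classify HTTP responses by whether a shared cache (Varnish, a host's
reverse proxy, a CDN) may store a per-user page and replay it to others.

Added example, not MyBB's or any host's code. Sample responses below are
constructed. Cache-Control semantics follow RFC 9111; Age and X-Cache are
the headers such caches commonly add to a copy they serve.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict  # lowercased header name -> value


def parse_response_head(raw: str) -> Response:
    """Parse the status line and headers of a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Fold repeated headers (e.g. several Set-Cookie lines) into one value.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return Response(status, headers)


def cache_control_directives(resp: Response) -> set:
    """Directive names present in Cache-Control, e.g. {'private', 'max-age'}."""
    cc = resp.headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower() for part in cc.split(",") if part.strip()}


def is_per_user(resp: Response) -> bool:
    """Dynamic HTML, or anything that sets a cookie, is specific to one visitor."""
    ctype = resp.headers.get("content-type", "").lower()
    return ctype.startswith("text/html") or "set-cookie" in resp.headers


def shared_cache_findings(resp: Response) -> list:
    """Return findings for a per-user response; an empty list means it is either
    not per-user content or is correctly marked so shared caches skip it."""
    if not is_per_user(resp):
        return []
    findings = []
    directives = cache_control_directives(resp)
    if not directives & {"private", "no-store"}:
        findings.append("per-user response lacks Cache-Control: private or no-store")
    if "public" in directives or "s-maxage" in directives:
        findings.append("Cache-Control explicitly permits shared caches")
    age = resp.headers.get("age")
    if age is not None and age != "0":
        findings.append(f"Age: {age} shows this copy was served from a cache")
    if "hit" in resp.headers.get("x-cache", "").lower():
        findings.append(f"X-Cache: {resp.headers['x-cache']} shows a cache hit")
    return findings


def harden_headers(headers: dict) -> dict:
    """Headers a dynamic page should send so shared caches never store it."""
    fixed = dict(headers)
    fixed["cache-control"] = "private, no-store"
    fixed["vary"] = "Cookie"  # extra guard for caches that honour Vary but ignore private
    return fixed


# Constructed sample: a logged-in visitor's forum page after a host-level cache
# stored it and is now replaying it (Age and X-Cache were added by the cache).
LEAKY_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: mybbuser=1_examplesessiontoken; path=/\r\n"
    "X-Cache: HIT\r\n"
    "Age: 37\r\n"
    "\r\n"
    "<html>Welcome back, admin</html>"
)
# Constructed sample: the same page once the origin marks it off-limits to shared caches.
SAFE_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: private, no-store\r\n"
    "Vary: Cookie\r\n"
    "Set-Cookie: mybbuser=1_examplesessiontoken; path=/\r\n"
    "\r\n"
    "<html>Welcome back, admin</html>"
)
# Constructed sample: a stylesheet, which a shared cache is expected to keep.
STATIC_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "Cache-Control: public, max-age=86400\r\n"
    "X-Cache: HIT\r\n"
    "Age: 120\r\n"
    "\r\n"
    "body { margin: 0 }"
)


def audit(raw: str) -> list:
    """Convenience wrapper: findings for one raw response."""
    return shared_cache_findings(parse_response_head(raw))


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RAW), ("safe", SAFE_RAW), ("static", STATIC_RAW)):
        print(label, audit(raw) or "OK")
```

Run against a real site, the same checks apply to the response head of any page fetched while logged in: an Age or X-Cache: HIT on dynamic HTML is the header evidence Matt refers to, and it remains visible even when the host says no cache is installed. The fix on the origin side is the header set produced by harden_headers; on the cache side it is a rule that bypasses the cache whenever a request carries a session cookie, so only static assets such as the stylesheet sample get stored.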
Further to the above, if you're on Cloudflare you will need to reduce the cache level and turn off things like Railgun, which causes a lot of problems with MyBB.
As everyone has already stated, your webhost is aggressively caching webpages. I recommend switching to an unmanaged VPS provider and setting up your own webserver and all. It's fun and you learn a lot. It's really bad that shared hosts are lying to their users and caching stuff without anyone's consent. Anyways, good luck with whatever provider you switch to, and we're sorry for the confusion.
Hello everyone, thank you all so much for your support,

Here is an update on the situation;
Hostgator denied caching pages aggressively; they blocked my website for a whole month claiming it's my fault until they came to their senses and purged the cache.

As soon as they purged everything was in working order.
It was such a frustrating experience overall but I'm glad it's taken care of.

I'm still with hostgator as of right now however I'm looking for a new website host provider to host my websites, as hostgator has now put insane limits onto what you can change in your websites php.ini file.

For example, there is now a 64MB upload file size limit for PHP code; since my website is a gaming platform community, users are able to upload their own games... this is where that limit becomes a problem.

Can anyone recommend the best mainstream/long-standing hosting service that has fewer limits than Hostgator, better performance and potentially cheaper (Hostgator tends to be more expensive than most hosts)?

Thank you!

If you want to check out my website feel free to do so;
http://zeoworks.com/home/games.php?filter=1
Quote: Hostgator denied caching pages aggressively
Quote: they came to their senses and purged the cache

Classic hosting U-turn. The number of times hosts have gone from "we have no caching" to "we have disabled caching" after an hour or two... I'm sorry, I thought you said you didn't have caching.

Hostgator enabled this caching on the 2nd of Feb, as two other users had caching issues start on that day and were both on Hostgator too.