MyBB Community Forums

Full Version: SQL Exploit consuming all my CPU
Hi, I'm the owner of a MyBB forum (about 5k threads and 20k messages) that is being targeted by some hacker wannabe, probably. The thing is, that guy is somehow exploiting my SQL with a botnet, and basically it takes 100% of my 8 4.2ghz cores, and doesn't go down until I reboot my MariaDB and Apache2 services. I tried logging EVERY query that MariaDB executes, but I can't figure out what's happening; I'm not able to see a pattern to determine what could be exploited. My 3306 port is closed, since I'm running everything locally in my dedicated server, so they are NOT attacking the port directly.

I'm running MyBB 1.8.19.
I'm using a custom theme (Flatty) with these plugins:
  1. Multiple Usergroup Images on Postbit/Profile (1.2)
  2. Shows Avatar on Threadlist and Forumlist (3.0)
  3. Discord Webhooks for MyBB (2.0)
  4. MyAlerts (2.0.4)
  5. My Arcade (1.3.1)
  6. MyProfile (1.2)
  7. MyCode: [spoiler] (1.2.1)
  8. CoderMe Donation FREE (6.0.0)
  9. ProStats /proʊˈstæts/ (1.9.7)
  10. Servers board (3.5)
  11. Style Usernames (MyBB 1.8) (1.5.0)
Things that I already tried:
  1. Limited search engine only for registered (and verified) users, also limited the results to 100.
  2. Removed "Reload" button from ProStats since I thought it does some hard queries, and doesn't have any kind of spam protection.
  3. Added CloudFlare (free service) to my website.
  4. Blocked all those IPs and countries from where the attack was coming from (I wasn't interested in those countries to join my website either).
I'm not sure what I should try right now. I would really appreciate it if some of you shared your security knowledge of this platform with me. Thanks for trying to help me, greetings!
(2018-12-13, 09:53 PM)zAnonimo Wrote: [ -> ]Hi, I'm the owner of a MyBB forum (about 5k threads and 20k messages) that is being targeted by some hacker wannabe, probably. The thing is, that guy is somehow exploiting my SQL with a botnet, and basically it takes 100% of my 8 4.2ghz cores, and doesn't go down until I reboot my MariaDB and Apache2 services. I tried logging EVERY query that MariaDB executes, but I can't figure out what's happening; I'm not able to see a pattern to determine what could be exploited. My 3306 port is closed, since I'm running everything locally in my dedicated server, so they are NOT attacking the port directly.

Try deactivating #9 - ProStats. 

I have found through my previous experience that this plugin is a bit buggy and acts weird at times.

I pretty much use all of the other plugins except for #1 and #10. I do not have any issues with any botnets or hackers attempting to DoS my website.

But then... I do use a paid hosting service for my website. Looks like you are using a VPS.
(2018-12-13, 11:48 PM)Serpius Wrote: [ -> ]Try deactivating #9 - ProStats. 

Thanks for the answer, Serpius!

Sadly, I already tried disabling ProStats, and the attacks are still coming and effective as always. Yes, I do host my website in my VPS, but I'm pretty sure it's not a DDoS but a SQL Exploit or Injection. Basically, I'm not getting my bandwidth compromised, only my MariaDB (SQL) is being stressed out a lot.
Can you SSH into your VPS, and do a quick check on how many connections to your MariaDB instance? Something like
netstat -an|grep 3306

Also, run top and do a quick check and see what kind of resources apache and mariadb are using.
(2018-12-14, 12:14 AM)snakeoilos Wrote: [ -> ]Can you SSH into your VPS, and do a quick check on how many connections to your MariaDB instance? Something like
netstat -an|grep 3306

Sure, as I said, my 3306 port is closed using IPTables.
[Image: DgxqkHu.png]

I can't figure out how to see which resources MariaDB and Apache2 are using though. Is that info in top/htop? Thanks for your answer!
Yes, HTOP will show you what MySQL/MariaDB and Apache/NGINX are running at. If you hit F4 within Htop you'll be able to filter the results.
Here's the result:
[Image: f06ZOQj.png]

I limited the CPU usage of MariaDB to 20% because it was affecting my gameservers. I'm not being attacked right now though; most of the time the attacks are in the morning (like today), and this started about one week ago.
Looks normal (I think). Now you have a baseline...

So just wait for this to happen again, and look for differences. Run netstat and see if you get any suspicious or out-of-character connections. Not just to 3306, but others (e.g. your HTTPS/443, and so on). And try to look at your Apache logs (error and access) and syslog and try to spot any correlations.

For now, go through the apache logs, do you see any weird HTTP requests? If yes, you can consider running something like fail2ban and ban those IPs.
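The connection check snakeoilos suggests (netstat against 3306 in the earlier post, and against 443 and other ports for the baseline comparison above), written out as an added example; this is not code from the thread. It parses the output of `netstat -an` in the layout Linux net-tools prints, tallies sockets on a port by TCP state and by foreign peer, and reports any non-loopback peer reaching that port. The sample output, the hostnames and the addresses (documentation ranges) are constructed; on a real box the `live_rows` function runs the actual command and the sample is only a fallback.

```python
import subprocess
from collections import Counter

# Constructed sample in the layout `netstat -an` prints on Linux (net-tools).
# The addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          127.0.0.1:51542         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:51544         ESTABLISHED
tcp        0      0 127.0.0.1:51542         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:51544         127.0.0.1:3306          ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:51390         TIME_WAIT
tcp        0      0 203.0.113.10:443        198.51.100.7:40212      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:40214      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.8:52003      SYN_RECV
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}


def split_addr(addr):
    """'127.0.0.1:3306' -> ('127.0.0.1', '3306'); also handles '::1:3306' and '0.0.0.0:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """One (proto, local_host, local_port, foreign_host, foreign_port, state) per TCP socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # banner, header, UDP (no state column), unix sockets
        lh, lp = split_addr(parts[3])
        fh, fp = split_addr(parts[4])
        rows.append((parts[0], lh, lp, fh, fp, parts[5]))
    return rows


def states_on_port(rows, port):
    """Sockets whose *local* port is `port`, counted by TCP state. Counting the
    server side only avoids counting each loopback connection twice."""
    return Counter(r[5] for r in rows if r[2] == str(port))


def peers_on_port(rows, port, state="ESTABLISHED"):
    """Foreign hosts connected to local `port` in the given state, by count."""
    return Counter(r[3] for r in rows if r[2] == str(port) and r[5] == state)


def non_loopback_peers(rows, port):
    """Foreign hosts reaching `port` from anywhere but this machine. An empty
    list for 3306 confirms the database is only being used by local processes."""
    return sorted({r[3] for r in rows
                   if r[2] == str(port) and r[5] != "LISTEN" and r[3] not in LOOPBACK})


def live_rows():
    """Run the real `netstat -an` and parse it; returns [] if the tool is missing."""
    try:
        out = subprocess.run(["netstat", "-an"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_netstat(out)


if __name__ == "__main__":
    rows = live_rows() or parse_netstat(SAMPLE_NETSTAT)
    for port in (3306, 443):
        print(f"port {port}: states={dict(states_on_port(rows, port))} "
              f"peers={peers_on_port(rows, port).most_common(5)} "
              f"non-loopback peers={non_loopback_peers(rows, port)}")
```

Run it once while the box is quiet to record the baseline, then again during an incident; the things to compare are the number of ESTABLISHED and TIME_WAIT sockets on 3306 (a web tier that opens far more database connections than usual is the symptom to look for) and the peer counts on 443.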
(2018-12-14, 05:48 AM)snakeoilos Wrote: [ -> ]Looks normal (I think). Now you have a baseline...

Sorry for my late response, I was feeling sick lately and I wasn't really monitoring the VPS. Yesterday I finally checked what you suggested.

Port 80 seems normal, but port 443 is filled with a lot of weird IPs, which is predictable because we're getting attacked by a botnet. We limited the connections to 15 for each IP, but there are a few hundred IPs attacking.

Apache logs have some stuff that I consider normal but interesting. This, for example:
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /showthread.php?tid=10924 HTTP/1.1" 200 13925 "https://foros.proyectomila.net/forumdisplay.php?fid=32" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=18 HTTP/1.1" 200 9636 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=19 HTTP/1.1" 200 6784 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=60 HTTP/1.1" 200 26490 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=35 HTTP/1.1" 200 4934 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.107 - - [14/Dec/2018:17:37:56 +0000] "GET //uploads/avatars/avatar_1230.jpg?dateline=1543794377 HTTP/1.1" 304 4358 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=69 HTTP/1.1" 200 5350 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"
108.162.246.54 - - [14/Dec/2018:17:38:08 +0000] "GET /showthread.php?mode=linear&tid=5795&pid=31372 HTTP/1.1" 200 18933 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
172.69.206.95 - - [14/Dec/2018:17:38:20 +0000] "GET /showthread.php?tid=11028&page=2 HTTP/1.1" 200 13941 "https://foros.proyectomila.net/showthread.php?tid=11028&pid=42406" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:20 +0000] "GET /css.php?stylesheet=60 HTTP/1.1" 200 22393 "https://foros.proyectomila.net/showthread.php?tid=11028&page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:21 +0000] "GET /css.php?stylesheet=69 HTTP/1.1" 200 5350 "https://foros.proyectomila.net/showthread.php?tid=11028&page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:21 +0000] "GET /css.php?stylesheet=18 HTTP/1.1" 200 13733 "https://foros.proyectomila.net/showthread.php?tid=11028&page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:21 +0000] "GET /css.php?stylesheet=35 HTTP/1.1" 200 4934 "https://foros.proyectomila.net/showthread.php?tid=11028&page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:21 +0000] "GET /css.php?stylesheet=19 HTTP/1.1" 200 6784 "https://foros.proyectomila.net/showthread.php?tid=11028&page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:38:21 +0000] "POST /newthread.php?fid=18&processed=1 HTTP/1.1" 200 6640 "https://foros.proyectomila.net/newthread.php?fid=18" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:21 +0000] "GET /css.php?stylesheet=19 HTTP/1.1" 200 2687 "https://foros.proyectomila.net/newthread.php?fid=18&processed=1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
172.69.206.95 - - [14/Dec/2018:17:38:22 +0000] "GET /css.php?stylesheet=69 HTTP/1.1" 200 1253 "https://foros.proyectomila.net/newthread.php?fid=18&processed=1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
172.69.206.77 - - [14/Dec/2018:17:38:22 +0000] "GET /css.php?stylesheet=18 HTTP/1.1" 200 13733 "https://foros.proyectomila.net/newthread.php?fid=18&processed=1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
172.69.206.107 - - [14/Dec/2018:17:38:22 +0000] "GET /css.php?stylesheet=35 HTTP/1.1" 200 4934 "https://foros.proyectomila.net/newthread.php?fid=18&processed=1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
172.69.206.107 - - [14/Dec/2018:17:38:22 +0000] "GET /css.php?stylesheet=60 HTTP/1.1" 200 26490 "https://foros.proyectomila.net/newthread.php?fid=18&processed=1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"

And a lot of dummy connections that happen when the services collapse (MariaDB and Apache2):
::1 - - [14/Dec/2018:05:35:11 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.25 (Debian) OpenSSL/1.0.2l (internal dummy connection)"
Anything that looks interesting to you?
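A way to go through the access log for the things snakeoilos asked about (which script each request hits, how many requests arrive per second, and which POSTs appear), added here as an example and not code from the thread. It parses Apache's combined log format. The sample mixes a few of the lines quoted above with constructed lines (the /search.php ones, marked as such) to show what a burst against one script looks like. It also checks one thing the quoted lines make visible: their client addresses all fall within Cloudflare's published IPv4 ranges (172.64.0.0/13 and 108.162.192.0/18; full list at https://www.cloudflare.com/ips/), which is expected since the site was put behind Cloudflare, but it means the log records the proxy's edge addresses rather than the visitors'. Per-IP counts, or a ban built on them, would apply to Cloudflare itself unless Apache is configured to recover the original client address (mod_remoteip with the CF-Connecting-IP header).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Two of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips/).
# Assumption for this example: the site sits behind Cloudflare, as the thread says.
CLOUDFLARE_RANGES = [ip_network("172.64.0.0/13"), ip_network("108.162.192.0/18")]

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

# Sample: the first seven lines are quoted from the thread; the last four are
# constructed to show a burst of search requests within one second.
SAMPLE_LOG = [
    '172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /showthread.php?tid=10924 HTTP/1.1" 200 13925 "https://foros.proyectomila.net/forumdisplay.php?fid=32" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"',
    '172.69.206.77 - - [14/Dec/2018:17:37:56 +0000] "GET /css.php?stylesheet=18 HTTP/1.1" 200 9636 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"',
    '172.69.206.107 - - [14/Dec/2018:17:37:56 +0000] "GET //uploads/avatars/avatar_1230.jpg?dateline=1543794377 HTTP/1.1" 304 4358 "https://foros.proyectomila.net/showthread.php?tid=10924" "Mozilla/5.0 (Linux; Android 8.0.0; ATU-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Mobile Safari/537.36"',
    '108.162.246.54 - - [14/Dec/2018:17:38:08 +0000] "GET /showthread.php?mode=linear&tid=5795&pid=31372 HTTP/1.1" 200 18933 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '172.69.206.95 - - [14/Dec/2018:17:38:20 +0000] "GET /showthread.php?tid=11028&page=2 HTTP/1.1" 200 13941 "https://foros.proyectomila.net/showthread.php?tid=11028&pid=42406" "' + UA_CHROME + '"',
    '172.69.206.77 - - [14/Dec/2018:17:38:21 +0000] "POST /newthread.php?fid=18&processed=1 HTTP/1.1" 200 6640 "https://foros.proyectomila.net/newthread.php?fid=18" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"',
    '::1 - - [14/Dec/2018:05:35:11 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.25 (Debian) OpenSSL/1.0.2l (internal dummy connection)"',
] + [
    # constructed lines
    f'172.69.206.95 - - [14/Dec/2018:17:39:00 +0000] "GET /search.php?action=results&sid=constructed{i} HTTP/1.1" 200 8100 "-" "{UA_CHROME}"'
    for i in range(4)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["script"] = rec["target"].split("?", 1)[0].lstrip("/")  # '//uploads/x' -> 'uploads/x'
    rec["second"] = rec["ts"].split(" ", 1)[0]                   # '14/Dec/2018:17:37:56'
    rec["dummy"] = "internal dummy connection" in rec["ua"]      # Apache's self-probes
    return rec


def is_cloudflare_edge(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)


def summarize(lines):
    """Aggregate client requests by address, by script and by second; list POSTs."""
    per_ip, per_script, per_second = Counter(), Counter(), Counter()
    posts, edge_ips, dummy = [], set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dummy"]:
            dummy += 1  # not client traffic; keep it out of every other count
            continue
        per_ip[rec["ip"]] += 1
        per_script[rec["script"]] += 1
        per_second[rec["second"]] += 1
        if rec["method"] == "POST":
            posts.append((rec["ip"], rec["script"]))
        if is_cloudflare_edge(rec["ip"]):
            edge_ips.add(rec["ip"])
    return {
        "requests": sum(per_ip.values()),
        "per_ip": per_ip,
        "per_script": per_script,
        "posts": posts,
        "dummy": dummy,
        "edge_ips": edge_ips,
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['requests']} client requests, {s['dummy']} internal dummy connections")
    print("peak requests in one second:", s["peak_per_second"])
    print("busiest scripts:", s["per_script"].most_common(3))
    print("POSTs:", s["posts"])
    if s["edge_ips"] == set(s["per_ip"]):
        print("every client address is a Cloudflare edge address; enable mod_remoteip "
              "(RemoteIPHeader CF-Connecting-IP) before counting or banning per IP")
```

Feed it the real file with `summarize(open("/var/log/apache2/access.log"))`; the per-script counter is the one to watch for a database-load problem, since a few requests per second against search.php or a heavy plugin page cost far more than the same number against css.php.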
You're only getting a few requests a second. So yup, as you said, not a DDOS. Based on these logs, there's nothing you can filter in fail2ban, so that idea is out.

Is that POST legit? Maybe can try and dump that POST data and see what it's doing?

Here's what I'd do if I'm in your shoes:
1. In the ACP, go to Settings -> General Settings. Turn on "Friendly Redirection Pages" if it's OFF. This adds a new delay page every time a user performs a search or posts a new thread.
2. In ACP Settings-> Search System. Tweak the settings to suit the size of your board (# of posts)
3. Try and rule out a mis-configuration. Disable all plugins and use the default theme and see if you still get the same problems.
4. Update your OS to include the latest patches
5. Go through this security (https://docs.mybb.com/1.8/administration...rotection/) again.

I really really hate mod_security myself. But maybe it can help track/identify bad POST or get data. Perhaps you can try and enable mod_security briefly and see what's going on.