MyBB Community Forums

Full Version: MyBB security issue!
Dear folks, 

Actually, I'm getting attacked on MyBB 1.8.19.
Here is how things appear:

A member is offline (User CP), but he shows as online less than one minute ago.
If I search the logs for the same member, I see he is hitting unreadPosts:
this is from the last few hours for unread posts: 48876 55.93% 1215 4.39%    4.58 MiB GET  HTTP/1.1 /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Over 500 members are affected: they are offline but showing as online less than one minute ago.
Note that their IPs are still showing the original one!

Now, if I change any of these members' passwords, he will no longer keep showing as online less than a minute ago.

Also, I would like to ask about task.php:
what is this file used for, and is it normal for it to be accessed by forum visitors directly (I see it in access.log)?

Kindly advise.
task.php should not be used by forum visitors; they won't be able to access it.

You are probably using the Unread Posts plugin by Lucas. It might be possible that the plugin is vulnerable; can you try disabling the plugin for the time being and see if you are getting the same attack? This seems like a case of DDoS to me.
I disabled/uninstalled this plugin, but no change!

URI /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Still under attack!

Best regards.
(2019-01-30, 02:57 PM)mhh_rabih Wrote: [ -> ]Also, I would like to ask about task.php:
what is this file used for, and is it normal for it to be accessed by forum visitors directly (I see it in access.log)?

It's normal; it's how PHP task systems work in lieu of real cron functionality. Tasks are run by piggy-backing on user visit requests. If nobody visits your site (or you remove task.php from the user templates), tasks will not run.


(2019-01-30, 06:50 PM)mhh_rabih Wrote: [ -> ]I disabled/uninstalled this plugin, but no change!

URI /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Still under attack!

Best regards.

You can't stop people from sending requests to your webserver.

If you don't like it, you have to start banning IPs (at the firewall or webserver level, not just in the Admin CP).
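As an added example (not code from the thread or from MyBB), here is the kind of log check a practitioner would run before banning anything: parse the webserver access log in Apache/nginx "combined" format, count how many times each client IP requests /xmlhttp.php?action=unreadPosts_getUnreads within a single calendar minute, flag the IPs whose peak exceeds a threshold, and emit nginx `deny` and iptables rules for them. The threshold (5 polls per minute) and the sample log lines are constructed for illustration; tune the threshold against your own baseline of how often the plugin legitimately polls. Banning at the webserver or firewall matters because an Admin CP ban is only checked after PHP has already been invoked for the request.

```python
"""Added example, not from the MyBB thread: find IPs hammering the
unreadPosts XMLHTTP endpoint and generate webserver/firewall deny rules."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
POLL = "/xmlhttp.php?action=unreadPosts_getUnreads&fid0 HTTP/1.1"

# Constructed sample log: 203.0.113.10 polls 6x in one minute, 198.51.100.7
# polls 2x per minute over two minutes, 192.0.2.5 is an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 - - [30/Jan/2019:14:00:{s:02d} +0000] "GET {POLL}" 200 98 "-" "Mozilla/5.0"'
     for s in (1, 3, 5, 7, 9, 11)]
    + [f'198.51.100.7 - - [30/Jan/2019:14:{m:02d}:{s:02d} +0000] "GET {POLL}" 200 98 "-" "Mozilla/5.0"'
       for m in (0, 1) for s in (10, 40)]
    + ['192.0.2.5 - - [30/Jan/2019:14:00:20 +0000] "GET /showthread.php?tid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       f'192.0.2.5 - - [30/Jan/2019:14:00:25 +0000] "GET {POLL}" 200 98 "https://forum.example/" "Mozilla/5.0"']
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    rec["query"] = parse_qs(parts.query)  # "fid0" has no "=", so it is dropped
    return rec


def is_unread_poll(rec):
    """True for the XMLHTTP unread-posts poll the thread is talking about."""
    return rec["script"].endswith("/xmlhttp.php") and \
        rec["query"].get("action") == ["unreadPosts_getUnreads"]


def peak_per_minute(lines):
    """Map each IP to the most unread-posts polls it made in any one calendar minute."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_unread_poll(rec):
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)
        buckets[(rec["ip"], minute)] += 1
    peak = defaultdict(int)
    for (ip, _minute), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_ips(lines, per_minute_threshold=5):
    """IPs whose peak poll rate reaches the threshold (hypothetical tuning value)."""
    return sorted(ip for ip, n in peak_per_minute(lines).items()
                  if n >= per_minute_threshold)


def deny_rules(ips):
    """Return (nginx deny lines, iptables commands) for the flagged IPs."""
    nginx = [f"deny {ip};" for ip in ips]
    iptables = [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
    return nginx, iptables


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = flag_ips(lines)
    print("peak polls/minute:", peak_per_minute(lines))
    print("flagged:", flagged)
    for rule in deny_rules(flagged)[0] + deny_rules(flagged)[1]:
        print(rule)
```

Run it against a real log with `flag_ips(open("/var/log/nginx/access.log").readlines())`; the nginx lines go into a `location` or `server` block, and the iptables commands need root. A spoofed source IP cannot complete a TCP handshake, so the addresses in the log are the ones actually talking to the server, which is why blocking them at the network edge works.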