MyBB Community Forums

Hi,

I'm so tired of this, but I'm gonna answer this type of posts once more.

Your "hacked" Mybb had the default theme (not a nulled one), have no plugins (and of course you don't use any plugin not endorsed by MyBB's staff), and its raw files are untouched?

You only have a forum's website, not another CMS like Wordpress or similar, or others pre-made websites not updated.

Your server is up to date and you have all the security meassures you can in it.

And of course, you never, never, never downloaded anything from obscure origin to your computer that could have a trojan inside (and please, don't answer me with "I have an AV").

If you have any proof of the injection, fine, report it to MyBB, and of course any of the "other sites" with the same problem.

Anything besides that it's a waste of time.

(2019-12-14, 02:44 PM)Stage4000 Wrote: [ -> ]The board name, the board url, all of the general settings of the site were modified. Like you said yourself the ACP would be impossible to access via an SQL injection but that doesnt mean that the attacker cant change the general site settings.

You can't just alter any database table with SQL injection so that's highly unlikely. And again, you can't modify a specific file with SQL injection.

(2019-12-14, 02:44 PM)Stage4000 Wrote: [ -> ]Further, it would have been impossible to change the settings to what they did from inside the ACP as the ACP would have used a regex to verify some of the data that was modified and I guarantee that the new data doesnt fit within the regex.

MyBB doesn't use regular expressions to verify settings (except for some specific options).

(2019-12-14, 02:44 PM)Stage4000 Wrote: [ -> ]My final point is that the server doesnt allow for external db connections, and mybb was the only thing on the server with db access at the time of attack. And even if it did, I am the only one who knew the randomly generated password.

That's not a prove at all. All your claims are based on (partly incorrect) assumptions.