MyBB Community Forums

Full Version: SQL Injection IMMEDIATE HELP REQUESTED
I am in need of assistance with an SQL Injection attack against my forum. 

I am unable to access ACP due to the attack targeting the cookie settings.
Have you more details? Server logs? DB backups?
I currently have DB access for whoever wants it. Send me a PM.

I had to run a very old db backup and restore a bunch of files.
So here are the total symptoms of the attack that I just went through.

1) DB was modified heavily; it seems that they mostly targeted the settings table. They changed my board name and the board URL to a porn site.
2) Even after reverting settings in the DB manually via phpMyAdmin the board settings were not being reflected, leading me to believe that perhaps there was something else also going on.
3) Either due to the changed settings or due to another part of the attack MyBB was refusing to set cookies, making it so I couldn't log into ACP.

Theories:
Sql Injection paired with dns cache poisoning?

Conclusion: Bye MyBB
Do you really guess this was an attack on the MyBB forums system??? Or maybe a successful attempt to get remote access to your database!?

Does your forum administrator log say something about any changes made?
(Mind these records could be removed when having database access)

Check your server logs - especially webserver log files (access log files) for any connections at that time!
Get to know connections for investigation!

Reset passwords immediately to be safe for the moment.

[ExiTuS]
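As an added example (not code from anyone in this thread), a Python script that does the access-log check described above over a few constructed Apache combined-format lines: it keeps only the requests inside the incident window that hit the admin directory or were POSTs, drops the known admin addresses, and groups the rest by client IP. The admin directory name, the time window and all addresses are assumptions.

```python
import re
from datetime import datetime, timezone
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic); the admin directory name is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2019:22:58:10 +0000] "GET /index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2019:23:01:42 +0000] "POST /admin/index.php?module=config-settings&action=change HTTP/1.1" 200 932 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Dec/2019:23:03:05 +0000] "GET /showthread.php?tid=12 HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2019:23:04:09 +0000] "POST /admin/index.php?module=tools-file_verification HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Dec/2019:01:30:00 +0000] "GET /admin/index.php HTTP/1.1" 403 211 "-" "curl/7.68.0"
"""
# Incident window and the admins' own addresses are assumptions for this sample.
INCIDENT_WINDOW = (datetime(2019, 12, 13, 22, 0, tzinfo=timezone.utc),
                   datetime(2019, 12, 14, 2, 0, tzinfo=timezone.utc))
ADMIN_ALLOWLIST = {"198.51.100.23"}

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text, start, end, admin_dir="/admin/", allowlist=()):
    """{ip: [(time, method, path, status), ...]} for in-window requests that hit the
    admin directory or were POSTs, ignoring addresses in allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["ip"] in allowlist or not (start <= rec["time"] <= end):
            continue
        if rec["path"].startswith(admin_dir) or rec["method"] == "POST":
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return dict(hits)

def triage_sample():
    return triage(SAMPLE_LOG, *INCIDENT_WINDOW, allowlist=ADMIN_ALLOWLIST)

if __name__ == "__main__":
    for ip, reqs in triage_sample().items():
        print(ip, *(f"\n  {t:%H:%M:%S} {s} {m} {p}" for t, m, p, s in reqs))
```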
Depending on your server environment, deny all access except from your IP.
https://docs.mybb.com/1.8/administration...-the-forum

There are several different methods. This works for me on Apache 2.4.41 VPS.
<RequireAll>
    # Replace the placeholder with your own address. To allow more than one, list them all on this
    # single line: inside RequireAll every Require must match, so a second Require ip line would lock everyone out.
    Require ip xxx.xxx.xxx.xxx
</RequireAll>

This does not affect FTP access which is how you gain access to your server files.
My shell is on a custom port and is restricted to my IP. The other thing is I am the only one who knows the server IP since we are protected by 2 CDN networks that I have high faith that they weren't both compromised. And MyBB is notorious for SQL injection.

Oh and also I know other sites running MyBB having the same issue.
(2019-12-14, 04:04 AM)Stage4000 Wrote: My shell is on a custom port and is restricted to my IP. The other thing is I am the only one who knows the server IP since we are protected by 2 CDN networks that I have high faith that they weren't both compromised. And MyBB is notorious for SQL injection.
You should check the HTTP server log for accesses, if any, and system log for sure to see if the real weak point is in MyBB or MyBB's plugins or even other things. Templates would also be vulnerable.

There are a lot of ways of compromising a web site. Please see this also: https://docs.mybb.com/1.8/administration...rotection/
If you think it's a MyBB security issue, hope you could report it to the team, more info on this page: https://docs.mybb.com/1.8/development/se...-workflow/ or post your issue in this private forum: https://community.mybb.com/forum-135.html
I appreciate your suggestions and since I run a hacking forum I take security seriously. My ACP is in a new location, is PIN protected, and is only accessible by 3 people by means of IP restriction and 2FA.

Further the 2 other people have no motive for sabotage as they rely on the site for their paycheck.

2 other hacking forums using MyBB have also been compromised. I've shared notes with them and I share no common addons with them (i.e. plugins or themes). This leads me to believe that this is a core security issue.
Your theory is unfortunately pretty unrealistic. Even if there was a specific SQL injection vulnerability that allows the attacker to change the settings in the database, nothing would happen in the first place. MyBB pulls its settings from a file (inc/settings.php) instead.
So either the attacker had access to the file system (not possible with SQL injection) or access to your ACP. Since you claim your ACP is protected by a custom location (not saved in the database), a secret PIN (not in the database either) and IP restricted, it's impossible to gain access to it with a SQL injection vulnerability.

So please provide some evidence or at least some clues to prove your point.
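An added example (not MyBB's own code and not from anyone in this thread) of the check that follows from the point above: a Python script that reads the values MyBB actually runs with out of a copy of inc/settings.php and diffs them against the rows in the settings table, so a DB revert that never reached the cache file shows up immediately. The file excerpt and the table rows are constructed; the `$settings['name'] = "value";` line format with backslash-escaped `\`, `"` and `$` is my understanding of what MyBB's settings rebuild writes, not something the thread confirms.

```python
import re

# One line per setting as written by MyBB's settings cache rebuild (assumed format):
#   $settings['name'] = "value";
# with backslash, double quote and dollar escaped by a backslash inside the value.
SETTING_RE = re.compile(r"""^\$settings\['([^']+)'\]\s*=\s*"((?:[^"\\]|\\.)*)";\s*$""")

def parse_settings_file(text):
    """Map setting name -> value from inc/settings.php content."""
    found = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            name, raw = m.groups()
            found[name] = re.sub(r'\\(.)', r'\1', raw)  # undo the backslash escaping
    return found

def diff_settings(file_settings, db_rows, watch=()):
    """Compare the cache file with (name, value) rows from the settings table.
    Returns {name: (file_value, db_value)} for every name where the two disagree
    or one side is missing (None). `watch` restricts the comparison if given."""
    db = dict(db_rows)
    names = set(watch) if watch else set(file_settings) | set(db)
    return {n: (file_settings.get(n), db.get(n))
            for n in sorted(names) if file_settings.get(n) != db.get(n)}

# Constructed excerpt of a tampered inc/settings.php (placeholder hostnames, not real sites)
SAMPLE_FILE = r'''<?php
$settings['bbname'] = "Hijacked \"forum\"";
$settings['bburl'] = "https://attacker.example/?ref=\$site";
$settings['cookiedomain'] = "";
$settings['cookiepath'] = "/";
$settings['cookiesecureflag'] = "1";
'''

# Constructed rows as the settings table might look after the admin reverted it by hand
SAMPLE_DB_ROWS = [
    ("bbname", "My Forum"),
    ("bburl", "https://forum.example"),
    ("cookiedomain", ".forum.example"),
    ("cookiepath", "/"),
    ("cookiesecureflag", "0"),
]

if __name__ == "__main__":
    for name, (in_file, in_db) in diff_settings(parse_settings_file(SAMPLE_FILE), SAMPLE_DB_ROWS).items():
        print(f"{name}: file={in_file!r}  db={in_db!r}")
```

Every name the script reports is a value the running board still takes from the file, no matter what the table says, until the settings are rebuilt from the ACP.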
(2019-12-14, 11:47 AM)StefanT Wrote: Your theory is unfortunately pretty unrealistic. Even if there was a specific SQL injection vulnerability that allows the attacker to change the settings in the database, nothing would happen in the first place. MyBB pulls its settings from a file (inc/settings.php) instead.
So either the attacker had access to the file system (not possible with SQL injection) or access to your ACP. Since you claim your ACP is protected by a custom location (not saved in the database), a secret PIN (not in the database either) and IP restricted, it's impossible to gain access to it with a SQL injection vulnerability.

So please provide some evidence or at least some clues to prove your point.

The board name, the board URL, all of the general settings of the site were modified. Like you said yourself the ACP would be impossible to access via an SQL injection, but that doesn't mean that the attacker can't change the general site settings.

Further, it would have been impossible to change the settings to what they did from inside the ACP, as the ACP would have used a regex to verify some of the data that was modified and I guarantee that the new data doesn't fit within the regex.

My final point is that the server doesn't allow for external DB connections, and MyBB was the only thing on the server with DB access at the time of the attack. And even if it did, I am the only one who knew the randomly generated password.

I need a secure website and MyBB is not able to provide that.