MyBB Community Forums

Full Version: I don't know how to explain this? "exploit or hack"
So as of this year, approx. 1 week ago, I was hacked, or injected with an exploit within the software perhaps.
I have been using MyBB since 2008 up to now. I have had a few different domains. I have always hosted MyBB at home. Never had any problems whatsoever in 13 years.
Recently I decided to change over from Windows 10 to Linux this year.
I installed Apache, PHP 7.4 and MySQL within Linux and had no problems running it on Linux Mint 20. Now during this time, 2 weeks ago, I was seeing on YouTube that switching Apache to nginx and switching MySQL to MariaDB would increase performance ratings, along with redis-server, php-redis, php-opcache, php-fpm, php-cgi, php-xml, php-gd. Before I forget to mention, I also reformatted and installed Ubuntu 20.10, I believe.

Last week, after all these changes, I did some online website speed tests and yes, performance increased, so I was definitely happy. One morning I woke up, got onto my forum to make sure everything was running, and noticed that my thread rating was out of place, so I came on here asking for help (I am sure some of you remember), but none of it helped my situation, so I just disabled the feature so that the code wasn't all over my site. Then at the same time I also noticed that my profile/country flag was changed to another country, my profile/website URL in my description was pointing to a pharmaceutical company, my profile/Skype or profile/AOL ID was pointing to this person, and my profile/signature was also pointing to a pharmaceutical company.

Here is the weird thing: no logs showing up for any other IPs or admins. I even had someone from the Ubuntu team check whether I had any open doors or malware on my Ubuntu server, and there was none. However, whoever did this was from here, lurking... Nobody on YouTube knew that I was running Linux and nobody on Ubuntu knew who I was. Obviously in my profile on MyBB below here, and in the profile on here, obviously someone on here who I assume did this to me. It's been taken care of obviously, but I just wanted to share this info with everyone to be careful and cautious, because there are people looking for what you say, like hackers preying on posts with info regarding vulnerable ones like myself here on MyBB. I say this because when I mentioned on MyBB in a thread that I was changing over from Windows to Linux, not long after, all this trouble started.

As for what happened to me, can anyone hopefully shed some light on how, or where, or who could change these little things without any signs of entering the Linux or MyBB software? Let me remind you, once I noticed the rating stars code looked like someone had played around with the code, at the exact same time other things on my profile were mysteriously changed. Thread ratings are still disabled.

Passwords or emails were never tampered with.
Definitely sounds like you have been breached. It's difficult to really ascertain the exact cause at this point in time. I will say that you are using a fantastic server setup with Ubuntu, PHP-fpm, nginx, and MariaDB. This is a very fast, industry-standard combination (and a lot of people are afraid to try out non-Apache tools to get the performance improvements). I'm using nginx myself and it's been with fantastic results.

It's hard to really rule out a server-related vulnerability at this point, but I wouldn't rule out a MyBB related issue either. It could very well be either, and to look into that, we would need to ask several more questions on it. But first, on the server side of things:
  • You're obviously very up-to-date on software, so unless it's a zero day, it's likely not a software update issue.
  • You're not using any unofficial, community-made PHP modules.
  • Make sure that you have run mysql_secure_installation after installing MariaDB. Otherwise, anyone can log into your MySQL server with no password. (Yes, the default password really is blank and allows anonymous access. Amazing that they haven't fixed this to this day).
  • Make sure PHP PathFixAuto is disabled in your PHP.ini
  • Make sure your file permissions don't allow writes from anywhere. This is perhaps one of the trickiest parts of the setup because this can cause PHP to act funky if you haven't chowned the directory to www-data (PHP's user). But this is a good step to take because it can make it more difficult for someone to gain access and mess with the files/add backdoors.
  • I'm assuming your passwords are secure, random generated, and that you have an SSH private/public keypair already.
  • I'm assuming you've changed your MyBB password to a unique, random generated password already. (Make sure that all of your staff do the same, because some passwords may have been stolen in the breach).
  • I'm assuming of course that you're using MyBB 1.8.24 as well?

Beyond the server side of things, there are two leading possibilities for front end breaches. The more likely of the two is SQL injection, given that this was done without a trace. SQL injection effectively bypasses MyBB's normal checks for everything. There are no IP logs, no ACP logs, or otherwise no traces that can really help to ascertain exactly who performed it. It is a fly-by-night operation that can change profile fields, templates, settings, user accounts, dump databases, delete data, and so forth.

(I myself was hacked through SQL injection in a third-party plugin several months ago. This is exactly how it happened. Totally without a trace. We of course disabled all plugins, reinstalled the server/MyBB, restored files and databases from a backup, and manually moved more recent posts one-by-one to restore. We got back online without much data loss, but it was a mess).

I would of course double check the logs as well (and search them very carefully). Make sure that there are no logs at all in the ACP under any admin's account that look suspicious or that look like actions you did not take (and certainly any record of the logs being pruned is suspicious). XSS would allow an account takeover through bad javascript stealing your cookie, so this would likely put, at the very least, logs into the ACP for template modifications (and it would be under an administrator's name).

Front end changes (such as profile fields) could have easily been done with XSS/CSRF or with SQL injection, both of which would have been possible. The back end changes are much harder to imagine being possible without some sort of SQL injection or deeper server-level breach. If they were done without any logs, it likely wasn't XSS, hence SQLi is a very plausible first suspicion here.

I'm also very curious on your plugin list. While using only official, mod DB plugins is an important start, I should warn that there are a number of vulnerable plugins that are not publicly known (some of which come from surprising sources, believe me). If you can PM me a list, I can try to look into my own research and see if there are further issues that are known in the circles that I am present in. In the meantime, I'd disable as many as you're able to as a start. (I myself got hacked from a third party plugin some number of months ago and have audited a number of them, so I definitely know the potential of this sort of thing...)

Hope others are able to give some good advice too. We'll get to the bottom of this one way or another. :)
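The SQL-injection path the reply above describes, as an added illustration that is not code from the post or from MyBB: a forum's profile-update query built by string concatenation, beside the same update with bound parameters. The users table, the two accounts and the attacker's "website" value are constructed for the example; the real MyBB schema and its `$db` wrapper are not used here. The point to watch is that the injected statement touches only the columns the attacker names, so the admin's password hash is untouched, no login or ACP action happens, and nothing is logged by the application.

```python
"""Show how an SQL-injectable profile update lets a low-privilege member
rewrite another account's fields with no application-level trace.
Constructed, self-contained example on an in-memory SQLite database; the
schema is a simplified stand-in for a forum users table, not MyBB's."""
import sqlite3

ADMIN_UID = 1
ATTACKER_UID = 7
COLUMNS = ("uid", "username", "password", "website", "signature", "country")

# Constructed sample data: one admin, one ordinary member (the attacker).
SEED_ROWS = [
    (ADMIN_UID, "admin", "$2y$hash-of-admin-pw", "https://forum.example", "Admin sig", "US"),
    (ATTACKER_UID, "lurker", "$2y$hash-of-lurker-pw", "", "", "CA"),
]


def fresh_db() -> sqlite3.Connection:
    """Create the constructed users table and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, website TEXT, signature TEXT, country TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", SEED_ROWS)
    return conn


def update_website_vulnerable(conn: sqlite3.Connection, uid: int, website: str) -> str:
    """The bug: the user-supplied value is spliced into the SQL text.
    Returns the statement actually executed so the reader can see what
    the database saw. Note the uid IS cast to int, which does not help."""
    sql = f"UPDATE users SET website='{website}' WHERE uid={int(uid)}"
    conn.execute(sql)
    return sql


def update_website_safe(conn: sqlite3.Connection, uid: int, website: str) -> None:
    """The fix: bind the value; the driver never lets it become SQL."""
    conn.execute("UPDATE users SET website=? WHERE uid=?", (website, int(uid)))


def profile(conn: sqlite3.Connection, uid: int) -> dict:
    """Fetch one user row as a dict."""
    row = conn.execute(
        "SELECT uid, username, password, website, signature, country "
        "FROM users WHERE uid=?", (uid,)
    ).fetchone()
    return dict(zip(COLUMNS, row))


# Attacker-controlled "website" field (constructed). The first quote closes
# the string literal, the extra assignments rewrite other columns, the
# attacker supplies his own WHERE aimed at uid 1, and the trailing "--"
# comments out the application's own WHERE clause.
PAYLOAD = (
    "https://pills.example', signature='Cheap meds: https://pills.example', "
    f"country='RU' WHERE uid={ADMIN_UID} -- "
)


def run_demo() -> dict:
    """Run the same payload through both code paths and return the rows."""
    vuln = fresh_db()
    executed = update_website_vulnerable(vuln, ATTACKER_UID, PAYLOAD)
    safe = fresh_db()
    update_website_safe(safe, ATTACKER_UID, PAYLOAD)
    return {
        "executed_sql": executed,
        "vuln_admin": profile(vuln, ADMIN_UID),
        "vuln_attacker": profile(vuln, ATTACKER_UID),
        "safe_admin": profile(safe, ADMIN_UID),
        "safe_attacker": profile(safe, ATTACKER_UID),
    }


if __name__ == "__main__":
    r = run_demo()
    print("vulnerable path executed:", r["executed_sql"])
    print("admin row after vulnerable update:", r["vuln_admin"])
    print("admin row after safe update:      ", r["safe_admin"])
    print("attacker row after safe update:   ", r["safe_attacker"])
```

In the vulnerable path the admin's website, signature and country change while the password hash and the attacker's own row do not; in the safe path the whole payload is simply stored as the attacker's website string. In MyBB plugin code the equivalent fix is to pass every value through `$db->escape_string()` or use `$db->update_query()` with an integer-cast `uid`, never to concatenate `$mybb->input[...]` into a query string; a plugin that does the latter gives exactly the trace-less profile rewrite described in this thread.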
(2021-02-02, 02:42 PM)Darth Apple Wrote: Definitely sounds like you have been breached. It's difficult to really ascertain the exact cause at this point in time. I will say that you are using a fantastic server setup with Ubuntu, PHP-fpm, nginx, and MariaDB. This is a very fast, industry-standard combination (and a lot of people are afraid to try out non-Apache tools to get the performance improvements). I'm using nginx myself and it's been with fantastic results.


This is well written and very informative, an amazing write-up on what we all should be taking serious note of, checking and verifying.

Honestly, OK, the very first time I did forget to run "mysql_secure_installation", but it was done within 24 hrs.
I have no idea what this "PHP PathFixAuto" is. Just curious what it does, and if it's a security risk, why it is not disabled by default.
I am extremely new and, to be honest, I still can't figure out what "www-data (PHP's user)" does exactly, but I'm guessing user-specific permissions. I am still not understanding this too well.
As for the MyBB www folder, I followed a page somewhere around here on how to set the specific permissions for the admin/ folder and inc/ folder from the terminal.


I am very happy that you have brought all these things to my attention. Hopefully it helps others who are new to Linux.

Also, I am eventually thinking of getting rid of plugins. I will find a reputable theme developer on here to design a theme, or redesign an existing theme to my liking, along with some added PHP code edits, so that I can avoid ever using extra plugins altogether.
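For the two server-side questions in this last post, an added example that is not a MyBB tool and not code from any post in the thread. "www-data (PHP's user)" is the Unix account the PHP-FPM worker processes run as, so any file that account can write is a file a compromised PHP script (or a vulnerable plugin) can rewrite or plant a backdoor in; MyBB only needs a handful of paths writable. PHP has no directive called PathFixAuto; I assume the reply meant cgi.fix_pathinfo, which defaults to 1 and, behind an nginx location that forwards every *.php URI to PHP-FPM without a try_files check, lets a request such as /uploads/avatar.jpg/x.php run the uploaded file as PHP. The script below walks a web root and reports what the PHP user could write outside the paths MyBB needs, flags PHP files under uploads/, and reads cgi.fix_pathinfo from a php.ini; the writable-path list, the www-data name and the paths in the usage line are assumptions.

```python
"""Offline checks for the server-side points raised in this thread: what
the PHP-FPM user can write under the web root, PHP files under uploads/,
and cgi.fix_pathinfo in php.ini. Added example, not a MyBB tool; the
writable-path list and the www-data user are assumptions."""
import os
import stat
import sys
from pathlib import Path

# Assumption: the paths MyBB itself needs the web server to write to.
# Anything else under the web root should not be writable by PHP-FPM.
WRITABLE_OK = ("uploads", "cache", "admin/backups", "inc/config.php", "inc/settings.php")
PHP_SUFFIXES = (".php", ".phtml", ".phar", ".php5", ".php7")


def php_can_write(st: os.stat_result, php_uid: int, php_gid: int) -> bool:
    """Could a process running as php_uid/php_gid modify this path?"""
    mode = st.st_mode
    return bool(
        (mode & stat.S_IWOTH)
        or (st.st_uid == php_uid and mode & stat.S_IWUSR)
        or (st.st_gid == php_gid and mode & stat.S_IWGRP)
    )


def audit_webroot(root: str, php_uid: int, php_gid: int, writable_ok=WRITABLE_OK) -> list:
    """Return sorted (finding, relative_path) pairs for everything under root."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            st = p.lstat()  # do not follow symlinks
            allowed = any(rel == ok or rel.startswith(ok + "/") for ok in writable_ok)
            if st.st_mode & stat.S_IWOTH:
                # 777/666 style permissions: everyone on the box can write it
                findings.append(("world-writable", rel))
            elif php_can_write(st, php_uid, php_gid) and not allowed:
                # PHP-FPM could rewrite this file or drop a backdoor here
                findings.append(("writable-by-php-user", rel))
            if rel.startswith("uploads/") and p.suffix.lower() in PHP_SUFFIXES:
                # uploads/ is the classic place for a planted web shell
                findings.append(("php-in-uploads", rel))
    return sorted(findings)


def fix_pathinfo_enabled(php_ini: str) -> bool:
    """True when cgi.fix_pathinfo is effectively on. PHP's built-in default
    is 1, so a php.ini that never mentions the directive counts as enabled."""
    value = "1"
    for raw in Path(php_ini).read_text().splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "cgi.fix_pathinfo":
            value = val.strip().strip('"').lower()
    return value not in ("0", "off", "false", "no", "")


def main(argv: list) -> int:
    import pwd  # Unix only; resolves the PHP-FPM user name to uid/gid
    if len(argv) != 4:
        print(f"usage: {argv[0]} WEBROOT PHP_USER PHP_INI", file=sys.stderr)
        return 2
    root, user, ini = argv[1:]
    pw = pwd.getpwnam(user)
    for kind, rel in audit_webroot(root, pw.pw_uid, pw.pw_gid):
        print(f"{kind:22} {rel}")
    print("cgi.fix_pathinfo enabled:", fix_pathinfo_enabled(ini))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `python3 webroot_audit.py /var/www/mybb www-data /etc/php/7.4/fpm/php.ini` (assumed file name and paths) prints one finding per line; a clean MyBB install should show nothing outside uploads/, cache/, admin/backups/ and the two inc/ files, no PHP under uploads/, and either `cgi.fix_pathinfo = 0` or an nginx `try_files $uri =404` in front of the PHP location. The MariaDB point in the earlier reply needs a live server rather than a script: after mysql_secure_installation, `SELECT user, host FROM mysql.user WHERE user = '';` should return no rows.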