MyBB Community Forums

Full Version: Payload.sh
Last night, my forum was compromised by a group I only know to be called ./Payload.sh. They gained access to both my own and my moderator's account, although how I do not know. I do not know yet what else they have managed to do.

Can anyone assist me on how this happened and what I can do to prevent it? I've never had this happen before so I'm really panicked.

https://universalgaming.net/index.php
You would need to work with your host to see if there are any logs that may give some insight as to how they got in. Assuming you're on the latest version of MyBB, there are no known vulnerabilities. It would also be worth checking that all your plugins are up to date and seeing if any have had security fixes if they're not.

Would also be worth following these steps: https://docs.mybb.com/1.8/administration.../recovery/
According to my wife Payload is a script so I guess they used that and went from there.
There would still need to be some sort of entry point to the forum that they've used, and server logs may have information that points to what they actually did to get access.
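The advice above to go through the server logs, as an added example that is not part of this thread: a small Python triage script that reads Apache combined-format access log lines, keeps only requests inside an incident window that touch MyBB's login handler, Moderator CP or Admin CP, and lists the IPs that logged in and then reached a control panel. The log lines, IPs and time window are constructed for the example; the log format and MyBB paths are assumed to match your server.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Apache combined-log format (not from the thread):
# 203.0.113.7 logs in with a scripted client and opens the Mod CP; 198.51.100.20 only browses.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2021:00:01:02 +0000] "POST /member.php?action=do_login HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [04/Aug/2021:00:01:30 +0000] "GET /modcp.php HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
203.0.113.7 - - [04/Aug/2021:00:02:15 +0000] "GET /modcp.php?action=modlogs HTTP/1.1" 200 7000 "-" "python-requests/2.25.1"
198.51.100.20 - - [04/Aug/2021:00:05:00 +0000] "GET /showthread.php?tid=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Aug/2021:03:00:00 +0000] "POST /member.php?action=do_login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Incident window to examine (assumed values chosen for the sample above).
WINDOW_START = datetime(2021, 8, 3, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 8, 4, 1, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# MyBB entry points worth a second look after an account takeover: login, Mod CP, Admin CP.
SENSITIVE = {
    "login": re.compile(r"^/member\.php\?action=(do_)?login"),
    "modcp": re.compile(r"^/modcp\.php"),
    "admin": re.compile(r"^/admin/"),
}

def classify(path):
    """Tag a request path, or return None if it is not a sensitive endpoint."""
    return next((tag for tag, rx in SENSITIVE.items() if rx.match(path)), None)

def triage(log_text, start, end):
    """Group sensitive requests inside [start, end] by client IP: {ip: [(time, tag, method, path, status)]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, TIME_FMT)
        tag = classify(path)
        if tag and start <= when <= end:
            hits[ip].append((when.isoformat(), tag, method, path, status))
    return dict(hits)

def suspicious_ips(hits):
    """IPs that logged in and then reached the Mod CP or Admin CP inside the window;
    compare these against the moderator's own known addresses first."""
    return sorted(ip for ip, events in hits.items()
                  if "login" in {e[1] for e in events}
                  and {"modcp", "admin"} & {e[1] for e in events})
```

Point the script at the real access log and the real attack window; an unfamiliar IP with a scripted user agent hitting do_login and then modcp.php is the session to hand to your host.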
Okay. I tried finding logs myself but so far haven't had much luck so I contacted my host. Thank you.
If you want, drop a list of your plugins here; it is not uncommon for private/non-public plugins to be found vulnerable.
As far as I know they're all up to date now, but this is what I have:

MentionMe (3.2.12)
MyAlerts (2.0.4)
NewPoints (2.1.1)
Online Today (2.0.4)
OUGC Awards (1.8.22)
Page Manager (2.1.3)
Warn about new posts (1.0)
Spoiler MyCode (1.8.2)
Thread Description (1.3)
Upcoming Events (1.2)

Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user. Tongue
Which Newpoints plugins do you use? Could you share all your Page Manager pages?

I fixed the following in my OUGC Awards plugin: (should be fixed in 1.8.22)
https://github.com/Sama34/OUGC-Awards/co...26b92c3432

But this would only be a threat if you don't trust your moderators, as they are the only ones that can assign a custom "reason" for awards.
(2021-08-04, 08:34 PM)Moonface Wrote: [ -> ]Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user. Tongue

Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".

But please note, for the moderator to exploit this the moderator account would have to have been compromised first, or the moderator would have to have been untrustworthy from the beginning; no bug found in the plugin up to today would grant access to accounts in any way.
(2021-08-04, 08:55 PM)Omar G. Wrote: [ -> ]Which Newpoints plugins do you use? Could you share all your Page Manager pages?

I fixed the following in my OUGC Awards plugin: (should be fixed in 1.8.22)
https://github.com/Sama34/OUGC-Awards/co...26b92c3432

But this would only be a threat if you don't trust your moderators, as they are the only ones that can assign a custom "reason" for awards.
I only use the standard currency for Newpoints. It doesn't have any other plugins in use on the Newpoints Plugins page.

(2021-08-04, 08:58 PM)Omar G. Wrote: [ -> ]
(2021-08-04, 08:34 PM)Moonface Wrote: [ -> ]Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user. Tongue

Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".

But please note, for the moderator to exploit this the moderator account would have to have been compromised first, or the moderator would have to have been untrustworthy from the beginning; no bug found in the plugin up to today would grant access to accounts in any way.

Well, my moderator is my wife so I can definitely attest she is trustworthy, plus she was not online when her account was compromised. Where can I find the DB rows exactly (I'm still not very tech savvy with looking inside databases), and would the ones they had prior to the attack suffice? I removed all the extra awards they were granted during the attack.

If it's of any help, this was the website linked back to during the attack: https://payload.sh/