MyBB Community Forums

Full Version: Email I got over the weekend from my forum
A user has tried to access the Administration Control Panel for KJS Computer Services. They were unable to succeed in doing so.
Below are the login details:

Username: [blabla]\' UNION SELECT username,uid,password,usergroup FROM mybb_users/*
Password: (MD5: d41d8cd98f00b204e9800998ecf8427e)

IP Address: 195.68.248.134
Hostname: dialup5.westlucky.net

Thank you.

No idea if the info is important or not; figured I should let someone see it.
That's good, at least it gives us info of someone trying to crack through the admin cp login using SQL injection. If it was just repeated attempts of your username and password then it wouldn't have been so important.
So that is an SQL injection?
If you got that email, I do believe it means he failed in his attempt to get everyone's username, uid, password, and usergroup.
http://www.mybboard.com/community/showth...7#pid16487 wrote: There are some other ways you can prevent MyBB being hacked though. Change the admin directory name to something more complex like "rdq3f5a5" or something, then install this mod from decswxaqz: http://mybbmods.eckohost.net/view.php?did=67. That should make access to the Admin area 99% impossible to hackers.
More ways are removing unneeded files in your forum like you've started doing. If you don't need the calendar, remove the PHP file and all links to it. The less code/files there are, the less chance a security hole can be exploited.

As for the hackers, there's nothing you can do but block their IPs from the forum! Admin CP > Board Settings > Changes > Banning Options > Ban by IP
[ blabla]\' UNION SELECT username,uid,password,usergroup FROM mybb_users/*

Yes, it's SQL injection. The \' if not quoted becomes ' which would terminate the SQL.

For example
$sql = "SELECT * FROM mybb_users where user_name = '$user_name' AND password = PASSWORD('$password')";
The sql would become
$sql = "SELECT * FROM mybb_users where user_name = '[blabla]' UNION SELECT username,uid,password,usergroup FROM mybb_users/*' AND password = PASSWORD('$password')";

The ' terminates the SQL and allows the attacker to enter their own SQL. This seems a stranger SQL injection than most. I think the usual is
' OR 1=1;--
The OR 1=1 would always return true, which should allow you to log in depending on the source code. The -- makes the rest of the SQL following it a comment.

Try searching for sql injection on the net.
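The two queries from the post side by side, as an added example that is not code from the post or from MyBB: SQLite stands in for MySQL, PASSWORD() is registered as an assumed MD5 stand-in for MySQL's function, and the mybb_users rows are constructed. The concatenated query returns every row for the username from the e-mail, while the parameterized one treats it as plain data.

```python
import hashlib
import sqlite3

# Constructed sample rows with the columns named in the injected UNION SELECT.
SAMPLE_USERS = [
    ("admin", 1, hashlib.md5(b"s3cret").hexdigest(), 4),
    ("alice", 2, hashlib.md5(b"hunter2").hexdigest(), 2),
]

# The username from the e-mail, with the escaped \' written as the bare quote
# that reaches the database when the input is not escaped.
INJECTED_USERNAME = "[blabla]' UNION SELECT username,uid,password,usergroup FROM mybb_users/*"


def make_db():
    conn = sqlite3.connect(":memory:")
    # Assumed stand-in for MySQL's PASSWORD(): MD5 only so the query runs in SQLite.
    conn.create_function("PASSWORD", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE mybb_users (username TEXT, uid INTEGER, password TEXT, usergroup INTEGER)")
    conn.executemany("INSERT INTO mybb_users VALUES (?,?,?,?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, user_name, password):
    # Vulnerable: user input is spliced into the SQL text, like the $sql line in the post.
    # The quote ends the string literal, UNION appends every row, and /* discards the rest.
    sql = ("SELECT * FROM mybb_users WHERE username = '%s' "
           "AND password = PASSWORD('%s')" % (user_name, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user_name, password):
    # Hardened: placeholders bind the input as data, so the quote cannot close the
    # literal and the whole injected string is just compared against the username column.
    sql = "SELECT * FROM mybb_users WHERE username = ? AND password = PASSWORD(?)"
    return conn.execute(sql, (user_name, password)).fetchall()
```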
Blocking people's IPs from the forum usually doesn't do much, since the average hacker is using a proxy already; he'll just hop on another proxy or SOCKS4/5 connection and get right back on your site. Also, blocking from your MyBB forum isn't really doing anything; it's just a simple if statement with your IP in it seeing if it proves true, and if it does, all you see is a 'hey, you're banned' page. Usually people can still exploit it. Your best bet is to block them using an .htaccess rather than the Admin CP.
Deny from 192.168.0.1

But like I said, this really won't do much.
I got that too. I thought it was just me :p
Well, what in the world? Someone came to this site and is going down the member list trying to exploit the software, or what?

Any way to do wildcards with an .htaccess? 195.68 seems to be consistent.