MyBB Community Forums

Full Version: Attempted attack?
I got a warning email from my site -- it's only had MyBB for about 3 days total:

A user has tried to access the Administration Control Panel for Boltsmag Message Forum. They were unable to succeed in doing so.
Below are the login details:

Username: \\\' or 1=1 /*
Password: (MD5: d41d8cd98f00b204e9800998ecf8427e)

IP Address: 10.29.8.98
Hostname: 10.29.8.98

Now, I've seen the security vulnerability and patched my software but I don't know if I should worry about this or what...

Change the admin folder to something else like mommy or something people can't get to. That's what MsgPlus forum did.
Here's a copy of the thread on my forum, I gave people options on how to protect their forum.

Marc Wrote:It has been reported that people have been trying to do exploit attempts on MyBB RC4 by trying to log in as an admin. There are a few steps that you can take to keep your forum running safe.

1st Option

Chris Boulton Wrote:Add

// Reject admin login attempts whose username contains a single quote
if(strpos($_POST['username'], "'") !== false && $do == "login")
{
    die("");
}

In admin/global.php right before:

if($do == "login") {

2nd option is renaming the admin path to something else.

3rd option is log into cpanel, go to "Password Protect Directories", find your way to your forums folder and then click "admin" (or the name of the admin cp path). It will give you details about protecting that area.

// Reject admin login attempts whose username contains a single quote
if(strpos($_POST['username'], "'") !== false && $do == "login")
{
    die("");
}

Won't work if the admin has a ' in their name. But then again, not many people do that. Just a word of caution if people do do it.

EDIT: Only script kiddies/low level hackers will try to use the admin login function. It's easier to find a weakness in the code (e.g. the phpBB highlight exploit) than to crack a password or use MySQL injection in sources that are already filtered properly (login pages etc).
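To show why the quote check above is only a stopgap, here is an added example (not code from the thread or from MyBB) that puts the blocklist beside a parameterized lookup; it assumes PHP 7.1+ with the pdo_sqlite extension and a made-up users table:

```php
<?php
// Added example, not code from the thread or from MyBB. Assumes PHP 7.1+ with the
// pdo_sqlite extension; the users table and its columns are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT, adminaccess INTEGER)");
$ins = $db->prepare("INSERT INTO users (username, password, adminaccess) VALUES (?, ?, ?)");
// Constructed sample accounts; the second admin legitimately has a quote in the name.
// (MyBB RC4 stored plain MD5 hashes, as the warning e-mail shows; password_hash()
// is used here instead.)
$ins->execute(["admin", password_hash("correct horse", PASSWORD_DEFAULT), 1]);
$ins->execute(["O'Brien", password_hash("another pass", PASSWORD_DEFAULT), 1]);

// The workaround from the thread: refuse any login username containing a quote.
// It blocks the probe, but it also locks out O'Brien.
function quote_blocklist_rejects(string $username): bool
{
    return strpos($username, "'") !== false;
}

// Parameterized lookup: the username is bound as data, so the SQL text never
// changes no matter what characters it contains, and no blocklist is needed.
function admin_login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare("SELECT uid, password FROM users WHERE username = ? AND adminaccess = 1");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password: same answer either way
    }
    return (int) $row['uid'];
}

// The username from the warning e-mail is just a string that matches no row.
var_dump(admin_login($db, "\\' or 1=1 /*", ""));
// The blocklist rejects a legitimate admin; the parameterized login accepts them.
var_dump(quote_blocklist_rejects("O'Brien"));
var_dump(admin_login($db, "O'Brien", "another pass"));
var_dump(admin_login($db, "O'Brien", "wrong"));
```

Both the probe string and the admin name with an apostrophe pass through the prepared statement unchanged; only the row match and the hash check decide the outcome.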

marcgo15 Wrote:Here's a copy of the thread on my forum, I gave people options on how to protect their forum.

Marc Wrote:It has been reported that people have been trying to do exploit attempts on MyBB RC4 by trying to log in as an admin. There are a few steps that you can take to keep your forum running safe.

1st Option

Chris Boulton Wrote:Add

// Reject admin login attempts whose username contains a single quote
if(strpos($_POST['username'], "'") !== false && $do == "login")
{
    die("");
}

In admin/global.php right before:

if($do == "login") {

2nd option is renaming the admin path to something else.

3rd option is log into cpanel, go to "Password Protect Directories", find your way to your forums folder and then click "admin" (or the name of the admin cp path). It will give you details about protecting that area.

4th option: All of the above ;)

I've had the same attack happen to my forums. However, I was too late when I checked my emails, and then I saw my forums got the worst end of the stick: The cracker had a success.

This is what happened to my forum - http://vgc.theglassprison.net/board