Funny, it seems TE 8's only problem here is that, for some reason, TE 8 was not aware of the latest release. And therefore, he was running an 'old' version of MyBB.
Being he has "clients" using this software, wouldn't it be his fault, and not MyBB's, that he was hacked due to his lack of diligent support, ensuring that the latest version of MyBB was installed for his "clients"?
Only once has my forum ever been "attacked", but it was by a spammer, and it was my fault for not applying the proper settings to prevent it from happening.
I can honestly say that, in my experience, MyBB is probably the most secure free forum software currently available and I trust that the MyBB team will keep it that way.
As an admin, or "service provider", it is their job to "keep-up" on software updates and install them ASAP. IT IS NOT, necessarily, the responsibility of the developers of any software to ensure that ALL USERS of said software receive notice of such updates. Simply by 'signing up' for such a service does not always guarantee you will be informed.
I am very happy with MyBB and I have never used any software that claimed to be the "FINAL VERSION" due to it being so perfectly written that it will never need another "fix" or "update" for the rest of its existence. Obviously, there is "abandoned" software that has become the "final version". However, MyBB is not one of them.
Interestingly, after reading all of this thread, what the actual attack was, we still don't know. Hmmm....
What we do know is that he was not running the latest version. His fault, not MyBB's.
From the initial post:
Quote: ...and only find out about the severe problems when I got complaints about my server hosting phishing scams. And every time the culprit is the same: MyBB.
I am no expert by any means, but I think not! It seems to me that "phishing" is not even possible by the MyBB software without some kind of additional malicious code being added to it, or other code being placed on your server itself, to "use" MyBB, or some other legitimately installed software, to do that.
Someone, or thing, may have found a "back door" to your server or software and installed it. (Not entirely uncommon, BTW.) IMO, you should check/change your server or software security settings, password(s), etc. and look for any "unauthorized" access that allowed software installs/updates on your server(s).
Oh, here's a hint - DO NOT REMOVE THE "LOCK" FILE FROM YOUR FORUM'S INSTALL FOLDER! Without it, you are likely open to attacks!
Developers: If the above statement is "dangerous", please edit this post and remove it along with this statement. THX
I think it's time to close this thread and allow it to quietly die now, isn't it?