MyBB Community Forums

Full Version: My forum was hacked - solved it, but help me understand
Hi,
My forum was hacked again - this is the third (yes, 3) time. I did a lot of investigating on how that was done and I found that five (5) files were changed:
(all under the /inc/language folder)
1. /index.htm
2. /english/index.htm
3. /english/index.lang.php
4. /hebrew/index.htm
5. /hebrew/index.lang.php
All files had the same content.

What I did to (try and) prevent this next time:
1. Changed my admin's password
2. Changed my FTP and site's Control Panel password (both are in the same place)
3. Changed permissions of these files to 644


As I'm now preparing to do some shouting at my ISP (the domain holder/publisher), I would like to know:
1. Can these files be changed via MyBB itself (either via the AdminCP or another method)?
2. Has anyone encountered this type of hacking?
3. What do you think is my best way to prevent this from happening again?
4. Is what I did good, bad or not enough?


Please help as soon as you can,
Ori...
Language files can be edited from the Admin CP if the language folder has the correct (write) permissions (I think, normally when I do language file edits I edit the file manually myself - so I can't be 100% sure).


At the end of the day though, the files can only be changed via the Admin CP and FTP directly.
If any one of those ways is compromised then you can be 'hacked'.
Create better passwords, keep them safe, don't share them, and make sure that you do not have any viruses, trojans, etc. that can log your keystrokes (key logger).
Yes, I do know that the language files can be edited via the AdminCP, but the content of the changed/hacked files did not resemble any known MyBB format.
Well then it must have been done via FTP.
What was different about the changed files...??
They were changed into a regular html page - no lang option.
If you want to see the hack, go to http://www.ithelp.co.il/hacked - I placed one of the changed files there.
I would recommend that you move away from FTP and start using SSH/SCP to transfer files to your website.

The reason?

FTP transfers your username and password as plain text. We've been seeing a lot more viruses that sniff for FTP traffic, filter out the username and password and IP address, then the cybercriminals use an automated program that logs into the site with the login credentials sniffed, inserts their malscript in many places and then moves onto the next site.

We've also been seeing hacks that infect a PC, sniff the FTP traffic and automatically insert the malscript into the traffic you're sending to your website. This removes the step of them logging into your site from an IP address that would show up in the logs (hardly anyone reviews their log files anyway) and you could block. This second way will only show FTP traffic from your PC to your website thus preventing you from considering changing anything on your PC.

If the moderator would like, I could produce a write-up on how to use SSH/SCP in place of FTP and this could be published here for all members to adopt. The software I use is free so I'm not looking to make any money off of this, just lend my expertise to those who need it.
Thomas,
As a general rule, you're correct, but my ISP (which holds my domain/website) doesn't support anything other than FTP.
(2009-05-11, 02:22 PM) okitai wrote: Thomas,
As a general rule, you're correct, but my ISP (which holds my domain/website) doesn't support anything other than FTP.

Do they support SFTP? If so, I'd move to that. Ask them what other protocol they support.
/index.htm is not a MyBB file.

What other scripts are you running on the site? Most likely a security hole in a script. Plus what are chmod permissions on those files?
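
A defender's check for the symptoms described in this thread, added here as an example and not part of any post: run against a local copy of the language folder, it flags `.lang.php` files that are not PHP, one page copied over several files, and files writable by group or others. The function names, the sample tree, and the assumption that a genuine language file starts with `<?php` belong to this example.

```python
import hashlib
import os
import stat
from collections import defaultdict


def audit_language_dir(root):
    """Return findings for a local copy of the forum's language folder."""
    findings = {"not_php": [], "same_content": [], "loose_perms": []}
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            # Assumption: a genuine language file is PHP source starting with "<?php".
            if name.endswith(".lang.php") and not data.lstrip().startswith(b"<?php"):
                findings["not_php"].append(rel)
            # 644 lets only the owner write; flag any group/other write bit.
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings["loose_perms"].append(rel)
    # The thread's signature: one page copied over several files, PHP ones included.
    for paths in by_hash.values():
        if len(paths) > 1 and any(p.endswith(".php") for p in paths):
            findings["same_content"].append(paths)
    return {key: sorted(value) for key, value in findings.items()}


def build_constructed_sample(root):
    """Constructed sample tree: one clean language file, one overwritten pair."""
    page = b"<html><body>constructed replacement page</body></html>"
    files = {
        "english/global.lang.php": (b"<?php\n$l['welcome'] = \"Welcome\";\n", 0o644),
        "english/index.lang.php": (page, 0o644),
        "english/index.htm": (page, 0o666),
    }
    for rel, (data, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)


if __name__ == "__main__":
    import sys
    print(audit_language_dir(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Permission bits are only meaningful when the copy preserves them, so the `loose_perms` result applies to files checked on the server or a mirror that kept their modes.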