MyBB Community Forums

Full Version: My forum is getting hacked
Hi people, I have given myself a group, i.e., Founder (just renamed the Admin group).

Anyway, today I found another guy registered as the Founder but I have not given him the rank. I first banned him, but again he registered in the Founder group within a few minutes... I understood he was the same guy as the usernames were closely matching.

Then I demoted him to the Registered users group, but I found within a minute he was back in the Founder group.

This has never happened before, & I know that I'm hacked.
Also to mention, I had changed the passes of all the admins but to no use.

Please help quickly. Thanks.
Tried changing the password to the database? (MySQL)
I think it's an exploit. Please solve this quickly.
(Check your group permissions. I've seen this before; people overlook the 'Users can freely join and leave this group?'. The user would just browse to Group Memberships and join...)
There was an exploit that could allow people to make themselves admins, but it was patched. Reupload all your files to make sure you have the updated files, and also check your templates for any malicious code.

And you didn't need to PM me about this, I couldn't reply because I was unconscious.
I responded to his PM about this, told him it was fixed in the latest MyBB version, which at the time was 1.4.7.

Now there is a new version, you should upgrade to that to ensure you're safe from all known vulnerabilities.
The 1.4.6 exploit is bad and now a script is published at a well-known hacker repository to gain admin. Any chance an email can be sent to all mybboard members that allow admin emails? IMHO this is going to be a problem for many that don't visit this site regularly and run MyBB. It's obvious people are searching Google and penetrating as many MyBB forums as they can.

We are probably going to see threads like this regularly now. Shame this was missed by the security audit. I would make a complaint to them. They should have caught this.