MyBB Community Forums

Full Version: index.php hacked
I was running 1.42 and my shared host reported that someone hacked into my forums:
"The account, however, was exploited via the forum. A php shell located in /home/mysite/public_html/forums/cache/themes named inc.php was the file used."

This enabled the hacker to revise all the other index.php and html files (WordPress, Moodle etc.) on my shared host.

I upgraded to 1.48 and this replaces the index.php with a new file.

The problem is if you look at the code the new file looks fine. If you load the page you get this Iranian propaganda. http://forums.alphaplus.ca/index148.php

Any idea how the standard 1.48 index.php file can call up this other stuff?

Thank you.

Alan
I don't know if it is allowed to reply to members who need help, but how could this happen? Maybe you had the CHMODs not correct? Folders should be 755, files 644, some files need special CHMOD. Read the wiki here: http://wiki.mybboard.net/index.php/CHMOD_Files
I think I accidentally deleted the other person's reply when I tried to reply. Thank you both for your responses.

I renamed the index.php file for demonstration/troubleshooting purposes. I've a simple "temporarily off line" message while trying to troubleshoot the problem. If I use the new index.php (not renamed) from the most recent MyBB version the effect is the same.

I don't think the problem is permissions - they look correct.

It looks like the hacker was able to change some file that is not updated or replaced in the upgrade process. The 1.48 index.php file still references this hacked file - somehow.

Again my apology for accidentally removing/reporting the other response.
Well, I didn't really understand fully. You mean that the latest version of MyBB still has bugs or problems against being hacked?

Or maybe the hacker knew some useful password, with which he had some access? (If you had a weak password.)

I will review this thread many times until I get more information,
thank you
Hi Torrent,

I am not suggesting that the current distributed version has a problem and I don't think the hacker is still accessing or changing my installation or files.

I think whatever changes were made earlier to version 1.42 are still affecting my upgraded install of 1.48.

I place the new correct index.php file in the home directory. This file remains 100% perfectly fine, but if you call up the site the hacked code is displayed. The file is still fine.

Somehow the default index.php (up-to-date, unaltered) redirects to the earlier hacked IRAN page.

I hope that is clearer. Thank you for your attention and help.
If you can't alert members here, how about a sticky at least to answer all the coming questions about this hack?
Hello labrocca,

I don't understand your reply, but I think you are suggesting that I am not using the correct Community forum or proper Netiquette or proper feature.?? Please if it is important try restating your reply.

A
Sorry this was more of a general response as the daily "got hacked" threads roll in. So far no staff member has posted in this thread.

I've been rallying for a notice to be sent via PM or email to all Mybboard members to alert them of the exploit. I think we also need a very strong sticky explaining the situation and methods to resolve it. No sense in having new threads every day with the same type of replies. People also need quick help.

I feel bad that sites are still getting hacked. You've been a member here since 2008. Are you part of the mailing list?
Thanks labrocca,

I did search for other similar problem, but did see anything exactly the same.

I've had to replace my MyBB installation completely. When I import the database back I get the hack. I had thought the problem was a file, but it appears to be within the db.

I thought I was on the mailing list, but will do so now.

I know my script installation is very clean, because sadly my Shared Host (HostGator) accidentally deleted my entire server and account yesterday afternoon. They hadn't been backing it up because of the large number of files.

Talk about from bad to worse....

Any suggestions on how to look for or correct the problem/hack (IRAN) in the database?
Conclusion.

The reason replacing the index.php file didn't solve the problem, or replacing all the scripts didn't correct the problem, was that the hacker inserted a template "index" into the database.

They had also created a few admin accounts.
Cleaning this up on the upgraded version appears to have corrected the problem.

Thanks for the help.
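
The cleanup described in the conclusion above (a planted "index" template row and extra admin accounts, both stored in the database and so untouched by replacing files), as an added example that is not part of the original thread: a Python audit over a copy of the forum database that compares each template override with the stock template of the same name and lists admin-group accounts missing from an operator-supplied allowlist. The table and column names, the master set id -2, the Administrators group id 4, and the use of SQLite in place of the forum's real database are assumptions of this example, and the sample rows are constructed.

```python
import re
import sqlite3

ADMIN_GID = 4    # assumption: group id of Administrators
MASTER_SID = -2  # assumption: sid marking the stock (master) template set
PLACEHOLDER = re.compile(r"\{\$[A-Za-z_][\w\[\]'>-]*\}")
ACTIVE = re.compile(r"<\s*(script|iframe|embed|object)\b|http-equiv\s*=\s*[\"']?refresh", re.I)

def suspicious_templates(conn):
    """Flag overrides that drop every stock placeholder or add active markup."""
    master = dict(conn.execute("SELECT title, template FROM mybb_templates WHERE sid = ?", (MASTER_SID,)))
    findings = []
    for tid, title, body in conn.execute(
            "SELECT tid, title, template FROM mybb_templates WHERE sid != ?", (MASTER_SID,)):
        stock = master.get(title, "")
        expected = set(PLACEHOLDER.findall(stock))
        reasons = []
        if expected and not expected & set(PLACEHOLDER.findall(body)):
            reasons.append("drops all stock placeholders")
        if ACTIVE.search(body) and not ACTIVE.search(stock):
            reasons.append("adds script/iframe/refresh markup")
        if reasons:
            findings.append((tid, title, reasons))
    return findings

def unexpected_admins(conn, known_admins):
    """Accounts in the admin group (primary or additional) that are not allowlisted."""
    out = []
    for uid, name, primary, extra in conn.execute(
            "SELECT uid, username, usergroup, additionalgroups FROM mybb_users ORDER BY uid"):
        groups = {str(primary)} | {g.strip() for g in (extra or "").split(",") if g.strip()}
        if str(ADMIN_GID) in groups and name not in known_admins:
            out.append((uid, name))
    return out

def sample_db():
    """Constructed stand-in rows in SQLite; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mybb_templates (tid INTEGER, title TEXT, template TEXT, sid INTEGER);
        CREATE TABLE mybb_users (uid INTEGER, username TEXT, usergroup INTEGER, additionalgroups TEXT);
    """)
    conn.executemany("INSERT INTO mybb_templates VALUES (?,?,?,?)", [
        (1, "index", "<html>{$header}{$forums}{$footer}</html>", -2),
        (2, "index", "<html><body>defaced page</body></html>", 1),
        (3, "footer", "<div>{$copyright}</div>", -2), (4, "footer", "<p>{$copyright}</p>", 1)])
    conn.executemany("INSERT INTO mybb_users VALUES (?,?,?,?)", [
        (1, "owner", 4, ""), (2, "member1", 2, ""), (3, "sysop2", 2, "6,4")])
    return conn
```

Both checks are heuristics: a flagged row still needs a manual read, and an override that keeps one stock placeholder while changing everything else will pass the first check.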