MyBB Community Forums

Full Version: If you have been HACKED, PLEASE READ
Due to the recent levels of people being compromised with an exploit present in MyBB <= 1.4.6, this thread will tell you what to do about it.

What to do if you get hacked

If you were on a MyBB release BEFORE OR EQUAL TO 1.4.6
-- Make sure that no new admin accounts have been made, delete them immediately if there are any.
-- Look in your ./cache/themes/ folder; if you see a file called themes.php, please delete it.
---- One user here http://community.mybboard.net/thread-522...#pid368623 reported that the themes.php backdoor was used to create additional php files in the cache/theme folders. Since no such file belongs there, they should all be deleted - frostschutz
-- Reupload your ./index.php file and revert your index template to default.
-- Follow the rest of the general post-hack steps below.

If you were on a MyBB release AFTER 1.4.6

Upgrade to most recent release
Upgrading to the most recent release won't solve the results of you being hacked, but it will make sure your forum is secure. [Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead)

Reset passwords
Once you are able to, you should immediately change your forum password, and also the password to your database. This is to make sure that the hacker can’t just login to anything again; new passwords mean they’re back to where they were before. If you change your database password you will need to update it in ./inc/config.php too.

Check for new users
Check all new users registered after the time the hacker gained access to the forum; there may be a chance one of them has been added to a group with ModCP or ACP access, or they may have even created a new usergroup for a user. If you see anything like this, delete it.

Reupload all files
Download the MyBB package, and upload all of the MyBB files, except ./inc/settings.php. This will make sure that all of your files are clean, and there isn’t any malicious code in any of them. Make a note of any file changes you have made before doing this, though, so you can make them again after. This process will also make sure you have all the most recent files; you may have missed an important file in a security upgrade which contained the exploit that was used to hack you.

Check your CHMOD permissions
Check your CHMOD permissions after you have reuploaded the files. Make sure you’re not giving files or folders extra permissions that they don’t need. [Wiki: CHMOD_Files] (Broken link, head over to docs.mybb.com instead)

Delete settings.php
Head to your ./inc/ folder and download your copy of settings.php… and then delete it from your server. It will be generated again, with the correct values from the database, and then we’ll know it’s a clean copy of the file, with no malicious code. You may need to click around on the forum a bit to get it to regenerate; the downloaded file is there so you can upload it again should it fail to regenerate automatically.

Rebuild config.php
You can manually remake your config.php to make sure it’s clean. Use this code ([wiki]Inc/config.php[/wiki]) to rebuild the file, and enter in your database details. Also make sure you change any other settings you need to, for example, the admin directory, hiding ACP links, or super admins.

Check your templates for malicious code
A common result of being hacked is having malicious code added to your templates, meaning it’s executed whenever a page is loaded. A common place for code to be added is the header, headerinclude, index, and footer template, as these templates are loaded the most. Check all templates, however, that aren’t default (have their name in green) and remove any code that isn’t supposed to be there. It’s usually in <script> tags and is usually a load of random numbers and letters. This should be removed as soon as possible.


If anyone has anything else to add, post it here and it will be added.
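As an added example, not code from this thread or from the MyBB project, the following Python script applies the template check from the first post to template rows exported from the database (the name-to-content mapping is assumed to come from the templates table; the sample rows below, including the example.invalid host, are constructed for the demo). It flags `<script>` elements that use eval/unescape-style obfuscation, contain a long run of random letters and digits, or carry a hex-escaped string.

```python
"""Scan MyBB template contents for injected, obfuscated <script> blocks.

Added example, not part of the thread or of MyBB. Input is a dict of
template name -> template HTML; the SAMPLE_TEMPLATES below are constructed.
"""
import re

# Idioms legitimate MyBB templates essentially never use, but injected
# scripts rely on to hide their payload.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")

# A run of 40+ letters/digits with no spaces or punctuation: the "load of
# random numbers and letters" the first post describes.
RANDOM_RUN = re.compile(r"[A-Za-z0-9]{40,}")

# Percent- or backslash-hex encoded characters (%6A, \x6a); a handful in a
# row means an encoded string rather than readable script.
HEX_ESCAPE = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2})")

SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def script_findings(html):
    """Return a list of (reason, excerpt) for each suspicious <script> in html."""
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        block = match.group(0)
        reasons = []
        for marker in OBFUSCATION_MARKERS:
            if marker in block:
                reasons.append("uses " + marker)
        run = RANDOM_RUN.search(block)
        if run:
            token = run.group(0)
            # Only flag runs that mix letters and digits; a long word or a
            # plain number (e.g. a version query string) is not suspicious.
            if any(c.isdigit() for c in token) and any(c.isalpha() for c in token):
                reasons.append("%d-char run of letters and digits" % len(token))
        if len(HEX_ESCAPE.findall(block)) >= 8:
            reasons.append("hex-escaped string")
        if reasons:
            findings.append(("; ".join(reasons), block[:80]))
    return findings


def scan_templates(templates):
    """templates: {template name: content}. Returns {name: findings} for hits only."""
    result = {}
    for name, body in templates.items():
        found = script_findings(body)
        if found:
            result[name] = found
    return result


# Constructed sample rows: two stock-looking templates and two injected ones.
SAMPLE_TEMPLATES = {
    # Stock-looking headerinclude: a script include plus a small inline block.
    "headerinclude": (
        "<script type=\"text/javascript\" src=\"{$mybb->settings['bburl']}/jscripts/general.js?ver=1400\"></script>\n"
        "<script type=\"text/javascript\">\n<!--\n\tlang.unknown_error = \"{$lang->unknown_error}\";\n// -->\n</script>"
    ),
    # Template with no script at all.
    "header": "<div id=\"container\">{$menu}</div>",
    # Injected: encoded payload handed to eval (the encoded sample decodes to the harmless "var x = 1;").
    "footer": (
        "<div id=\"copyright\">Powered by MyBB</div>\n"
        "<script type=\"text/javascript\">eval(unescape(\"%76%61%72%20%78%20%3d%20%31%3b\"))</script>"
    ),
    # Injected: remote script with a random-looking 48-character file name.
    "index": (
        "<script src=\"http://example.invalid/js/"
        "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.js\"></script>{$forums}"
    ),
}

if __name__ == "__main__":
    for name, hits in scan_templates(SAMPLE_TEMPLATES).items():
        for reason, excerpt in hits:
            print("%s: %s\n    %s" % (name, reason, excerpt))
```

The long-run rule will also fire on legitimate base64 data URIs or similar blobs, so treat a hit as something to look at, not as proof; the marker and hex-escape rules are the stronger signals. Run it over every template, not only the ones named above, since the first post notes that any non-default template can carry injected code.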
One user here http://community.mybboard.net/thread-522...#pid368623 reported that the themes.php backdoor was used to create additional php files in the cache/theme folders. Since no such file belongs there, they should all be deleted.
It would be a good move for all users that have been hacked to compare the files on their server with the files in the MyBB download package - especially the files in cache/*.
Another good thing to do is to run your forum through a check at UnmaskParasites, which will let you know if there is any suspicious code on your forums as well as help you in locating what that code looks like. This can aid you in removing any malicious code from your templates.

Also, it's important to remember that if your forum is hacked it doesn't necessarily mean that the MyBB software was the source of the hack. It could be a MyBB plugin that is responsible, another script on your web server, or it could be that the server itself was compromised. In addition to updating MyBB, I would suggest updating your MyBB plugins to their latest versions as well as updating any other software on your site to the latest versions as another program could possibly be the source of the hack, especially if you run multiple programs on the same database.
I can't stress this enough - make regular backups; I would definitely suggest once a day.
(2009-07-06, 09:22 PM) destroyer Wrote: It would be a good move for all users that have been hacked to compare the files on their server with the files in the MyBB download package - especially the files in cache/*.

You might want to suggest on how to do that because I am sure most users won't know how to check which files differ.
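One way to do that comparison, as an added example that is not part of this thread or of MyBB itself: hash every file in an unpacked clean MyBB package and in a copy of the live forum tree, then list what is missing, modified or extra. It assumes inc/config.php and inc/settings.php are site-specific and skips them when reporting modifications; the demo trees at the bottom are constructed (digests of placeholder contents) so the script runs without a real package.

```python
"""Compare a server's MyBB file tree against a clean MyBB package.

Added example, not code from the thread or from the MyBB project.
Usage: python compare_tree.py /path/to/clean-mybb /path/to/forum
(the script name is assumed); with no arguments it runs on constructed trees.
"""
import hashlib
import os
import sys

# Files that legitimately differ from the package on every install (assumption).
SITE_SPECIFIC = {"inc/config.php", "inc/settings.php"}


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean, server):
    """clean/server: {relative path: digest}. Returns missing/extra/modified lists."""
    clean_paths, server_paths = set(clean), set(server)
    return {
        "missing": sorted(clean_paths - server_paths),
        "extra": sorted(server_paths - clean_paths),
        "modified": sorted(p for p in clean_paths & server_paths
                           if clean[p] != server[p] and p not in SITE_SPECIFIC),
    }


def unexpected_cache_php(paths):
    """PHP files under cache/themes/ never belong there (as the thread states)."""
    return [p for p in paths if p.startswith("cache/themes/") and p.endswith(".php")]


def report(clean, server):
    """Full comparison plus the cache/themes PHP files singled out for deletion."""
    diff = compare_trees(clean, server)
    diff["cache_php"] = unexpected_cache_php(diff["extra"])
    return diff


def digest(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample trees: a package, and a server copy with one modified
# core file, generated theme CSS (expected extra), a stray PHP file in
# cache/themes/ and a site-specific config that should not be reported.
CLEAN_TREE = {
    "index.php": digest(b"<?php // clean index\n"),
    "inc/config.php": digest(b"<?php // package placeholder config\n"),
    "cache/themes/index.html": digest(b""),
}
SERVER_TREE = {
    "index.php": digest(b"<?php // clean index\n// extra line\n"),
    "inc/config.php": digest(b"<?php // site database details\n"),
    "cache/themes/index.html": digest(b""),
    "cache/themes/theme1/global.css": digest(b"body{}"),
    "cache/themes/themes.php": digest(b"<?php // does not belong here\n"),
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = report(hash_tree(sys.argv[1]), hash_tree(sys.argv[2]))
    else:
        result = report(CLEAN_TREE, SERVER_TREE)
    for key, paths in result.items():
        print(key + ":")
        for p in paths:
            print("  " + p)
```

Generated theme CSS under cache/themes/ is a normal "extra", which is why only .php files there are singled out; every other entry in the extra and modified lists still needs a human look, since plugins and custom themes add files of their own, and a modified core file is exactly what reuploading the package is meant to replace.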
I upgraded to 1.48 and only then found a new user "admin"; I deleted him.

Should I now upload the 1.48 files again, including the install folder?
No, you shouldn't need to do any of that again if you've already upgraded... you probably just missed the new admin before you upgraded... you did delete any non-MyBB files from ./cache/themes/, yes?
In /cache/themes/ there's no themes.php file; however, there are folders named /theme1, /theme5, etc.

Should I delete those?
No, unless you also want to delete your themes...