MyBB Community Forums

Hey

Recently various hosting accounts on my server who use MyBB found a script called mshell.php which is a PHP Shell script and I do not know how it was uploaded but I am quite certain it was via MyBB however I am not 100% sure. All of the forums were using the latest version.

I was wondering if this may be a bug or is just a coincidence that it was in almost all the folders.

Not using latest MyBB? Then it may be this: http://community.mybboard.net/thread-52474.html

Otherwise check your access.log for the first occurance of such a mshell.php and requests made before that (possibly by the same IP), as a first pointer as to where it could've come from...

Nothing in the access log regarding mshell

If your hosting isn't setup correctly then it takes just one shell to exploit all hosting accounts.
Each account or user should be jailed to prevent this type of exploit.

All accounts have shell disabled and almost all commands are banned for a shell script to run in PHP

That's also a good solution. You can alter php.ini to disable certain commands and imho that's a wise move. I have many disabled on my server as well.

Here is a small list you should disable.

exec,system,filesystem,passthru,show_source,shell_exec,escapeshellarg,escapeshellcmd,proc_open

I'd keep escapeshellarg and escapeshellcmd - they're harmless. You might want to add popen.
You can also try safe mode.