MyBB Community Forums

Full Version: SQL Exploit - Site Hacked!
Hello

Upon trying to access my fully patched copy of MyBB 1.4.9 today, my site redirects to a page called gjdhrhee.php and I get the following message:

Quote:MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit by rgod [email protected] site: http://retrogod.altervista.org dork, version specific: "Powered By MyBB" "2006 MyBB Group" Usage: php host path OPTIONS host: target server (ip/hostname) path: path to MyBB Options: -T[prefix] specify a table prefix different from default (mybb_) -u[number] specify a user id other than 1 (usually admin) -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy -d: disclose table prefix (reccomended) Example: php localhost /MyBB/ -d php localhost /MyBB/ -Tmy_

I realise I've been hacked, I just want to know whether you can determine what the problem is and release a patch for it! My other forums are at risk too!

Regards
PC Drivers
Um...

MyBulletinBoard (MyBB) <= 1.1.5

Less than or equal to 1.1.5. Not sure how we can patch anything... that exploit was posted on milw0rm in mid 2006 so I don't think you were exploited by this... check to see if there's anything in your ./cache/themes/ folder that isn't default, reupload all new files, and check any edited templates for anything that shouldn't be there.
Nope, still a no go. I looked at the milw0rm post and it mentioned users.php, functions.php, class_session.php and index.php.

I've replaced these files with backups but something still isn't quite right.

Also, what ARE the defaults for the cache/themes/ folder?

Thanks for such a speedy response too

PC Drivers
I don't know why they mentioned that exploit but it won't be anything to do with that.

There should just be an index.html file in ./cache/themes/ and folders called themeX where X is a number.

What do you mean by 'something still isn't quite right'...?? Have you checked your templates too?? It'll be better to use freshly downloaded files rather than backed up ones, they might have something in them too.
But my templates have been edited in lots of ways! - adding plugins etc.

I deleted everything except theme1 and index.html in the cache/themes folder
What else was in that folder??

As for the templates, I mean just check if there's anything there you know shouldn't be there. Sometimes people get hacked and there's a big chunk of malicious JavaScript or something.
No, I've just checked my header templates, global templates and index templates.

I did delete the gjdhrhee.php from my server but the domain still redirects. There was also a string right at the top of index.php with "location:gjdhrhee.php" in it, which I compared with my working index.php and deleted the line.
Interesting thing now is I can access the admin panel and can also access all sub forums; the problem is just with index.php.

PC Drivers
Have you just reuploaded a totally new one?? Then you'll know it's fine instead of having to edit stuff out of it, just upload a totally new copy...
Putting new ones up now.
Restored from file backup - problem solved!

you can close this now

thanks
pc drivers
If your templates were modified and the caches were updated then you were rooted. You should have your host upgrade all their software to the latest and you should change all your server and MySQL passwords. The chances of that being related to MyBB are very small.
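
The checks suggested in this thread (only index.html and themeX folders in ./cache/themes/, and comparing the live files against a freshly downloaded copy of the same version) can be scripted. This is an added example, not part of the original posts and not MyBB's own code; the function names, finding labels and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

THEME_DIR = re.compile(r"theme\d+")             # "themeX where X is a number"
REDIRECT = re.compile(rb"location\s*:", re.I)   # e.g. "location:gjdhrhee.php"

def audit(live, fresh):
    """Compare a live forum tree with a fresh download; return sorted (finding, path) tuples."""
    live, fresh, findings = Path(live), Path(fresh), []
    # cache/themes should hold only index.html and themeX folders.
    themes = live / "cache" / "themes"
    for entry in (themes.iterdir() if themes.is_dir() else []):
        ok = entry.name == "index.html" if entry.is_file() else bool(THEME_DIR.fullmatch(entry.name))
        if not ok:
            findings.append(("unexpected-in-cache-themes", entry.relative_to(live).as_posix()))
    # Every PHP file should exist in the fresh copy and match it byte for byte.
    for php in (p for p in live.rglob("*.php") if p.is_file()):
        rel, ref = php.relative_to(live).as_posix(), fresh / php.relative_to(live)
        if not ref.is_file():
            findings.append(("php-not-in-release", rel))
        elif (new := php.read_bytes()) != (old := ref.read_bytes()):
            # Separate a changed file that gained a redirect string from other edits.
            gained = REDIRECT.search(new) and not REDIRECT.search(old)
            findings.append(("modified-adds-redirect" if gained else "modified", rel))
    return sorted(findings)

def make_sample(root):
    """Build a small CONSTRUCTED live/fresh pair for demonstration (not real MyBB files)."""
    files = {
        "fresh/index.php": "<?php\nrequire 'global.php';\n",
        "fresh/global.php": "<?php\n// core\n",
        "fresh/cache/themes/index.html": "",
        "live/index.php": "<?php\nheader('location:gjdhrhee.php');\nrequire 'global.php';\n",
        "live/global.php": "<?php\n// core\n",
        "live/gjdhrhee.php": "<?php // dropped file, contents constructed\n",
        "live/cache/themes/index.html": "",
        "live/cache/themes/theme1/global.css": "body{}",
        "live/cache/themes/stray.php": "<?php // constructed stray file\n",
    }
    for name, text in files.items():
        path = Path(root, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(root, "live"), Path(root, "fresh")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(*make_sample(tmp)), sep="\n")
```

Files generated at install time or added by plugins will also be reported as not in the release and need a manual look; the audit only narrows down where to look and does not cover templates stored in the database.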