MyBB Community Forums

Full Version: [Page Manager] Share your custom pages
(2011-01-12, 09:42 AM)atnun Wrote: Hey Guys

I'm sorry to inform you that our webspace was hacked yesterday by using the contact form Sebastian posted here on page 2 of this thread.
My provider shut down my site and informed me that the attacker used the "myboardurl/misc.php$page=contact" link to upload his own .php files to the webserver, and through his own .php files he sent hundreds of thousands of spam mails in the last hours. My provider left all the files in place so I could verify this myself, and it's true.

I recommend you NOT to use the contact page in this way.

Greetings
Atnun

Any details about this issue? Have you modified the page?
(2011-01-12, 10:07 AM)querschlaeger Wrote: Any details about this issue? Have you modified the page?

I thought I already provided many details Big Grin

No I have not modified the code in any way, it is exactly as you posted it in the linked post.
Hm, I reviewed the code right now but I can't find anything to attack... That's strange, most of the code MyBB also uses in other places.

Is it possible to send me a copy of your log files (PM me)?
(2011-01-12, 09:42 AM)atnun Wrote: Hey Guys

I'm sorry to inform you that our webspace was hacked yesterday by using the contact form Sebastian posted here on page 2 of this thread.
My provider shut down my site and informed me that the attacker used the "myboardurl/misc.php$page=contact" link to upload his own .php files to the webserver, and through his own .php files he sent hundreds of thousands of spam mails in the last hours. My provider left all the files in place so I could verify this myself, and it's true.

I recommend you NOT to use the contact page in this way.

Greetings
Atnun

Hmm, if this is the case, what info do we need for Atnun to gather, so the vulnerability could be fixed?
I asked my provider for some logfiles and forwarded what I got to Sebastian as a PM. It's not a root server, just hosted webspace, so my possibilities are very limited.
error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/seriousr/public_html/inc/plugins/pagemanager.php(798) : eval()'d code on line 23

banlist.xml:
<?php

global $headerinclude, $header, $theme, $footer, $lang;

if(!$mybb->user['uid']) error_no_permission();

$lang->load('modcp');

$bannedquery = $db->simple_select("banned", "uid, admin, reason, dateline, lifted", "", array("order_by" => 'dateline', "order_dir" => 'DESC'));

if ($db->num_rows($bannedquery) > 0)
{
	$bannedtablerows = "";
	while ($ban = $db->fetch_array($bannedquery))
	{
		$banneduser = get_user($ban['uid']);
		$banby = get_user($ban['admin']);

		if ($ban['lifted'] > 0)
			$unbandate = my_date($mybb->settings['dateformat'], $ban['lifted']);
		else
			$unbandate = $lang->never;

		// The ban reason is free text; escape it before it is placed into the HTML,
		// as MyBB does for the same data elsewhere.
		$bannedtablerows .= '<tr>
		<td class="trow1">'. build_profile_link($banneduser['username'], $banneduser['uid']). '</td>
		<td class="trow1">'. htmlspecialchars_uni($ban['reason']). '</td>
		<td class="trow1">'. build_profile_link($banby['username'], $banby['uid']). '</td>
		<td class="trow1">'. my_date($mybb->settings['dateformat'], $ban['dateline']) .'</td>
		<td class="trow1">'. $unbandate .'</td>
		</tr>';
	}
}
else
{
	$bannedtablerows = '<tr><td class="trow1" colspan="5" align="center">'. $lang->no_banned .'</td></tr>';
}

$template='<html>
<head>
<title>'.$pages['name'].'</title>
{$headerinclude}
</head>
<body>
{$header}
<table border="0" cellspacing="1" cellpadding="4" class="tborder">
<tr><td class="thead" colspan="5"><strong>{$lang->ban_banned}</strong></td></tr>
<tr>
<td class="tcat"><span class="smalltext"><strong>{$lang->username}</strong></span></td>
<td class="tcat"><span class="smalltext"><strong>{$lang->reason}</strong></span></td>
<td class="tcat"><span class="smalltext"><strong>{$lang->ban_bannedby}</strong></span></td>
<td class="tcat"><span class="smalltext"><strong>{$lang->start_date}</strong></span></td>
<td class="tcat"><span class="smalltext"><strong>{$lang->end_date}</strong></span></td>
</tr>
{$bannedtablerows}
</table>
{$footer}
</body>
</html>';

// MyBB's template pattern: escape " and \ for the double-quoted eval below, but keep ' unescaped.
$template=str_replace("\'", "'", addslashes($template));

add_breadcrumb($pages['name']);

eval("\$page=\"".$template."\";");

output_page($page);

?>
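The parse error quoted above is the one PHP raises when `$array['key']` appears inside a double-quoted string, and Page Manager runs the stored page through eval() (the error path says so); the posted page uses the same addslashes()/eval() pattern for its own template. This is an added example, not code from the thread or from the plugin: it reproduces the pattern working on `{$var}` placeholders, and the parse error when PHP code rather than template text reaches a double-quoted eval. That this is what happened to the posted page is an assumption; the exact wording of the error varies by PHP version.

```php
<?php
// Added example (PHP 7+, where eval() throws ParseError instead of a fatal error).
// mybb_style_render() mirrors the posted page: addslashes(), restore ', then eval
// the result as a double-quoted string so {$name} placeholders interpolate.
function mybb_style_render(string $template, array $vars): string
{
    extract($vars, EXTR_SKIP);                        // makes {$name} resolvable inside the eval
    $template = str_replace("\'", "'", addslashes($template));
    eval("\$page = \"" . $template . "\";");
    return $page;
}

// Normal template use: placeholders interpolate, quotes in values survive intact.
$ok = mybb_style_render(
    '<title>{$title}</title><td class="trow1">{$rows}</td>',
    ['title' => 'Banned Users', 'rows' => "it's \"quoted\""]
);
echo $ok, PHP_EOL;
// <title>Banned Users</title><td class="trow1">it's "quoted"</td>

// Failure mode: a line of PHP code (here, the banlist page's own row-building line,
// a constructed sample) fed to the double-quoted eval. The $banneduser['username']
// construct is what yields "unexpected T_ENCAPSED_AND_WHITESPACE, expecting
// T_STRING or T_VARIABLE or T_NUM_STRING" on PHP 5/7.
$php_code = "<td class=\"trow1\">'. build_profile_link(\$banneduser['username'], \$banneduser['uid']). '</td>";
try {
    mybb_style_render($php_code, ['banneduser' => ['username' => 'x', 'uid' => 1]]);
} catch (ParseError $e) {
    echo 'ParseError: ', $e->getMessage(), PHP_EOL;
}
```

If a page's content is meant to run as PHP, it must reach the plugin's PHP-eval path rather than the template path; template text only ever needs `{$var}` placeholders, never array subscripts with quoted keys.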
(2011-01-12, 01:26 PM)atnun Wrote: I asked my provider for some logfiles and forwarded what I got to Sebastian as a PM. It's not a root server, just hosted webspace, so my possibilities are very limited.

OK, forget everything I wrote, sorry that I blamed the contact page for the hack. It's what my provider said, so I believed him Wink

I had removed the contact page yesterday morning, and in the evening the page got hacked again. It looks like the attacker somehow had FTP access. All accounts have been changed and I hope that it's done now.

Greetings
Atnun
The usermap is great and still works with MyBB 1.6. The only problem I got is that no user shows up in the usermap. I created a custom profile field and put in my location but nothing happens. I already forced the update using &update=1 and that seems to rebuild the cache-file but my location still doesn't show up.
(2011-01-15, 02:43 PM)Pechente Wrote: The usermap is great and still works with MyBB 1.6. The only problem I got is that no user shows up in the usermap. I created a custom profile field and put in my location but nothing happens. I already forced the update using &update=1 and that seems to rebuild the cache-file but my location still doesn't show up.

The usermap uses the default location field. I think it has to be field ID #1. It's mentioned in this thread -- probably search on "location" keyword.
$key = 'XXX';
$location = 'Germany';
$zoom = 6;
$fid = 4;
$datacache = './cache/coords';

My field has the ID 4 since I deleted the given "location", "sex" and whatever fields when I created my forums. I put this at the top of the usermap page as you can see above. Instead of XXX I of course entered my API key. So it should theoretically work.
OK, I think I found what was wrong. Some usergroups are ignored by the map, so I couldn't see my location as an admin. Regular (test) users, however, are shown on the map.