MyBB Community Forums

So today my forum was defaced, luckily i had just gotten online so i was able to lockdown the site, fix the index, and find the shell in less then 5mins of the hack.
(not saying url for now)

But the shell was in a very unusual place
\forum\inc\3rdparty\diff\Diff\Engine\

Now my guess was that the person uploaded it somewhere else and then moved a shell to that dir.
Im using the latest version of MyBB and was just wondering if people could list ways they think this shell was uploaded. And then tell me how i could prevent it.

Thanks in advance.

There could be any number of reasons, there's no known security issues in MyBB. Can you see if there's any useful info in the server access logs??

The hacker could have stolen your passwords, so I recommend changing them ASAP.

(2010-04-08, 11:10 PM)Joshua Mayer Wrote: [ -> ]The hacker could have stolen your passwords, so I recommend changing them ASAP.

No, my account wasnt compromised.

But in the future how could i prevent being shelled again.

Even if there was a security issue in MyBB or one of the plugins you are using, it should not be possible to place a shell in the directory you mentioned, because usually PHP does not have write access there. Writable directories, such as cache/ or uploads/ are much more likely places for strange files to appear due to a security issue. Check your directory permissions. If the directory is not writable, if you didn't carelessly chmod 777 your entire folder, it's much more likely that your FTP account was compromised.