MyBB Community Forums

Full Version: This is the 2nd time we've been hacked...
So, me and my staff had our forum hacked today.

This caused major disruption as due to our host's limits we are not able to take a backup every day.

Our last hack was done on the 25th of January, and also today. The hacker must have found a possible exploit in the software. All staff have random strong passwords and our systems are assumed clean. Even if the hacker had our passwords, they would not be able to use our accounts as we are using Restrict IP, which works pretty well on our board.

Although the hacker pruned the logs of our board, it seems they found a way to hijack an administrator's account, they knew the hidden (changed) directory of our admin panel on both occasions.

We use cPanel to access FTP but there were no logs of any foreign IP addresses using it and our staff (except me) had not been on that day since my IP address was on last.

I strongly believe it might be a new exploit in the software.

My real question is, once a MyBB admin account has been hacked and has banned all the other accounts, is it possible for admins to regain access through FTP to avoid loss of posts?

Thank you.
Sorry to hear about your problem.

First off, find a new host if you can't make a simple backup once a day.

Second, is this a shared hosting account, VPS or ???

Third, you are assuming your and your staff's computers are clean. Bad idea. You should check.

Fourth, is there anything other than a default MyBB installation on your account? If so then it may not be MyBB at all.

Fifth, have you secured your cPanel? The hacker may be coming in through the server that way. If shared hosting, any other sites on the server exploited?


You sure RestrictIP isn't causing any problems? Last Updated: 11th August 2010

Also are you sure the hacker didn't edit or add any files on his last visit, i.e. plugins modifying AdminCP or the database?

Quote: My real question is, once a mybb admin account has been hacked and has banned all the other accounts, is it possible for admins to regain access through ftp to avoid loss of posts?
Yes, but with phpMyAdmin, not FTP. Depending on how the admins had their access removed, you could either manually change the usergroup or the ban lists.
(2011-02-05, 01:47 AM) fizz Wrote: Also are you sure the hacker didn't edit or add any files on his last visit, ie: plugins modifying AdminCP or the database?

Yeah, try running the file verification.
Quote:global.php Changed
inc/class_parser.php Changed
inc/languages/english/global.lang.php Changed
admin/modules/config/plugins.php Changed

Also, I changed the admin access through MySQL through a VERY helpful guide on the internet:
http://twigstechtips.blogspot.com/2010/0...ccess.html

Thanks for the suggestions guys, but it definitely wasn't through our file manager or MySQL. It is all logged. Plus the hacker cleared MyBB logs which shows something.
Quote:admin/modules/config/plugins.php Changed
0.o

Because he cleared the logs most likely means he logged in using one of your admins' accounts. You and your admins all need to scan your computers for viruses, because most likely at least one of you has a keylogger.
If your host doesn't allow you to take a daily backup, they are a terrible host.

If you've renamed your ACP folder, have you changed the setting to hide the link in the header? Otherwise, if they get access to your account, they'll just be able to click the link...

Look in the server access_log file too. That logs everybody who accessed the site; this will give you the IP of whoever did this, and every page they visited. In cPanel, click Raw Access Logs on the homepage, then click your domain. It'll download a file; open this in Notepad or something. This will give you a list of the IP, time, and action of all visits.
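The access-log check suggested in the post above can be scripted; this is an added example, not part of the original thread. It assumes the downloaded file is in Apache combined log format, and the admin directory name `secretacp`, the staff IP list and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: Apache "combined" log format (ip, ident, user, [time], "request", status, bytes, ...).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def admin_hits(lines, admin_dir, staff_ips):
    """Group requests under admin_dir by client IP, skipping known staff IPs."""
    prefix = "/" + admin_dir.strip("/") + "/"
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        if not m["path"].startswith(prefix) or m["ip"] in staff_ips:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, m["method"], m["path"], int(m["status"])))
    return {ip: sorted(reqs) for ip, reqs in hits.items()}

def summarize(hits):
    """One row per IP: (ip, first seen, last seen, request count, POST count)."""
    rows = []
    for ip, reqs in hits.items():
        posts = sum(1 for _, method, _, _ in reqs if method == "POST")
        rows.append((ip, reqs[0][0], reqs[-1][0], len(reqs), posts))
    return sorted(rows, key=lambda r: r[1])  # earliest visitor first

# Constructed sample lines (documentation IP ranges, hypothetical admin directory).
SAMPLE = [
    '192.0.2.10 - - [05/Feb/2011:01:10:02 +0000] "GET /secretacp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [05/Feb/2011:01:12:40 +0000] "POST /secretacp/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [05/Feb/2011:01:13:05 +0000] "GET /secretacp/index.php?module=tools HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Feb/2011:01:14:00 +0000] "GET /showthread.php?tid=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'truncated line with no request',
]

if __name__ == "__main__":
    for row in summarize(admin_hits(SAMPLE, "secretacp", {"192.0.2.10"})):
        print("%s first=%s last=%s requests=%d posts=%d" % row)
```

Because the web server writes this log outside the forum software, it still holds the admin-panel requests after the forum's own admin logs have been pruned.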
Ah,

it's not a MyBB-related issue.
It's a host issue.
Better to move to another host company.

And, you have to change or limit your computer access.
If your forum is medium-sized, you can use the built-in MyBB Backup database.
With the changed files, they obviously have entered via FTP at some point as well. Unless you yourself have modified those files.
We've got the security in check for now, and we're looking to move.

However, do you guys know of a way to get rid of the pruning feature? Perhaps make it query-only?