If an exploit in 1.6.2 existed we'd have seen a bunch of threads already. I normally get word fast about any known exploits. So unless whoever hacked you has a 0-day (which they don't) then no one should be concerned. With so many MyBB forums in the hacker genre..hacks get passed around fast as skids love to be malicious.
I do know that l33t coders was compromised this week but it's not the same exploit as yours.
Here is all answers... There is also phpmyadmin 3.1.0 vulnerability..
http://pastebin.com/qmDLER4h
This is the real site, and this exploit is way old...2 years approx.
http://hi.baidu.com/%D3%F0%E9%E4%C8%CA/blog/item/6dd8ddceb445a031b600c8b6.html
And all the threads i have seen so far are with same regards, SO i will also recommend to upgrade your software by asking host to do it as soon as possible.
MYBB 1.6.2 is clean and clear, except some small profile error. thats it.
Why do people keep posting possible security vulnerabilities in the public forums??? You should PM a developer, or post in Private Inquiries, not alarm numerous users that they can be at risk.
@labrocca, the point is that there is an exploit SOMEWHERE, someTHING is exploitable. I'm not too sure exactly what that thing is yet, I'm just asking for help identifying it. I know, understand, and agree that the large community of skiddie to professional hackers on your site catch wind of exploits quickly. I'd say just keep your eyes open, an exploit always starts from somewhere, this doesn't mean that my site could be the first of this attack, but it doesn't mean it couldn't be either. I'm not ruling anything out, and that's the stance I feel I should take. Right now everything on my site, including MyBB, has been compromised and is a potential exploitable product until otherwise ruled out. The devs can say how clean and clear MyBB is all day long, but until it's ruled out, in my book, it's not. You as a website and system administrator should know that there is no such thing as "innocent until proven guilty" when it comes to security. Verify, verify, verify, double check, triple check, quadruple check. Every day we're going through the logs to find the point of entry. I'm not going to post here what things we find to better protect the mybb community (as I've already asked staff to move this thread so that the general public can't see it).
I'll take a look at that phpmyadmin exploit as well. We're finding new stuff every day and to be honest this exploit is looking a lot like the last mybb exploit.
@Shukaku, numberous members should always assume they are at risk. Being comfortable with your security leads to apathy in security which will lead to the website's demise. I don't hold much faith in the pm system here (as is obvious, I still haven't been contacted by a single MyBB Developer or Security administrator). If it's really that big a problem for some people, then I suggest MyBB setup a security report section. Obviously that's not a priority of theirs and this section of the site remains undeveloped. They have a bug reporting system but nothing for reporting possible security risks.
As far as I'm able to see from the logs so far, mybb was what was attacked, not something else. But I'm not ruling anything out, we're scanning the whole site to see what was accessed. We have apache logs dating back to the inception of the site, so it might take a while (if MyBB insists we do all this ourselves, the purpose of this thread is to request assistance because none of us know how mybb is coded).
What we are willing to do:
1. We're willing to go through all of our logs and try to find the point of entry.
2. We're willing to track down and pursue each and every individual involved in this attack, who will be prosecuted to the fullest extent of the law.
3. We are willing to hand over all logs, databases, anything and everything the mybb team would need to assist in this investigation. Whatever you need, just ask.
If MyBB is NOT where the exploit is we will make note of it and make it very clear that it is secure. Our intention is NOT to hinder or damage the image or face of MyBB. Our intention is to get to the bottom of this attack.
The end point is that SOMETHING is exploitable and we're trying to find out what it is because (obviously) people either still use the software or just don't know it's exploitable.
(2011-04-11, 04:04 PM)MasterZuFu Wrote: [ -> ]The devs can say how clean and clear MyBB is all day long, but until it's ruled out, in my book, it's not.
No member of the team said this?
Quote:Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page.
And yes, there is one plugin which I think is orange scary too, :- "missyouemail plugin", I dont remember where i found that, But I think someone must go through that plugin too and find if there is something wrong in it, or is it my mistake. About Exploit, Exploit doesn't just bump out from scratch, if any code open some error which can be handled by outside group than there you give hand to hackers to make some exploit, AS concerned with mybb, The devlopers code in such a way that there is no error at all.
If you have not changed some files mannually, or if you have not used any such plugin which gives some error page, than your mybb is secured, but than this doesnt mean your site is secure, May be you could be victim of softwares being used by your host for your server.
So, Throwing some thread over here, like this its 10 time better to first,
1). check your plugin, & than
2). Match your mybb files in your cpanel with fresh mybb files after downloading only from here:-
http://www.mybb.com/downloads, after matching all files,
3). Ask your host, what softwares they are using and what is the version-> well this should be on top and should be done while selecting your host.
4). Go through internet, verify the Version of software your host is using is latest and most important secured and is not having any exploit.
About the error, and kind of files you are talking about is 75% similar to the exploit of phpmyadmin3.1.0 > Check that exploit properly and you will know the answer.
http://pastebin.com/qmDLER4h
Logs should be easily parsed with a couple grep commands.
Find shell.
Run grep for the shell command.
Run grep to search IP of shell user. Backtrack from there.
That's probably the best you can do given the fact they probably did their entry weeks ago.
Quote: I'm not ruling anything out, and that's the stance I feel I should take.
Alarming the user base of MyBB is stupid. You might as well yell fire in the movie theater. What you're accomplishing with this thread is nothing. Your thread title says it all "Possible MyBB Exploit in 1.6 Version". You might as well say "Possible death of 2 billion people". Possible..sure. As the saying goes...anything is possible. You have no evidence of an exploit and the whole "I'm not ruling it out" is BS. You should first review all the plugins and your server. MyBB should be the last thing on your list to check. Seriously.
Quote:You as a website and system administrator should know that there is no such thing as "innocent until proven guilty" when it comes to security.
BS too. I don't waste my time with stuff that's improbable if I get hacked. I start reviewing the most likely scenario and situation.
Quote:and to be honest this exploit is looking a lot like the last mybb exploit.
As I suspected immediately. There are still people getting shelled from 1.6.1 and 1.6.0 even though they are on 1.6.2. I've seen this multiple times in the past few weeks. I get contacted a lot when MyBB forums are in trouble. So I see the trends and have a good idea of what's going on.
I think you're wasting your own time trying to find the entry now. If you know it happened weeks ago then getting more data is unlikely. You should concentrate on securing everything. If you get penetrated again you'll have fresh logs and a better idea of entry. I'd make damn sure all your MyBB files are 1.6.2 then carefully check plugins. Look for ones poorly written, have upload capability, or not widely used. Widely used plugins are less likely to be a problem because you'd see more sites getting pwnd.
When you do upgrades do you manually patch or use upgraded files package?
Quote:I don't hold much faith in the pm system here (as is obvious, I still haven't been contacted by a single MyBB Developer or Security administrator).
To say what? You're going to put people on a wild goose chase.
Quote:They have a bug reporting system but nothing for reporting possible security risks.
When I've found actual vulns I've PMed the lead developer (currently Tomm M) and have always gotten a fast response and quick action if indeed a real vuln is found. One time it was patched and they released a security update in under 2 hours of contact.
Quote:2. We're willing to track down and pursue each and every individual involved in this attack, who will be prosecuted to the fullest extent of the law.
Given the terrible english I saw in his messages to you. That's a waste of your time as well. 99% of these clowns are in some country with either no cyberlaws or don't give a crap.
Quote:If MyBB is NOT where the exploit is we will make note of it and make it very clear that it is secure.
Should be the other way around. You should contact MYBB if you find evidence it's MyBB. MyBB team should not waste their time every time a site is hacked and admin doesn't know why.
Quote:I don't hold much faith in the pm system here (as is obvious, I still haven't been contacted by a single MyBB Developer or Security administrator).
To say what? You're going to put people on a wild goose chase.
100% agree > You're going to put people on a wild goose chase.
Well, Can i request one thing can you please define this more, so that I can learn something today.
(2011-04-11, 05:33 PM)labrocca Wrote: [ -> ]Logs should be easily parsed with a couple grep commands.
Find shell.
Run grep for the shell command.
Run grep to search IP of shell user. Backtrack from there.
What kind of command and what is grep.
regards
grave
grep is a regular expression search tool for unix. Powerful and fairly easy to use. You can do a whole directory search of logs in seconds.
Example:
grep -rn 'keyword'
I normally can find a shell by searching for "exec". All php shells will contain that line. Exec should be disabled btw in php.ini if you want a more secure server.
Once you find the shell name search apache logs for it.
grep -rn 'shellname'
When you find the IP of the user then search that in your logs and with MyBB.
grep -rn 'ipaddress'
Very basic forensics but it will do the trick in many circumstances. 5 mins of work at most and anyone with shell access can do it.
(2011-04-11, 05:53 PM)labrocca Wrote: [ -> ]@others> click green arrow beside wrote for this post.
Thanks, Thanks and lots of thanks, I will research more, thank you so much.