(2011-04-11, 04:47 PM)StefanT Wrote: (2011-04-11, 04:04 PM)MasterZuFu Wrote: The devs can say how clean and clear MyBB is all day long, but until it's ruled out, in my book, it's not.
No member of the team said this?
Quote: Reporting MyBB security vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.
As always, you can send through security related messages on the MyBB website from the Contact Us page.
Where is that located at?
(2011-04-11, 05:05 PM)grave Wrote: And yes, there is one plugin which I think is orange scary too: "missyouemail plugin". I don't remember where I found that, but I think someone must go through that plugin too and find if there is something wrong in it, or if it is my mistake. About exploits: an exploit doesn't just bump out from scratch; if any code opens some error which can be handled by an outside group, then there you give a hand to hackers to make some exploit. As concerned with MyBB, the developers code in such a way that there is no error at all.
I haven't seen or heard of that plugin. I would think that it could be a plugin that would be the problem. A few of them are from a previous version of MyBB which still work in this version. I'm removing all of my plugins when I bring the site back up and putting in only a few that I need that are definitely the most up-to-date. A coder is human, humans make mistakes. I don't care how good a programmer is, they can still make a mistake (hence the reason most updates come out anyway).
(2011-04-11, 05:05 PM)grave Wrote: If you have not changed some files manually, or if you have not used any such plugin which gives some error page, then your MyBB is secured, but then this doesn't mean your site is secure. Maybe you could be a victim of software being used by your host for your server.
So, instead of throwing some thread over here like this, it's 10 times better to first:
1). check your plugins, & then
2). Match your MyBB files in your cPanel with fresh MyBB files after downloading only from here: http://www.mybb.com/downloads. After matching all files,
3). Ask your host what software they are using and what the version is -> well, this should be on top and should be done while selecting your host.
4). Go through the internet and verify that the version of software your host is using is the latest and, most importantly, secured and does not have any exploit.
I'm not on a shared host, and the "host" that I do have is a personal server managed by a very good friend of mine who is an expert in Linux servers and security. The server wasn't the problem, we've already ruled that out via the logs. The skiddie never got to the server, only the website files. I'm looking at the software you mentioned: phpmyadmin is one, as well as piwik, MyBB, all MyBB plugins that were installed. I had absolutely no core changes to MyBB. We're reviewing everything.
(2011-04-11, 05:05 PM)grave Wrote: About the error, the kind of files you are talking about is 75% similar to the exploit of phpmyadmin 3.1.0. Check that exploit properly and you will know the answer.
http://pastebin.com/qmDLER4h
I'll most certainly look at this exploit.
(2011-04-11, 05:33 PM)labrocca Wrote: Logs should be easily parsed with a couple grep commands.
Find shell.
Run grep for the shell command.
Run grep to search IP of shell user. Backtrack from there.
That's probably the best you can do given the fact they probably did their entry weeks ago.
We've done that over and over again, the problem is that he's accessed these files multiple times and it's impossible to find out which one he touched first. We know the date he uploaded the inc_inc.php file was more than two weeks ago though.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: I'm not ruling anything out, and that's the stance I feel I should take.
Alarming the user base of MyBB is stupid. You might as well yell fire in the movie theater. What you're accomplishing with this thread is nothing. Your thread title says it all "Possible MyBB Exploit in 1.6 Version". You might as well say "Possible death of 2 billion people". Possible..sure. As the saying goes...anything is possible. You have no evidence of an exploit and the whole "I'm not ruling it out" is BS. You should first review all the plugins and your server. MyBB should be the last thing on your list to check. Seriously.
You're right, absolutely right, and I apologize about that. I've already asked for the thread to be moved...still waiting.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: You as a website and system administrator should know that there is no such thing as "innocent until proven guilty" when it comes to security.
BS too. I don't waste my time with stuff that's improbable if I get hacked. I start reviewing the most likely scenario and situation.
If I'm hacked and certain files are looked at, I'm going to look at them too. I'm certainly not going to pass over a file just because I "think" it's secure. Heck, I THOUGHT the site was secure when I had it set up, and that's obviously not true. So why would I just pass over web software just because I 'think' it's secure? I'm not, I'm going to take the time to properly investigate this attack.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: and to be honest this exploit is looking a lot like the last mybb exploit.
As I suspected immediately. There are still people getting shelled from 1.6.1 and 1.6.0 even though they are on 1.6.2. I've seen this multiple times in the past few weeks. I get contacted a lot when MyBB forums are in trouble. So I see the trends and have a good idea of what's going on.
Why didn't you say this to start with? If this is the case, then it's obvious to me the patch isn't 'patched' and there's still a security vulnerability. If you've been contacted by people in trouble from this, then you already know it's a problem. No point in making it seem like my problem stands alone when you just said it doesn't...
(2011-04-11, 05:33 PM)labrocca Wrote: I think you're wasting your own time trying to find the entry now. If you know it happened weeks ago then getting more data is unlikely. You should concentrate on securing everything. If you get penetrated again you'll have fresh logs and a better idea of entry. I'd make damn sure all your MyBB files are 1.6.2 then carefully check plugins. Look for ones poorly written, have upload capability, or not widely used. Widely used plugins are less likely to be a problem because you'd see more sites getting pwnd.
You're probably right. We're going to spend the next few days continuing to try to detect the point of entry. The site's down right now so there aren't any extra logs to sift through. But you're right, being that he's had access to all these files for so long, without reviewing the actual code of every single file he accessed or viewed and WHY he would access and view them, it's going to be hard to find that entry point.
The point is that either MyBB or one of the plugins I used was vulnerable and we're just trying to find out what happened. If it would be better, we can just reinstall everything from scratch, upload the database from before he should have had access, install only a couple of plugins required for the site to maintain its purpose, and submit all the logs and files to MyBB for review on their own. There's really no point in me doing all this, or for my sysadmin to. We didn't write MyBB, we didn't write this software, and we don't really know what we're looking for or where to look.
(2011-04-11, 05:33 PM)labrocca Wrote: When you do upgrades do you manually patch or use upgraded files package?
Most of the time I just upload the patches and write over the old files as the instructions say to do. I don't reinstall MyBB altogether unless it requires it.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: I don't hold much faith in the pm system here (as is obvious, I still haven't been contacted by a single MyBB Developer or Security administrator).
To say what? You're going to put people on a wild goose chase.
Alright. No problem then. I'd like to ask the lead developer of MyBB to just ignore this thread and continue to let his software be attacked. No problem. No labrocca, I expect a response when I tell a dev there's a possible problem with his software. I don't expect to be ignored and shut down by the community because they have so much faith in their precious software. Nothing is perfect, no, not even the godly MyBB. So I've asked twice now, I'll ask again for good measure:
MyBB admin: please move this thread to private sector. Thank you.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: They have a bug reporting system but nothing for reporting possible security risks.
When I've found actual vulns I've PMed the lead developer (currently Tomm M) and have always gotten a fast response and quick action if indeed a real vuln is found. One time it was patched and they released a security update in under 2 hours of contact.
Well, I'm certainly glad they listen to you. It seems unless you're a well-known coder they don't pay much attention. If an admin WERE reading this thread, they seem to have not read it well, as they missed the part where I asked for it to be moved.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: 2. We're willing to track down and pursue each and every individual involved in this attack, who will be prosecuted to the fullest extent of the law.
Given the terrible English I saw in his messages to you, that's a waste of your time as well. 99% of these clowns are in some country with either no cyberlaws or don't give a crap.
We know who the attacker is, and we know what team he works with. It's all over the internet. He's Italian, lives in Italy, is a minor who registered his site under his mother's name. Italy has very strict cyber laws in case you didn't know. His English is also very good; the text he was using and the font style is known as "l33t" talk, which you've seen on your own site. And just because English isn't your first language, it doesn't disqualify you from being a skilled hacker...tell that to the Chinese who hacked the Pentagon, I'm sure their English sucks too.
(2011-04-11, 05:33 PM)labrocca Wrote: Quote: If MyBB is NOT where the exploit is we will make note of it and make it very clear that it is secure.
Should be the other way around. You should contact MYBB if you find evidence it's MyBB. MyBB team should not waste their time every time a site is hacked and admin doesn't know why.
I know WHY the site was hacked, I know what files he used to hack the site, I know he uploaded a shell, I know that shell is extremely similar to the one in a previous exploit of MyBB. I'm not just a site admin whose site was hacked and doesn't know why. I'm a site admin whose site was hacked and everything at the moment is pointing towards a previous exploit in MyBB. I AM, as I've said several times, researching ALL software on my server. It's just too ironic that this exploit is so similar to the last one, which draws my attention to MyBB, naturally.
ADMIN, PLEASE MOVE THIS THREAD TO A PRIVATE SECTOR. THANK YOU.
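The backtracking procedure labrocca describes (find the shell, grep for requests to it, grep for the IPs that made them, then look at what those IPs did earlier) as an added Python example; this is not code from the thread or from MyBB. It parses constructed Apache combined-format log lines, keeps every IP that requested the shell file named in the thread (inc_inc.php), and lists that IP's requests from before its first shell hit, which is where the upload or entry request should be; the log layout, the sample paths and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache/nginx "combined" log layout: ip ident user [time] "req" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one visitor (203.0.113.7) posts a reply and then fetches the
# web shell twice; an unrelated visitor and one corrupt line are included on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2011:02:14:03 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2011:02:15:40 +0000] "POST /forum/newreply.php?tid=12 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2011:02:15:55 +0000] "GET /forum/showthread.php?tid=5 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
this line is corrupt and is skipped by the parser
203.0.113.7 - - [20/Mar/2011:02:16:02 +0000] "GET /forum/inc/inc_inc.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2011:11:02:17 +0000] "GET /forum/inc/inc_inc.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def backtrack(log_lines, shell_name):
    """For each IP that ever requested shell_name, return its requests that precede its
    first shell hit, oldest first: these are the candidate upload/entry requests."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_lines)):   # drop garbled lines
        by_ip[rec[0]].append(rec)
    result = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        hits = [r for r in recs if r[3].rsplit("/", 1)[-1] == shell_name]
        if hits:   # only IPs that touched the shell are of interest
            first_hit = hits[0][1]
            result[ip] = [(r[1], r[2], r[3], r[4]) for r in recs if r[1] < first_hit]
    return result
```

On a real server, replace SAMPLE_LOG with the lines of the access log (all rotated copies included, since the thread notes the upload was weeks earlier) and look at the POST requests the function returns first.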