MyBB Community Forums

Full Version: Bug
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3
Nice discussion,
Important for who have Dedicated/VPS server for their MyBB Wink
Periodically, my server checked by my friend's "hacker" for exploit (the server and MyBB itself).
You have to remember what is on your own server, the directory with files etc. Except, you're a hosting company.

Seeking for directory log as Labrocca said is simple way to detect intruder.
Some firewall software can do.

Ah, it's been long I never check my server logs :lol:
(04-11-2011, 04:47 PM)StefanT Wrote: [ -> ]
(04-11-2011, 04:04 PM)MasterZuFu Wrote: [ -> ]The devs can say how clean and clear MyBB is all day long, but until it's ruled out, in my book, it's not.
No member of the team said this?

Quote:Reporting MyBB security vulnerabilities

If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page.

Where is that located at?

(04-11-2011, 05:05 PM)grave Wrote: [ -> ]And yes, there is one plugin which I think is orange scary too, :- "missyouemail plugin", I dont remember where i found that, But I think someone must go through that plugin too and find if there is something wrong in it, or is it my mistake. About Exploit, Exploit doesn't just bump out from scratch, if any code open some error which can be handled by outside group than there you give hand to hackers to make some exploit, AS concerned with mybb, The devlopers code in such a way that there is no error at all.

I haven't seen or heard of that plugin. I might would think that it could be plugin that would be the problem. A few of them are from a previous version of mybb which still work in this version. I'm removing all of my plugins when I bring the site back up and putting in only a few that I need that are definitely the most up-to-date. A coder is human, humans make mistakes. I don't care how good a programmer is, they can still make a mistake (hence the reason most updates come out anyways)

(04-11-2011, 05:05 PM)grave Wrote: [ -> ]If you have not changed some files mannually, or if you have not used any such plugin which gives some error page, than your mybb is secured, but than this doesnt mean your site is secure, May be you could be victim of softwares being used by your host for your server.

So, Throwing some thread over here, like this its 10 time better to first,

1). check your plugin, & than
2). Match your mybb files in your cpanel with fresh mybb files after downloading only from here:- http://www.mybb.com/downloads, after matching all files,
3). Ask your host, what softwares they are using and what is the version-> well this should be on top and should be done while selecting your host.
4). Go through internet, verify the Version of software your host is using is latest and most important secured and is not having any exploit.

I'm not on a shared host, and the "host" that I do have is a personal server managed by a very good friend of mine who is an expert in linux server and security. The server wasn't the problem, we've already ruled that out via the logs. The skiddie never got to the server, only the website files. I'm looking at the software you mentioned, phpmyadmin is one, as well as piwik, mybb, all mybb plugins that were in stalled, i had absolutely no core changes to mybb. We're reviewing everything.

(04-11-2011, 05:05 PM)grave Wrote: [ -> ]About the error, and kind of files you are talking about is 75% similar to the exploit of phpmyadmin3.1.0 > Check that exploit properly and you will know the answer.
http://pastebin.com/qmDLER4h

I'll most certainly look at this exploit.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]Logs should be easily parsed with a couple grep commands.

Find shell.
Run grep for the shell command.
Run grep to search IP of shell user. Backtrack from there.

That's probably the best you can do given the fact they probably did their entry weeks ago.

We've done that over and over again, the problem is that he's accessed these files multiple times and it's impossible to find out which one he touched first. We know the date he uploaded the inc_inc.php file was more than two weeks ago though.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote: I'm not ruling anything out, and that's the stance I feel I should take.

Alarming the user base of MyBB is stupid. You might as well yell fire in the movie theater. What you're accomplishing with this thread is nothing. Your thread title says it all "Possible MyBB Exploit in 1.6 Version". You might as well say "Possible death of 2 billion people". Possible..sure. As the saying goes...anything is possible. You have no evidence of an exploit and the whole "I'm not ruling it out" is BS. You should first review all the plugins and your server. MyBB should be the last thing on your list to check. Seriously.

You're right, absolutely right and i apologize about that. I've already asked for the thread to be moved...still waiting.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:You as a website and system administrator should know that there is no such thing as "innocent until proven guilty" when it comes to security.

BS too. I don't waste my time with stuff that's improbable if I get hacked. I start reviewing the most likely scenario and situation.

If I'm hacked and certain files are looked at, I'm going to look at them too. I'm certainly not going to overpass a file just because I "think" it's secure. Heck, I THOUGHT the site was secure when I had it set up, and that's obviously not true. So why would I just pass over web software just because I 'think' it's secure? I'm not, I'm going to take the time to properly investigate this attack.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:and to be honest this exploit is looking a lot like the last mybb exploit.

As I suspected immediately. There are still people getting shelled from 1.6.1 and 1.6.0 even though they are on 1.6.2. I've seen this multiple times in the past few weeks. I get contacted a lot when MyBB forums are in trouble. So I see the trends and have a good idea of what's going on.

Why didn't you say this to start with? If this is the case, then it's obvious to me the patch isn't 'patched' and there's still a security vulnerability. If you've been contacted by people in trouble from this, then you already know it's a problem. No point in making it seem like my problem stands alone when you just said it doesn't...

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]I think you're wasting your own time trying to find the entry now. If you know it happened weeks ago then getting more data is unlikely. You should concentrate on securing everything. If you get penetrated again you'll have fresh logs and a better idea of entry. I'd make damn sure all your MyBB files are 1.6.2 then carefully check plugins. Look for ones poorly written, have upload capability, or not widely used. Widely used plugins are less likely to be a problem because you'd see more sites getting pwnd.

You're probably right. We're going to spend the next few days continuing to try to detect the point of entry. The site's down right now so there aren't any extra logs to sift through. But you're right, being that he's had access to all these files for so long, without reviewing the actual code of every single file he accessed or viewed and WHY he would access and view them, it's going to be hard to find that entry point.

The point is that either mybb or one of the plugins I used were vulnerable and we're just trying to find out what happened. If it would be better, we can just reinstall everything from scratch, upload the database from before he should have had access, and install only couple of plugins required for the site to maintain it's purpose and submit all the logs and files to mybb for review on their own. There's really no point in me doing all this or for my sys admin to. We didn't write MyBB, we didn't write this software, and we don't really know what we're looking for or where to look.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]When you do upgrades do you manually patch or use upgraded files package?

Most of the time i just upload the patches and rewrite over the old files as the instructions say to do. I don't reinstall mybb altogether unless it requires it.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:I don't hold much faith in the pm system here (as is obvious, I still haven't been contacted by a single MyBB Developer or Security administrator).

To say what? You're going to put people on a wild goose chase.

Alright. No problem then. I'd like to ask the lead developer of mybb to just ignore this thread and continue to let his software be attacked. No problem. No labrocca, I expect a respond when I tell a dev there's a possible problem with his software. i don't expect to be ignored and shut down by the community because they have so much faith in their precious software. Nothing is perfect, no not even the godly mybb. So I've asked twice now, I'll ask again for good measure:

MyBB admin: please move this thread to private sector. Thank you.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:They have a bug reporting system but nothing for reporting possible security risks.

When I've found actual vulns I've PMed the lead developer (currently Tomm M) and have always gotten a fast response and quick action if indeed a real vuln is found. One time it was patched and they released a security update in under 2 hours of contact.

Well, I'm certainly glad they listen to you Smile seems unless you're a well known coder they don't pay much attention. If an admin WERE reading this thread, they seem to have not read it well as they missed the part where I asked for it to be moved.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:2. We're willing to track down and pursue each and every individual involved in this attack, who will be prosecuted to the fullest extent of the law.

Given the terrible english I saw in his messages to you. That's a waste of your time as well. 99% of these clowns are in some country with either no cyberlaws or don't give a crap.

We know who the attacker is, and we know what team he works with. It's all over the internet. He's italian, lives in italy, is a minor who registered his site under his mother's name. Italy has very strict cyber laws in case you didn't know. His english is also very well, the text he was using and the font style was known as "l33t" talk, which you've seen on your own site. And just because english isn't your first language it doesn't disqualify you from being a skilled hacker...tell that to the chinese who hacked the pentagon, i'm sure their english sucks too.

(04-11-2011, 05:33 PM)labrocca Wrote: [ -> ]
Quote:If MyBB is NOT where the exploit is we will make note of it and make it very clear that it is secure.

Should be the other way around. You should contact MYBB if you find evidence it's MyBB. MyBB team should not waste their time every time a site is hacked and admin doesn't know why.
[/quote]

I know WHY the site was hacked, I know what files he used to hack the site, I know he uploaded a shell, I know that shell is extremely similar to the one in a previous exploit of mybb, I'm not just a site admin who's site was hacked and doesn't know why. I'm a site admin who's site was hacked and everything at the moment is pointing towards a previous exploit in MyBB. I AM, as I've said several times, researching ALL software on my server. It's just too ironic that this exploit is so similar to the last one, which draws my attention to MyBB, naturally.







ADMIN, PLEASE MOVE THIS THREAD TO A PRIVATE SECTOR. THANK YOU.
If you find something important than use this link,
http://www.mybb.com/contact
and let developer and support team talk about this in public, they know better way to discuss such topics in public.

and end this topic.
Just clearing up Labrocca's quote of

Quote:As I suspected immediately. There are still people getting shelled from 1.6.1 and 1.6.0 even though they are on 1.6.2. I've seen this multiple times in the past few weeks. I get contacted a lot when MyBB forums are in trouble. So I see the trends and have a good idea of what's going on.

I'm fairly sure that he means that a lot of people are still "getting attacked" when in actual fact, the exploit was exploited before they actually upgraded to version 1.6.2 - if the released patch did not actually work, we'd all know about it by now and a new patch would be here.
(04-11-2011, 06:35 PM)euantor Wrote: [ -> ]Just clearing up Labrocca's quote of

Quote:As I suspected immediately. There are still people getting shelled from 1.6.1 and 1.6.0 even though they are on 1.6.2. I've seen this multiple times in the past few weeks. I get contacted a lot when MyBB forums are in trouble. So I see the trends and have a good idea of what's going on.

I'm fairly sure that he means that a lot of people are still "getting attacked" when in actual fact, the exploit was exploited before they actually upgraded to version 1.6.2 - if the released patch did not actually work, we'd all know about it by now and a new patch would be here.

that does clear it up, thanks.
Also, on the point of getting your thread moved, PM a staff member. This place gets a lot of activity and it's extremely easy to miss one post among the million others. PMing a staff member will have much more effect.
Already done. I reported the first post so a mod will see it. I also changed the title of the post to make it less likely to get seen.
Quote:Why didn't you say this to start with?

I did. Look on page 1 my second post. And patching only secures the current version. If you've already got a shell uploaded there is nothing MyBB can do to stop that.

Quote:If this is the case, then it's obvious to me the patch isn't 'patched' and there's still a security vulnerability.

Your lack of understanding basics is frustrating beyond all belief.

Quote:We're going to spend the next few days continuing to try to detect the point of entry.

You are wasting your time. Seriously. All you have to do is upload a fresh MyBB 1.6.2 and overwrite all files except /inc/settings.php and inc/config.php. Do a recursive grep for "exec" in your http root to make sure no shells are in your system.

Just clean up for F*CKS sake! You're so worried about "prosecuting to the fullest extent of the law" that you're blinded by the fact you'll never be secure as long as you don't have any idea of what you're talking about. For years now it's the same story with you. You think you know things and you don't. Get a sys admin or a decent host and do regular backups. Accept the fact you're not good at security or server administration. Fall back onto something else because computer security...you suck at. You can't even do decent forensics.

Quote: and submit all the logs and files to mybb for review on their own. There's really no point in me doing all this or for my sys admin to. We didn't write MyBB, we didn't write this software, and we don't really know what we're looking for or where to look.

Wow. You just love the idea that it's someone else to blame don't you. It's someone else that must clean up your mess.

Quote:Most of the time i just upload the patches and rewrite over the old files as the instructions say to do.

You're saying 2 different things. The "patch" is not the "upgrade package". The patch is a file for manual edit or for running the actual patch command in shell. It's either one or the other.

Example patch file for 1.6.2: http://www.mybb.com/download/135

Quote:I'd like to ask the lead developer of mybb to just ignore this thread and continue to let his software be attacked.

SMACK..that's the sound of me whacking you from 10,000 miles away.

Quote:. i don't expect to be ignored and shut down by the community because they have so much faith in their precious software.

You have a strong reputation of being a bad admin. I wouldn't trust anything you say about MyBB or any software. You still don't have one shred of evidence it was MyBB core or even a plugin for that matter was exploited. The only thing you know is that weeks ago some shell was uploaded to your server. btw the inc_inc.php leads me to believe it was RFI. It's an ominous name.

Quote:seems unless you're a well known coder they don't pay much attention.

Seems if you're a BLANK they ignore you. You fill in the blank.

How fast do you upgrade when a security release is given? And before you upgraded did you review the changes to security and run any audits on your server/site to make sure it wasn't already exploited?

I'm so glad not to be on the MyBB team. I got $10 says I'm saying exactly what they wish they could but can't. Maybe I'm wrong about that but I have a feeling I'm not. I'm ticked off and I'm not even on the team. I can just imagine how they feel about this crap.
(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:Why didn't you say this to start with?

I did. Look on page 1 my second post. And patching only secures the current version. If you've already got a shell uploaded there is nothing MyBB can do to stop that.

Alright, my bad.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:If this is the case, then it's obvious to me the patch isn't 'patched' and there's still a security vulnerability.

Your lack of understanding basics is frustrating beyond all belief.

Well I understand it now.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:We're going to spend the next few days continuing to try to detect the point of entry.

You are wasting your time. Seriously. All you have to do is upload a fresh MyBB 1.6.2 and overwrite all files except /inc/settings.php and inc/config.php. Do a recursive grep for "exec" in your http root to make sure no shells are in your system.

Maybe you misunderstood me. We're going to re-install the whole thing from scratch and drop a bunch of plugin's etc. It doesn't mean we're not going to stop investigating the attack. Because obviously a vulnerability was exploited somewhere.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]Just clean up for F*CKS sake! You're so worried about "prosecuting to the fullest extent of the law" that you're blinded by the fact you'll never be secure as long as you don't have any idea of what you're talking about. For years now it's the same story with you. You think you know things and you don't. Get a sys admin or a decent host and do regular backups. Accept the fact you're not good at security or server administration. Fall back onto something else because computer security...you suck at. You can't even do decent forensics.

It has nothing to do with the law. I've already got enough evidence to incriminate the kid and I've already contacted my lawyer. What I'm doing know has to do with making sure no one else is attacked with the same problem.

I'm sure at one time you couldn't do decent forensics either. I'm not even going to comment further on that, that was just a bunch of of jerkish comments you made. I suggest you calm the f*** down.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote: and submit all the logs and files to mybb for review on their own. There's really no point in me doing all this or for my sys admin to. We didn't write MyBB, we didn't write this software, and we don't really know what we're looking for or where to look.

Wow. You just love the idea that it's someone else to blame don't you. It's someone else that must clean up your mess.

No, not at all. I posted here for help, I wasn't pointing fingers at anyone. I'm sorry you misundestood my being here in the first place, but you've misunderstood it. Stop reading this thread if you can't understand why I'm here. People change over years, just because you stay the same doesn't mean someone can't grow up. I got hacked, so what. Nothing of mine was damaged. I'm doing everything within the law that I can or should do. My primary concern now is to help out this community and find the vulnerability and secure it. It's not about putting some kid behind bars, it's about trying to help. I might not be as skilled at being a sys admin as you, or know as much about php or mybb as you, but you've been hacked WAY more times than I have, but you've also had a heck of a lot more experience than I have and you know a lot more.

I went about this the wrong way, I'm sorry, forgive me, whatever, ok? Back off will you? I'm just trying to do the right thing. At this point, the way everyone's reacted to this, screw it. Screw MyBB. Screw this whole team. I'm just trying to help and this is how I get treated? And screw you labrocca. Instead of calling names and being a jerk you could just freaking help people or just shut up. There's no point in crossing the line like you just did. >_>

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:Most of the time i just upload the patches and rewrite over the old files as the instructions say to do.

You're saying 2 different things. The "patch" is not the "upgrade package". The patch is a file for manual edit or for running the actual patch command in shell. It's either one or the other.

Example patch file for 1.6.2: http://www.mybb.com/download/135

Alright, thanks.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:I'd like to ask the lead developer of mybb to just ignore this thread and continue to let his software be attacked.

SMACK..that's the sound of me whacking you from 10,000 miles away.

It's obvious we're both frustrated. I suggest we take a cool down and just stop, ok?

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:. i don't expect to be ignored and shut down by the community because they have so much faith in their precious software.

You have a strong reputation of being a bad admin. I wouldn't trust anything you say about MyBB or any software. You still don't have one shred of evidence it was MyBB core or even a plugin for that matter was exploited. The only thing you know is that weeks ago some shell was uploaded to your server. btw the inc_inc.php leads me to believe it was RFI. It's an ominous name.

And I'm trying to get better at being a better admin. I don't care what you trust me with or what you don't trust me with. It's your system, trust whomever you want. I'm not attacking your admin skills or sysadmin skills, I don't understand why you have to go to the point of attacking me. I'm just trying to help here...for crying out loud >_>

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]
Quote:seems unless you're a well known coder they don't pay much attention.

Seems if you're a BLANK they ignore you. You fill in the blank.

Yeah, I've heard that from several previous members of the MyBB team....has something to say about the team now doesn't it?

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]How fast do you upgrade when a security release is given?


Since my last incident I've made it a point to upgrade as soon as I can, usually within 2-48 hours, no longer.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]And before you upgraded did you review the changes to security and run any audits on your server/site to make sure it wasn't already exploited?

No, I didn't do that. I've never seen anywhere HOW to scan for what's exploited. I look on the upgrades and it doesn't tell me how to do that, so I just assume that unless my site is exploited already,then it hasn't been. Obviously that's a new lesson I've had to learn. Would you happen to have any specific techniques to detect if an exploit has been made? For example, I didn't know about greb searching for that particular code.

(04-11-2011, 06:51 PM)labrocca Wrote: [ -> ]I'm so glad not to be on the MyBB team. I got $10 says I'm saying exactly what they wish they could but can't. Maybe I'm wrong about that but I have a feeling I'm not. I'm ticked off and I'm not even on the team. I can just imagine how they feel about this crap.

To be honest I don't care how you feel about this. I'm sorry that you're so arrogant that you feel that you've got to degrade other people just because you are better than they are. I admit and know your skill. You're good at what you do. It took you YEARS to get there. I haven't had that chance OR that opportunity. It's going to take me time to learn all the ins and outs of this, and attacks just happen. Pardon me for giving a crap and trying to do my best to help the rest of the community. Seems all I've done is screw it up anyways. But you can kindly go screw yourself sir, just go screw yourself. I don't care how pissed off you are, but it doesn't call for that kind of behavior. Go work on your f***ing professionalism mr. admin guru and SCREW YOU.
(04-11-2011, 07:17 PM)MasterZuFu Wrote: [ -> ]Screw MyBB. Screw this whole team.

Nice.
Pages: 1 2 3