MyBB Community Forums

Full Version: Board hacked - help for prevention
Hello,

This morning my board was hacked. I was away all day so have just come back to a complete bombshell. Thankfully my site wasn't the most popular in the world and can easily be re-built, but I'd like to get some advice for the future and also if you are able to identify the specific exploit if you've seen this type of thing before.

I was running 1.6.2.

The board was closed, all of the users were made admins and a "you are banned" message was displayed for me on the board even though I was logged in and could access the ACP. The board was at some point re-opened, and this message was left in the offline note area (though not in the ACP notes area).

Quote: This board was put offline to show an example of how easy it is to get into boards.

Use better security.

~SecIllusions

That's about it. I haven't checked into files and the like to see if there's any malicious code, mainly because I don't know where to look.

In case it helps, I also received about 5 PM's with porn links in. I don't know if that is a part of it.

Thanks in advance.

EDIT: You know what, I actually know who did it now (well it could be anyone, it's just I know someone that lives at the IP I just traced). I knew it was through me (I am a secondary admin, the root admin's DP wasn't changed). Since I was targeted, I realise he must know me. Anyway the point is, was this a simple password breach (in which case I am screwed) or is there another MyBB exploit that he could have taken?
The most important thing to start off with is to upgrade to MyBB 1.6.3, which was released well over a month ago. It does fix security vulnerabilities known in 1.6.2, which are well publicised on the internet by now.

If you have retaken the ACP, then take a look at the Admin Logs - it's surprising how many hackers don't remove these, yet they leave a complete footprint of what they did. You can also review the host server logs for activity.
MyBB 1.6.2 did have an XSS vulnerability. But I don't think it can help him crack your password.
Another thing is, your PC might have been compromised too with a keylogger or RAT, which might have helped him get your login info. Make sure your PC isn't infected (try scanning with Malwarebytes).

Right, I see. Well, the logs are pretty basic. They're all from the same IP and he is STILL ON HERE changing settings. It actually happened just a while before I got home.

It's backwards - I regained ACP access via the root admin "admin". He is logged in to my account "Sheza" from the IP I traced.

He just added 4 IP bans, even banning the IP of the "admin" - although since I do not usually use this account he didn't ban me, just the other person (my site is a joint venture).

Thing is, he's still there. How do I shut him out?
Here are the entire logs.

PLEASE NOTE: Actions by ME are "admin". Actions by the HACKER are "Sheza".

Sheza 	24th May 2011, 8:50 	Viewed IP addresses associated with user #3 (Sheza) 	194.83.191.3
Sheza 	24th May 2011, 8:49 	Added IP ban #1 (194.83.191.3) 	194.83.191.3
Sheza 	24th May 2011, 8:46 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 8:44 	Deleted user #88 (humpdabump) 	194.83.191.3
Sheza 	24th May 2011, 8:43 	Deleted user #89 (FAPSTORM) 	194.83.191.3
Sheza 	24th May 2011, 8:43 	Deleted user #87 (cumpilation) 	194.83.191.3
Sheza 	24th May 2011, 8:42 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 8:42 	Deleted theme #2 (Default) 	194.83.191.3
Sheza 	24th May 2011, 8:42 	Deleted theme #4 (dark) 	194.83.191.3
Sheza 	24th May 2011, 9:09 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:08 	Deleted theme #7 (wegft) 	194.83.191.3
Sheza 	24th May 2011, 9:03 	Set theme #7 (wegft) as default 	194.83.191.3
Sheza 	24th May 2011, 9:03 	Edited theme #7 (wegft) 	194.83.191.3
Sheza 	24th May 2011, 9:02 	Created theme #7 (wegft) 	194.83.191.3
Sheza 	24th May 2011, 9:01 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 8:58 	Removed IP ban #1 (194.83.191.3) 	194.83.191.3
Sheza 	24th May 2011, 8:54 	Edited 6 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 8:54 	Edited 20 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 8:54 	Edited 20 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 8:54 	Edited 20 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 8:54 	Edited 19 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #86 (3sMi5g615E) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #83 (BillyN220H624B) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #76 (jasdimner7595) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #81 (KirkHerb) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #75 (jasdimner551D) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #66 (minnadebnam) 	194.83.191.3
Sheza 	24th May 2011, 8:53 	Lifted ban for user #41 (burch2011) 	194.83.191.3
Sheza 	24th May 2011, 8:50 	Added IP ban #2 (82.3.247.18) 	194.83.191.3
Sheza 	24th May 2011, 9:24 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
admin 	24th May 2011, 9:23 	Edited 1 user(s) primary / additional / display usergroup 	82.3.247.18
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
admin 	24th May 2011, 9:23 	Edited 14 user(s) primary / additional / display usergroup 	82.3.247.18
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:23 	Changed board settings 	194.83.191.3
admin 	24th May 2011, 9:22 	Edited user #57 (alvertaAD21) 	82.3.247.18
admin 	24th May 2011, 9:22 	Edited user #86 (3sMi5g615E) 	82.3.247.18
admin 	24th May 2011, 9:21 	Edited user #18 (badfeels) 	82.3.247.18
admin 	24th May 2011, 9:20 	Deleted user #48 (baaadfbA4E3) 	82.3.247.18
admin 	24th May 2011, 9:20 	Deleted user #52 (abbie9140) 	82.3.247.18
Sheza 	24th May 2011, 9:20 	Added IP ban #3 (82.3.247.18) 	194.83.191.3
Sheza 	24th May 2011, 9:20 	Viewed IP addresses associated with user #3 (Sheza) 	194.83.191.3
admin 	24th May 2011, 9:20 	Deleted user #67 (AOD_TheBrettman) 	82.3.247.18
Sheza 	24th May 2011, 9:20 	Changed board settings 	194.83.191.3
admin 	24th May 2011, 9:13 	Changed board settings 	82.3.247.18
Sheza 	24th May 2011, 9:11 	Disabled task #9 (Mass Mail) 	194.83.191.3
admin 	24th May 2011, 9:54 	Removed IP ban #4 (64.56.225.188) 	82.3.247.18
admin 	24th May 2011, 9:54 	Removed IP ban #5 (64.56.248.206) 	82.3.247.18
admin 	24th May 2011, 9:54 	Removed IP ban #6 (207.112.44.225) 	82.3.247.18
admin 	24th May 2011, 9:54 	Removed IP ban #3 (82.3.247.18) 	82.3.247.18
admin 	24th May 2011, 9:54 	Removed IP ban #2 (82.3.247.18) 	82.3.247.18
admin 	24th May 2011, 9:54 	Added IP ban #7 (194.83.191.3) 	82.3.247.18
admin 	24th May 2011, 9:47 	Changed board settings 	82.3.247.18
admin 	24th May 2011, 9:44 	Viewed IP addresses associated with user #1 (admin) 	82.3.247.18
admin 	24th May 2011, 9:43 	Edited 19 user(s) primary / additional / display usergroup 	82.3.247.18
Sheza 	24th May 2011, 9:37 	Edited 20 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 9:37 	Edited 20 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 9:37 	Edited 19 user(s) primary / additional / display usergroup 	194.83.191.3
Sheza 	24th May 2011, 9:36 	Optimized database tables: mybb_adminlog, mybb_adminoptions, mybb_adminsessions, mybb_adminviews, mybb_announcements, mybb_attachments, mybb_attachtypes, mybb_awaitingactivation, mybb_badwords, mybb_banfilters, mybb_banned, mybb_calendarpermissions, mybb_calendars, mybb_captcha, mybb_datacache, mybb_delayedmoderation, mybb_events, mybb_forumpermissions, mybb_forums, mybb_forumsread, mybb_forumsubscriptions, mybb_groupleaders, mybb_helpdocs, mybb_helpsections, mybb_icons, mybb_joinrequests, mybb_mailerrors, mybb_maillogs, mybb_mailqueue, mybb_massemails, mybb_moderatorlog, mybb_moderators, mybb_modtools, mybb_mycode, mybb_polls, mybb_pollvotes, mybb_posts, mybb_privatemessages, mybb_profilefields, mybb_promotionlogs, mybb_promotions, mybb_reportedposts, mybb_reputation, mybb_searchlog, mybb_sessions, mybb_settinggroups, mybb_settings, mybb_smilies, mybb_spiders, mybb_stats, mybb_tasklog, mybb_tasks, mybb_templategroups, mybb_templates, mybb_templatesets, mybb_themes, mybb_themestylesheets, mybb_threadprefixes, mybb_threadratings, mybb_threads, mybb_threadsread, mybb_threadsubscriptions, mybb_threadviews, mybb_userfields, mybb_usergroups, mybb_users, mybb_usertitles, mybb_warninglevels, mybb_warnings, mybb_warningtypes 	194.83.191.3
Sheza 	24th May 2011, 9:32 	Changed board settings 	194.83.191.3
Sheza 	24th May 2011, 9:31 	Added IP ban #6 (207.112.44.225) 	194.83.191.3
Sheza 	24th May 2011, 9:31 	Added IP ban #5 (64.56.248.206) 	194.83.191.3
Sheza 	24th May 2011, 9:30 	Added IP ban #4 (64.56.225.188) 	194.83.191.3
Sheza 	24th May 2011, 9:30 	Viewed IP addresses associated with user #1 (admin) 	194.83.191.3
admin 	24th May 2011, 9:25 	Edited 19 user(s) primary / additional / display usergroup 	82.3.247.18
admin 	24th May 2011, 9:24 	Edited 20 user(s) primary / additional / display usergroup 	82.3.247.18

EDIT 2: The "You are banned" message was a custom theme. I have since restored the theme.
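One way to triage an admin log like the one pasted above, as an added example that is not part of the original thread: parse the tab-separated rows, restore chronological order (the ACP lists newest first and several pages were pasted), and flag control-changing actions that came from an IP outside the admins' own. The sample rows are copied from the log above; the set of trusted IPs is an assumption you would fill in from your own records.

```python
import re
from datetime import datetime

# Constructed sample in the format of the admin log posted above (rows taken from it):
# "<user>\t<date>\t<action>\t<source IP>"
SAMPLE_LOG = """\
Sheza \t24th May 2011, 8:50 \tViewed IP addresses associated with user #3 (Sheza) \t194.83.191.3
Sheza \t24th May 2011, 8:49 \tAdded IP ban #1 (194.83.191.3) \t194.83.191.3
Sheza \t24th May 2011, 8:54 \tEdited 20 user(s) primary / additional / display usergroup \t194.83.191.3
Sheza \t24th May 2011, 9:11 \tDisabled task #9 (Mass Mail) \t194.83.191.3
admin \t24th May 2011, 9:13 \tChanged board settings \t82.3.247.18
admin \t24th May 2011, 9:54 \tAdded IP ban #7 (194.83.191.3) \t82.3.247.18
"""

# Actions that change who controls the board or undo defensive measures.
HIGH_RISK = re.compile(
    r"^(Edited \d+ user\(s\) primary|Added IP ban|Removed IP ban|Lifted ban|"
    r"Deleted user|Deleted theme|Disabled task|Set theme)"
)

def parse_log(text):
    """Parse tab-separated MyBB admin log rows and return them oldest first.
    The pasted order is not chronological, so we sort on the parsed timestamp."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4:
            continue  # skip blank or header lines
        user, when, action, ip = parts
        when = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", when)  # "24th May" -> "24 May"
        ts = datetime.strptime(when, "%d %B %Y, %H:%M")
        rows.append({"user": user, "time": ts, "action": action, "ip": ip})
    return sorted(rows, key=lambda r: r["time"])

def triage(rows, trusted_ips):
    """High-risk actions from an IP outside the admins' own known set.
    trusted_ips is an assumption: the addresses the real admins use."""
    return [r for r in rows if r["ip"] not in trusted_ips and HIGH_RISK.match(r["action"])]

def ips_per_account(rows):
    """Source IPs seen per admin account; a second IP on one account is the
    'he is logged in to my account' signal described in the thread."""
    seen = {}
    for r in rows:
        seen.setdefault(r["user"], set()).add(r["ip"])
    return seen

if __name__ == "__main__":
    for r in triage(parse_log(SAMPLE_LOG), {"82.3.247.18"}):
        print(r["time"].strftime("%H:%M"), r["user"], r["ip"], r["action"])
```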
Um, put an IP ban on him, remove all other accounts from the admin group, change your password, scan your computer for viruses or keyloggers, and upgrade to the latest version of MyBB.
I have IP banned him, but am not sure if this has actually helped.

I am pretty darn sure I don't have a keylogger. As I said, I'm pretty sure I know who this person is and have had no correspondence that involved anything more than text chat with him for a long time.
Related question that you may not know the answer to: could there be any sanctions against this person? The hack was done on his college campus network.
Well he confessed pretty quick, I'm just trying to get the "why" out of him now.

And you were right - it was an exploit in the outdated MyBB.
Wait, so you have an admin user with the username "admin"? Sounds like you were almost asking to be hacked.

As stated above, upgrade to the newest version of MyBB, IP ban the attacker (do it via .htaccess if you have to), then set your board offline and undo all of the changes. Now, set about securing your site using one of the countless tutorials on doing so. I have one on my own site that will help (not advertising or anything): http://www.mypurebb.com/110-simple-steps...our-forum/
(2011-05-24, 04:31 PM) euantor Wrote: Wait, so you have an admin user with the username "admin"? Sounds like you were almost asking to be hacked.

As stated above, upgrade to the newest version of MyBB, IP ban the attacker (do it via .htaccess if you have to), then set your board offline and undo all of the changes. Now, set about securing your site using one of the countless tutorials on doing so. I have one on my own site that will help (not advertising or anything): http://www.mypurebb.com/110-simple-steps...our-forum/
All is back to normal and changes reversed. Apparently he was just messing around.

The breach was done with the admin account "Sheza" though. Not "admin".

I'll use your guide. Thanks.