MyBB Community Forums

Full Version: private.php SQL injection
In my logs there are a lot of urls such as
/forum/private.php?fid=999999.9+UNION+ALL+SELECT+0x31303235343830303536--
/forum/private.php?fid=999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--

Is private.php ok for such things?

I was just (successfully) attacked and I am looking for GET injections in the logs (the site has a lot of other code besides the forum).
Just noticed that there are a lot of these for private.php.

So, private.php has no problems with such things, yes?
None that the team is aware of. Security vulnerabilities are patched immediately.

Are you running the latest version?
Yes, the latest version.
My suspicion of MyBB is very low, because the site had a lot of "not good" code and inputs :)

Then there is no problem.
You should be fine on the MyBB side; there are no known security vulnerabilities. But if you find one, be sure to report it:

http://www.mybb.com/contact
The fid value from the URL is sanitized in ./inc/class_core.php; there's no vulnerability, just an idiot hacker trying to look for a vulnerability that doesn't exist. If you were to visit private.php with that URL and echo out the fid value, it would just echo 999999 and ignore the rest.
Once again, MyBB is steps ahead of the hackers :D
Yep, MyBB is innocent.
I've found where the problem was.
It was "?id=x". Unescaped, uncast, unprepared. With a database user that has all privileges on all databases.
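Added example, not code from MyBB or from anyone in this thread. It ties together the two technical points above: the reply explaining that casting fid to an integer leaves only 999999 of the logged probe, and the last post's actual bug, an unescaped and uncast "?id=x". The block decodes the second logged URL to show what the scanner was fishing for (MySQL evaluates a 0x... literal as the string it encodes, so the three hex literals are a marker the scanner expects to see echoed back), emulates PHP's (int) cast as an approximation, and runs a UNION payload of the same shape against a vulnerable and a hardened lookup on a small SQLite table built in the script. The `articles` and `users` tables, the `ATTACK_ID` payload, and the function names are all constructed for this demo; the payload uses string columns instead of 0x literals because SQLite has no MySQL-style hex strings.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the second probe URL from the log excerpt in the thread.
PROBE_URL = ("/forum/private.php?fid=999999.9+UNION+ALL+SELECT+0x31303235343830303536"
             "%2C0x31303235343830303536%2C0x31303235343830303536--")

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
UNION_PROBE = re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE)


def decode_probe(url):
    """Return {param: (decoded_value, [marker strings])} for every query
    parameter whose value looks like a UNION SELECT probe.  MySQL evaluates
    0x3130... as the string it encodes, so a scanner sending this expects
    to see that marker echoed back if the injected column is rendered."""
    hits = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if UNION_PROBE.search(value):
                markers = [bytes.fromhex(h).decode("ascii", "replace")
                           for h in HEX_LITERAL.findall(value) if len(h) % 2 == 0]
                hits[name] = (value, markers)
    return hits


def php_int_cast(value):
    """Approximation of PHP's (int) cast on a string: keep the leading
    integer prefix, otherwise 0.  This is the behaviour the reply above
    attributes to MyBB's handling of fid; it is emulated here for the demo."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_db():
    """Constructed in-memory schema standing in for the OP's non-forum code."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'public text');
        INSERT INTO users VALUES (1, 'admin', 'hunter2-hash');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The '?id=x' bug from the last post: unescaped, uncast, interpolated."""
    return conn.execute(
        f"SELECT id, title, body FROM articles WHERE id = {raw_id}").fetchall()


def lookup_hardened(conn, raw_id):
    """Cast to int and bind as a parameter; the tail of the payload never
    reaches the SQL parser, which is why the logged probe is harmless here."""
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?",
        (php_int_cast(raw_id),)).fetchall()


# Constructed data-extracting payload in the same shape as the logged probe.
ATTACK_ID = "999999.9 UNION ALL SELECT uid, username, password FROM users--"


def demo():
    conn = build_db()
    return {
        "probe": decode_probe(PROBE_URL),
        "vulnerable": lookup_vulnerable(conn, ATTACK_ID),
        "hardened": lookup_hardened(conn, ATTACK_ID),
        "cast": php_int_cast("999999.9 UNION ALL SELECT 0x31303235343830303536--"),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, "->", result)
```

Running it shows the vulnerable lookup returning the `users` row through the UNION, the hardened lookup returning nothing because only 999999 survives the cast, and the probe's three hex literals decoding to the same marker string. Grepping access logs for that decoded marker, or for the 0x literal itself, is a quick way to separate this scanner's noise from the parameter that was actually exploited.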