MyBB Community Forums
Now, I may be getting paranoid here, but... - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: 1.8 Support (https://community.mybb.com/forum-175.html)
+--- Forum: Security Management and Support (https://community.mybb.com/forum-179.html)
+--- Thread: Now, I may be getting paranoid here, but... (/thread-193102.html)



Now, I may be getting paranoid here, but... - Wiggo - 2016-05-16

Putting on my black hat for a second, assuming I got ftp or server access to a forum, I would edit config.php and add my uid as the new superadmin. Then I'd remove any other superadmins and log in to the forum ACP. All admins deleted, and I am in full control. Time to sit back and stroke my white cat.

Putting on my white hat, I'd  want to be prepared for this, so I would have one or two 'sleeper' accounts in the database. Regular users, a few posts, nothing to attract attention.

So I come to log in as admin to find I've been hacked and locked out. I log in as one of my 'sleepers' and add a post. A bit like the /slap and /me functions, I have added something to /inc/class_parser.php so when I post "/super" on a line of it's own, it writes my uid to the list of superadmins in config.php.

Anything wrong with this as a backdoor? I'm a php noob, so any clues or pointers gratefully received.

I know I could do the same thing via FTP, but wearing my black hat, I'd delete all FTP accounts bar my own...


RE: Now, I may be getting paranoid here, but... - Nathan Malcolm - 2016-05-16

Super admins cannot be edited or deleted by other admins. Being a super admin doesn't automatically make you an admin, you still need to be a part of the admin usergroup.

If a hacker is smart they'll gain access without making any significant noise. If your forum does get hacked you should ask your webhost to disable your account and work with them to discover the source of the breach. Fix the issue, make sure they haven't added any backdoors, and alert your members to the breach.


RE: Now, I may be getting paranoid here, but... - Euan T - 2016-05-16

(2016-05-16, 04:07 PM)Nathan Malcolm Wrote: Super admins cannot be edited or deleted by other admins. Being a super admin doesn't automatically make you an admin, you still need to be a part of the admin usergroup.

If a hacker is smart they'll gain access without making any significant noise. If your forum does get hacked you should ask your webhost to disable your account and work with them to discover the source of the breach. Fix the issue, make sure they haven't added any backdoors, and alert your members to the breach.

Exactly. Especially the "alert your members to the breach" part - I've seen too many sites try to cover up and act natural, which is stupid.


RE: Now, I may be getting paranoid here, but... - Wiggo - 2016-05-16

No way we'd try to cover up, I'm just looking for a fast way to get control back. Three admins, different parts of the country and the one with the ISP/hosting contract is the most technically challenged.

Right now, I'm trying to hack the /me code, but with limited success, but that's me being lousy at php. I can get it to pick up my UID, but I'm damned if |I can make it write that to a test file for now...


RE: Now, I may be getting paranoid here, but... - Devilshakerz - 2016-05-16

(2016-05-16, 06:27 PM)Wiggo Wrote: Right now, I'm trying to hack the /me code, but with limited success, but that's me being lousy at php. I can get it to pick up my UID, but I'm damned if |I can make it write that to a test file for now...

Feel free to tinker, but it's not recommended to leave such backdoors in the source code - it would cause problems with updates if it's the core that's being modified; additionally, it would create another way of intrusion when somebody learns how it works (you're building a system that relies on obscurity).
You should focus on choosing a secure and trusted hosting provider and domain registrar, taking care of infrastructure management properly (up to date software, secure passwords/keys and so on, depending on whether you're running servers on your own) and monitoring.

When a third party gains access to your FTP account, taking care of a MyBB installation is not really a priority - you should rather deactivate channels that might have been compromised, disable web access to your websites and begin the recovery process.


RE: Now, I may be getting paranoid here, but... - laie_techie - 2016-05-17

(2016-05-16, 06:55 PM)Devilshakerz Wrote: When a third party gains access to your FTP account, taking care of a MyBB installation is not really a priority - you should rather deactivate channels that might have been compromised, disable web access to your websites and begin the recovery process.


This a hundred times over. If a hacker gains FTP or shell access, all bets are off.


RE: Now, I may be getting paranoid here, but... - Lunorian - 2016-05-22

Why not just make frequent backups? I have backups automated for every 15 minutes beyond several other strict security measures including (but not limited to):

* SSH Locked to Specific IP
* HTTPS/HTTP only connectable by CloudFlare
* No Publically Available Ports
(These measures are enforced by an external firewall.)

The backups are sent offsite.

You shouldn't need a backdoor. You should only need frequent backups. Also use secure passwords. It'll save you a lot of time.