MyBB Community Forums
[Security] My Forum Was Hacked! - Printable Version


My Forum Was Hacked! - CucumberSalads - 2021-02-18

Hello,

In 2007 I set up a MyBB forum for my local football team. For many years this was successful and I was a proud user of MyBB. Unfortunately, due to personal circumstances including health, the site went into decline, taken over by bots and eventually became nothing more than a legacy site.

This is the link to the website.

At some point within the past 2 years the site appears to have been hacked, with mysterious files added and changes on the root folder, where the MyBB installation lives. They had replaced index.php with something else. [FYI The WordPress installation on /news/ appears not to be affected.] I have complained to my host but they appear useless at this stage.

I cannot check current version for MyBB but I believe it is MyBB 1.6.4 so immediately I downloaded the old index.php from GitHub (MyBB 1618) and uploaded via FTP to get the site "working" again. 

Of course, through file manager there are lots of suspicious files. Various code words within these files include "user_kuontol", "IDBTE4M CODE87".

Suspicious files include: "ht.access.bak", "annilhilatingf.php", "craftedir.php", "esguvjpk.php", "solution.php".

Basically there are lots and lots on the root folder, and anything uploaded since 2019 is not me. 

I appreciate 1.6 is likely unsustainable and vulnerable so could anyone advise what to do now?

- I am thinking first step is to delete all of these files and upload new files from the MyBB 1618 copy I have.

Much appreciate help and advice. 

Mods - apologies if this is in the wrong space and if so pls kindly move as appropriate.


RE: My Forum Was Hacked! - dragonexpert - 2021-02-18

(2021-02-18, 05:18 PM)CucumberSalads Wrote: Hello,

In 2007 I set up a MyBB forum for my local football team. For many years this was successful and I was a proud user of MyBB. Unfortunately, due to personal circumstances including health, the site went into decline, taken over by bots and eventually became nothing more than a legacy site.

This is the link to the website.

At some point within the past 2 years the site appears to have been hacked, with mysterious files added and changes on the root folder, where the MyBB installation lives. They had replaced index.php with something else. [FYI The WordPress installation on /news/ appears not to be affected.] I have complained to my host but they appear useless at this stage.

I cannot check current version for MyBB but I believe it is MyBB 1.6.4 so immediately I downloaded the old index.php from GitHub (MyBB 1618) and uploaded via FTP to get the site "working" again. 

Of course, through file manager there are lots of suspicious files. Various code words within these files include "user_kuontol", "IDBTE4M CODE87".

Suspicious files include: "ht.access.bak", "annilhilatingf.php", "craftedir.php", "esguvjpk.php", "solution.php".

MyBB does not use any of these files and yes I would be willing to bet they are malicious.

Quote:Basically there are lots and lots on the root folder, and anything uploaded since 2019 is not me. 

I appreciate 1.6 is likely unsustainable and vulnerable so could anyone advise what to do now?

- I am thinking first step is to delete all of these files and upload new files from the MyBB 1618 copy I have.

Much appreciate help and advice. 

Mods - apologies if this is in the wrong space and if so pls kindly move as appropriate.

Are you able to download MyBB 1.8.24? If so, upload all those files. Then go to /install/upgrade.php and it should automatically detect what old version you were on. It will then do all the upgrades, although it may take some time depending on how large your forum is.


RE: My Forum Was Hacked! - Matt - 2021-02-18

I mean, at this point the only thing to really do is get rid of all the files and upload everything fresh (just save things like the ./uploads/ folder and any plugins you've uploaded first - although, there could have been other files uploaded to these folders too). I suppose it would be easiest to download the whole site, replace it with fresh files, and then restore the few bits you need like uploads and plugin files.

You can check what the old version was in ./inc/class_core.php, and you can download old versions here: https://mybb.com/versions/ - then it can be upgraded if you wanted to do that.

There's probably not a lot the host can do about it though - if it was 1.6.4, this was released a few months short of a decade ago, so I can't imagine how many security vulnerabilities would have been fixed in that time (the same goes for WordPress too).
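
One way to run the comparison described in the post above on a downloaded copy of the site, as an added example (not code from MyBB or from anyone in this thread). It checks every file against a pristine release tree and against the marker strings quoted earlier; the function names, the extension list and the rule that the uploads folder should hold no PHP are assumptions, and the demo trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

MARKERS = (b"user_kuontol", b"idbte4m code87")  # strings quoted in the thread, lowercased
CONTENT_DIRS = ("uploads",)                     # user content: should hold no PHP (assumption)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file in a pristine release tree."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(site: Path, clean: Path) -> dict:
    """Classify every file in a downloaded site copy against the release."""
    known = manifest(clean)
    report = {"unknown": [], "modified": [], "php_in_content": [], "marker": []}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site).as_posix()
        data = path.read_bytes()
        if any(m in data.lower() for m in MARKERS):
            report["marker"].append(rel)
        if rel.split("/")[0] in CONTENT_DIRS:
            if rel.lower().endswith(PHP_EXT):
                report["php_in_content"].append(rel)  # script in an upload dir
        elif rel not in known:
            report["unknown"].append(rel)             # not shipped by the release
        elif hashlib.sha256(data).hexdigest() != known[rel]:
            report["modified"].append(rel)            # shipped file, altered
    return report


def demo() -> dict:
    """Run the audit on two small constructed trees (not real MyBB files)."""
    clean_files = {"index.php": "<?php // release", "inc/class_core.php": "<?php // core"}
    site_files = {"index.php": "<?php // IDBTE4M CODE87", "inc/class_core.php": "<?php // core",
                  "solution.php": "<?php $user_kuontol = 1;",
                  "uploads/avatars/a.php": "<?php", "uploads/avatars/a.png": "png"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean_files), ("site", site_files)):
            for rel, text in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
        return audit(Path(tmp, "site"), Path(tmp, "clean"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Installed plugins and the site's own configuration are not part of a release tree, so they will be listed as unknown or modified and need reviewing by hand before anything is restored.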


RE: My Forum Was Hacked! - Devilshakerz - 2021-02-18

For more detailed recovery instructions: https://docs.mybb.com/1.8/administration/security/recovery/ (some parts may not apply to MyBB 1.6.x)


RE: My Forum Was Hacked! - CucumberSalads - 2021-02-18

Thank you for your response (and others). Hosting support was useless - I need SSL and firewalls etc moving forward to prevent these types of attacks in future.

In terms of restoring this site to one that is "safe" and free from the dodgy files, if I download 1.8.24... to clarify, is it a case of uploading this to the server (and overwriting everything else) and then going to install/upgrade?

Would it save my theme and all the other information connected such as users, database etc.? I am no longer familiar with the technicalities of upgrading but of course I am trying to retain the design and legacy aspects of the site, whilst ridding this horrible hack.

BW


RE: My Forum Was Hacked! - dragonexpert - 2021-02-18

You would overwrite the files. Your theme, posts, users, etc. are stored in the database. You probably will have to get a new theme though for it to be compatible because 1.6 uses a different JavaScript library than 1.8. There are some good free themes in the extend section. Emerald is fairly popular.

If you want me to do the update for you I can, but I am going to eat lunch first so it would be an hour or so before I'd be able to start. If you want me to do so, you'll need to PM me FTP details and if you want a specific theme from the extend section installed.


RE: My Forum Was Hacked! - Omar G. - 2021-02-18

You could probably use your old theme in 1.8 if you keep the site on reading mode only (or only admins to login, etc), while you get your theme updated to 1.8 somehow for it to fully work.

Staying with 1.6 should be avoided at this point.


RE: My Forum Was Hacked! - CucumberSalads - 2021-02-19

Sorry for super slow reply.

So basically I was advised to move hosting. Was using a really old version of hosting with GoDaddy and so I have taken out a new hosting package with them which has PHP 7.

Sadly with that comes the major ball ache of migrating this site amongst others. Which is further complicated by the fact this site was built on older MyBB.

I've tried to back up the database through MyBB but it doesn't work successfully - just downloads a 4KB file.

I've been able to export the theme... tried uploading this to a test MyBB setup on the new hosting (before I migrate the old site) and it says spotted a security issue and can't use it. I think at this stage I am effectively screwed and will lose all the database / theme.

I am not so bothered about the theme but would want to keep the users/posts so it can be reopened in the future.

I also have to do WordPress migration for this site and a couple others. Not fun!


RE: My Forum Was Hacked! - dragonexpert - 2021-02-19

You should be able to back up the database using phpMyAdmin from your hosting panel.


RE: My Forum Was Hacked! - censor_deeznutz - 2021-02-19

Your concerns are genuine ;) Perhaps a target of, say: "hacked by Idbte4m Team" @ https://www.facebook.com/fp.idbte4m/


user_kuontol => "user_control" & IDBTE4M CODE87 => "IDBTE4M CodeMurder/Kill" are kinda a dead ringer; the rest, like "ht.access.bak" (ooh, be touching your .htaccess.bak), "annilhilatingf.php" (annihilating forum), craftedir.php (craft e directory), esguvjpk.php, "solution.php" (eventual ransom solution?) etc., are, say, potential secondary identifiers... just a few thoughts on such and just sayin...