Posts: 44
Threads: 13
Joined: Jun 2018
Reputation: 0
Last night, my forum was compromised by a group I only know to be called ./Payload.sh. They gained access to both my own and my moderator's account, although how I do not know. I do not know yet what else they have managed to do.
Can anyone assist me on how this happened and what I can do to prevent it? I've never had this happen before, so I'm really panicked.
https://universalgaming.net/index.php
Posts: 37,500
Threads: 399
Joined: Apr 2008
Reputation: 773
2021-08-04, 12:46 PM
(This post was last modified: 2021-08-04, 12:46 PM by Matt. Edited 1 time in total.)
You would need to work with your host to see if there are any logs that may give some insight as to how they got in. Assuming you're on the latest version of MyBB, there are no known vulnerabilities. It would also be worth checking that all your plugins are up to date and, if they're not, seeing if any have had security fixes.
It would also be worth following these steps: https://docs.mybb.com/1.8/administration.../recovery/
Posts: 44
Threads: 13
Joined: Jun 2018
Reputation: 0
According to my wife, Payload is a script, so I guess they used that and went from there.
Posts: 37,500
Threads: 399
Joined: Apr 2008
Reputation: 773
There would still need to be some sort of entry point to the forum that they've used, and server logs may have information that points to what they actually did to get access.
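Matt's advice in both posts above is to work through the host's access logs. As an added example that is not from the thread, from MyBB or from any of its plugins, the following Python script triages constructed Apache combined-format log lines and reports login, Admin CP and Moderator CP requests from addresses other than the admin's usual one; the sample lines and the trusted address are both assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format; these are not
# real entries from the forum in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Aug/2021:23:58:10 +0000] "POST /member.php?action=do_login HTTP/1.1" 302 512 "-" "curl/7.68.0"
203.0.113.5 - - [03/Aug/2021:23:58:12 +0000] "GET /admin/index.php HTTP/1.1" 200 20480 "-" "curl/7.68.0"
203.0.113.5 - - [03/Aug/2021:23:58:14 +0000] "POST /modcp.php?action=do_editprofile HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [04/Aug/2021:09:15:01 +0000] "GET /admin/index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Aug/2021:09:20:30 +0000] "GET /showthread.php?tid=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# One "combined" format line: client IP, identd, user, [timestamp], "request",
# status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths that imply authentication or privileged activity on a MyBB install:
# the login handler, the Admin CP and the Moderator CP.
SENSITIVE = ("action=do_login", "/admin/", "/modcp.php")

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, trusted_ips):
    """Return (findings, per_ip): sensitive requests from IPs outside the
    trusted set, and a count of sensitive requests per IP so that a burst of
    privileged activity from a single address stands out."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not any(s in rec["path"] for s in SENSITIVE):
            continue
        per_ip[rec["ip"]] += 1
        if rec["ip"] not in trusted_ips:
            findings.append((rec["ts"], rec["ip"], rec["method"], rec["path"],
                             rec["status"], rec["ua"]))
    return findings, per_ip

if __name__ == "__main__":
    # Assumed for the example: 198.51.100.7 is the admin's usual address.
    hits, counts = triage(SAMPLE_LOG, trusted_ips={"198.51.100.7"})
    print(hits)
    print(dict(counts))
```

Feed it the real access log from the host and the admin's known addresses instead of the constructed values; the first unfamiliar address hitting the login handler shortly before Admin CP or Moderator CP traffic is the entry point to look at.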
Posts: 44
Threads: 13
Joined: Jun 2018
Reputation: 0
Okay. I tried finding logs myself but so far haven't had much luck so I contacted my host. Thank you.
Posts: 9,370
Threads: 376
Joined: Jan 2010
Reputation: 489
If you want, drop a list of your plugins here; it is not uncommon for private/non-public plugins to be found vulnerable.
Posts: 44
Threads: 13
Joined: Jun 2018
Reputation: 0
As far as I know they're all up to date now, but this is what I have:
MentionMe (3.2.12)
MyAlerts (2.0.4)
NewPoints (2.1.1)
Online Today (2.0.4)
OUGC Awards (1.8.22)
Page Manager (2.1.3)
Warn about new posts (1.0)
Spoiler MyCode (1.8.2)
Thread Description (1.3)
Upcoming Events (1.2)
Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user.
Posts: 9,370
Threads: 376
Joined: Jan 2010
Reputation: 489
2021-08-04, 08:55 PM
(This post was last modified: 2021-08-04, 08:56 PM by Omar G..)
Which Newpoints plugins do you use? Could you share all your Page Manager pages?
I fixed the following in my OUGC Awards plugin (should be fixed in 1.8.22):
https://github.com/Sama34/OUGC-Awards/co...26b92c3432
But this would only be a threat if you don't trust your moderators, as they are the only ones that can assign a custom "reason" for awards.
Posts: 9,370
Threads: 376
Joined: Jan 2010
Reputation: 489
2021-08-04, 08:58 PM
(This post was last modified: 2021-08-04, 08:59 PM by Omar G..)
(2021-08-04, 08:34 PM)Moonface Wrote: Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user. 
Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".
But please note, for the moderator to exploit this the moderator account should have been compromised first or the moderator should have been untrustworthy from the beginning; no bug found in the plugin up to today would grant access to accounts in any way.
Posts: 44
Threads: 13
Joined: Jun 2018
Reputation: 0
(2021-08-04, 08:55 PM)Omar G. Wrote: Which Newpoints plugins do you use? Could you share all your Page Manager pages?
I fixed the following in my OUGC Awards plugin (should be fixed in 1.8.22):
https://github.com/Sama34/OUGC-Awards/co...26b92c3432
But this would only be a threat if you don't trust your moderators, as they are the only ones that can assign a custom "reason" for awards.
I only use the standard currency for Newpoints. It doesn't have any other plugins in use on the Newpoints Plugins page.
(2021-08-04, 08:58 PM)Omar G. Wrote: (2021-08-04, 08:34 PM)Moonface Wrote: Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user.
Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".
But please note, for the moderator to exploit this the moderator account should have been compromised first or the moderator should have been untrustworthy from the beginning; no bug found in the plugin up to today would grant access to accounts in any way.
Well, my moderator is my wife so I can definitely attest she is trustworthy, plus she was not online when her account was compromised. Where can I find the DB rows exactly (I'm still not very tech savvy with looking inside databases), and would the ones they had prior to the attack suffice? I removed all the extra awards they were granted during the attack.
If it's of any help, this was the website linked back to during the attack: https://payload.sh/