Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
I have been hacked
#1
Please don't post the link to the 7 pages of code, because I have already read through it, downloaded the MyBB 1604 patch and went to my site's ftp.

I have looked high and low for the " ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
•Remove the ./install/ folder " and have not found either.

The instructions say if you don't find them, you don't have it. But, something has happened as I have had numerous people write and tell me that their virus is alerting them or they are being redirected to other pages.

PLEASE help as I have 3 instances of MyBB running and this is my work and not a livelihood.

http://bransonmo65616.com/forum
http://mrhermancain.com/forum
http://tablerocksound.com/forum

The first is the only forum I have been notified about. If I need to take the others offline to protect them, please let me know.

I am really lost here and need some help.

Thank you, Mike
#2
Ignore the "./". On Unix systems that refers to the current working directory, i.e. where MyBB is installed.
No longer involved in the MyBB project.
#3
Malcolm,

I have just replaced the index.php with the downloaded file (last mod date 7-28) and deleted the install folder. Is that all there is to it?

(Trust me, I am literally flipping out at this moment....)
#4
Follow the steps in this thread to check for other issues: http://community.mybb.com/thread-105780.html

No longer involved in the MyBB project.
#5
you need to run the File Verification Tool from the tools and Maintenance tab. then manually review your /inc/config.php and then delete /inc/settings.php
Lost interest, sold my sites, will browse here once in a while. It's been fun.
#6
I will try but honestly have no idea what any of this means. Am I literally the only person out here that is clueless about the steps mentioned?

(And yes, I see that all 3 of my forums have been hit with the same Oct. 12th file modification)

Man, what a catastrophe....
Also, another thing. Since I am seeing the file index.php was changed on the 12th of Oct. wouldn't I be able to restore from a previous backup and then install the latest index.php file and delete the install folder without looking through all of these other files?

The reason I am asking is because I don't know how to perform the other minutia review steps outlined on the hack thread.
So I ran the file verification tool and it listed a ton of files that have been changed, most notably the install folder (which is now deleted and understandable) as well as these 4

archive/index.php

Changed



inc/functions.php

Changed



admin/modules/home/index.php

Changed



admin/index.php

Changed



showthread.php

Changed
#7
Go to your ACP, the click Tools and Maintenance tab at the top, then click File Verification on the left menu. Click Yes and wait for the output. If anything is listed as Changed and you have not edited the file, then download the latest MyBB and upload those files.

Then open your FTP client and go to where your forum is installed and go to the 'inc" folder and find settings.php and then delete it. the find config.php and "edit" it and scan the code for anything that does not look like the example at http://wiki.mybb.com/index.php/Inc/config.php
Lost interest, sold my sites, will browse here once in a while. It's been fun.
#8
THANK YOU!!!!!!!

I sincerely hope my thread will help others with this.

THANK YOU AGAIN AND AGAIN!!!

God, this is going to sound egregously stupid, but I am looking at the sample and my config.php and they look nothing alike.

Even the sample length is wildly different.

Is it possible for me just to copy the example config.php file and upload it? Quite literally, the entire file is a mishmash
#9
do you have Google SEO installed? If not, then just upload the files from a new download. The reason you can not use a backup for the files is that the original files are compromised and the latest download is clean.
Lost interest, sold my sites, will browse here once in a while. It's been fun.
#10
Ahh got it.

Yes, I have Google SEO installed (Honestly, wouldn't matter to me if it was or wasn't - doesn't appear to be doing anything for my site whatsoever)

If I uninstall GSEO - would I then be able to upload the config.php and get back into operation?

I notice my config (the one that is compromised) has my user name (wrong) and password (wrong) in the config file. Plus a TON of javascript code attached at the bottom. That is why I would just like to upload the clean one.


Forum Jump:


Users browsing this thread: 1 Guest(s)