[Help] Mybb 1.8.6 Deface
#1
Please, my MyBB got defaced. How do I remove the backdoor? I've tried searching but have not found anything.
MyBB URL: http://forum.idbackbox.org/~kakiten1/51.htm


[Image: Screenshot_021015_13_27_14.png]
#2
The given forum URL is not a regular page of MyBB. The forum itself is looking fine.
Can you elaborate on the issue? Did the defacer contact you and give you that specific URL?
#3
(2015-10-02, 06:43 AM).m. Wrote: The given forum URL is not a regular page of MyBB. The forum itself is looking fine.
Can you elaborate on the issue? Did the defacer contact you and give you that specific URL?

Is this an HTML injection technique?
#4
Quote: Did the defacer contact you and give you that specific URL?
If it was a regular forum page, then what exactly did you have at that URL? (forum/~kakiten1/51.htm)
#5
I do not know what the defacer gave, and I do not have the URL. Sorry if my English is bad.
#6
I would reset the hosting account, export the database, reinstall MyBB, reupload themes and plugins, import the database and make sure that nobody else has admin access besides me (make sure that, for example, the banned user group didn't get admin access). You can't re-use any of the old PHP files, and if you have to reuse custom images I'd scan them before reuploading.
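The admin-access check from post #6, as an added example that is not part of the thread or MyBB's own code: it lists banned groups that can open the Admin CP and every account with Admin CP rights that is not on your expected list. Table and column names (`mybb_usergroups.cancp`, `isbannedgroup`, `mybb_users.additionalgroups`) are assumed from a stock MyBB 1.8 schema with the default prefix, and the rows are constructed sample data loaded into SQLite.

```python
import sqlite3

# Constructed sample data. Table/column names are assumed from a stock MyBB 1.8
# schema with the default "mybb_" prefix; check them against your own export.
SAMPLE_SQL = """
CREATE TABLE mybb_usergroups (gid INTEGER PRIMARY KEY, title TEXT,
                              cancp INTEGER, isbannedgroup INTEGER);
CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, username TEXT,
                         usergroup INTEGER, additionalgroups TEXT);
INSERT INTO mybb_usergroups VALUES
  (2, 'Registered', 0, 0), (4, 'Administrators', 1, 0),
  (7, 'Banned', 1, 1);          -- tampered: banned group may open the Admin CP
INSERT INTO mybb_users VALUES
  (1, 'owner', 4, ''), (2, 'alice', 2, ''),
  (3, 'mallory', 7, ''),        -- "banned" account riding the tampered group
  (4, 'helper', 2, '4');        -- admin rights hidden in additionalgroups
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def audit_admin_access(conn, expected_admins):
    """Return (banned groups with Admin CP access, unexpected admin usernames)."""
    groups = conn.execute(
        "SELECT gid, title, cancp, isbannedgroup FROM mybb_usergroups").fetchall()
    cp_gids = {gid for gid, _, cancp, _ in groups if cancp}
    bad_groups = sorted(t for _, t, cancp, banned in groups if cancp and banned)
    unexpected = []
    users = conn.execute(
        "SELECT username, usergroup, additionalgroups FROM mybb_users")
    for name, primary, extra in users:
        # additionalgroups is a comma-separated list of group ids
        member_of = {primary} | {int(g) for g in (extra or "").split(",")
                                 if g.strip().isdigit()}
        if member_of & cp_gids and name not in expected_admins:
            unexpected.append(name)
    return bad_groups, sorted(unexpected)


if __name__ == "__main__":
    print(audit_admin_access(open_sample_db(), {"owner"}))
```

Run the same two SELECT statements against the exported database before re-importing it, so a tampered group or account is not carried into the fresh install.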
#7
This is a fake root technique, so the shell is not on my server but on other servers.

(2015-10-02, 08:33 AM)SentoWeb Wrote: I would reset the hosting account, export the database, reinstall MyBB, reupload themes and plugins, import the database and make sure that nobody else has admin access besides me (make sure that, for example, the banned user group didn't get admin access). You can't re-use any of the old PHP files, and if you have to reuse custom images I'd scan them before reuploading.

I've been doing it that way but I cannot. http://forum.idbackbox.org/~kakiten1/
#8
(2015-10-03, 12:37 AM)idbackbox Wrote: This is a fake root technique, so the shell is not on my server but on other servers.

(2015-10-02, 08:33 AM)SentoWeb Wrote: I would reset the hosting account, export the database, reinstall MyBB, reupload themes and plugins, import the database and make sure that nobody else has admin access besides me (make sure that, for example, the banned user group didn't get admin access). You can't re-use any of the old PHP files, and if you have to reuse custom images I'd scan them before reuploading.

I've been doing it that way but I cannot. http://forum.idbackbox.org/~kakiten1/

Fake root really sounds like just another fancy word for backdoor.

Can you describe why you can't reupload the site? Are you not able to start the setup?

http://forum.idbackbox.org/~kakiten1/

kakiten1 seems like an account on this server which doesn't have a working domain at the moment. Is it yours? Is it legitimate?

Is http://forum.idbackbox.org your website (I think not)? Is http://forum.idbackbox.org hosted on the same server as your website?

There are many missing pieces and you are not providing too much information.

You have to get rid of the hosting account; any leftover configuration can prevent you from properly reinstalling MyBB, or give the attacker access. If you haven't used potentially unsafe 3rd-party extensions, you are better off moving to a different host; for all we know it might be something with their system (misconfigured guest FTP, leftover account, easily brute-forceable SSH access and so on).

I would also advise you to check your own OS, the attacker could have stolen the login details via a keylogger. I'd advise you to run Malwarebytes and AVG to see if anything is found.
#9
If you are on cPanel shared hosting, then you have nothing to worry about, because if 2 sites are on the cPanel server, then you can put /~TheirCpanelUsername at the end of any site on the shared hosting and it will show the content they have hosted. They probably bought shared hosting where you have it and then it got put on the same server as your site.

Don't let script kiddies like them scare you with stuff like this.
#10
http://docs.mybb.com/1.8/administration/.../recovery/

A good start.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)