Now, I may be getting paranoid here, but...
#1
Putting on my black hat for a second, assuming I got ftp or server access to a forum, I would edit config.php and add my uid as the new superadmin. Then I'd remove any other superadmins and log in to the forum ACP. All admins deleted, and I am in full control. Time to sit back and stroke my white cat.

Putting on my white hat, I'd want to be prepared for this, so I would have one or two 'sleeper' accounts in the database. Regular users, a few posts, nothing to attract attention.

So I come to log in as admin to find I've been hacked and locked out. I log in as one of my 'sleepers' and add a post. A bit like the /slap and /me functions, I have added something to /inc/class_parser.php so when I post "/super" on a line of its own, it writes my uid to the list of superadmins in config.php.

Anything wrong with this as a backdoor? I'm a php noob, so any clues or pointers gratefully received.

I know I could do the same thing via FTP, but wearing my black hat, I'd delete all FTP accounts bar my own...
#2
Super admins cannot be edited or deleted by other admins. Being a super admin doesn't automatically make you an admin, you still need to be a part of the admin usergroup.

If a hacker is smart they'll gain access without making any significant noise. If your forum does get hacked you should ask your webhost to disable your account and work with them to discover the source of the breach. Fix the issue, make sure they haven't added any backdoors, and alert your members to the breach.
No longer involved in the MyBB project.
#3
(2016-05-16, 04:07 PM)Nathan Malcolm Wrote: Super admins cannot be edited or deleted by other admins. Being a super admin doesn't automatically make you an admin, you still need to be a part of the admin usergroup.

If a hacker is smart they'll gain access without making any significant noise. If your forum does get hacked you should ask your webhost to disable your account and work with them to discover the source of the breach. Fix the issue, make sure they haven't added any backdoors, and alert your members to the breach.

Exactly. Especially the "alert your members to the breach" part - I've seen too many sites try to cover up and act natural, which is stupid.
#4
No way we'd try to cover up, I'm just looking for a fast way to get control back. Three admins, different parts of the country and the one with the ISP/hosting contract is the most technically challenged.

Right now, I'm trying to hack the /me code, but with limited success, though that's me being lousy at php. I can get it to pick up my UID, but I'm damned if I can make it write that to a test file for now...
#5
(2016-05-16, 06:27 PM)Wiggo Wrote: Right now, I'm trying to hack the /me code, but with limited success, though that's me being lousy at php. I can get it to pick up my UID, but I'm damned if I can make it write that to a test file for now...

Feel free to tinker, but it's not recommended to leave such backdoors in the source code - it would cause problems with updates if it's the core that's being modified; additionally, it would create another way of intrusion when somebody learns how it works (you're building a system that relies on obscurity).
You should focus on choosing a secure and trusted hosting provider and domain registrar, taking care of infrastructure management properly (up to date software, secure passwords/keys and so on, depending on whether you're running servers on your own) and monitoring.

When a third party gains access to your FTP account, taking care of a MyBB installation is not really a priority - you should rather deactivate channels that might have been compromised, disable web access to your websites and begin the recovery process.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
#6
(2016-05-16, 06:55 PM)Devilshakerz Wrote: When a third party gains access to your FTP account, taking care of a MyBB installation is not really a priority - you should rather deactivate channels that might have been compromised, disable web access to your websites and begin the recovery process.

This, a hundred times over. If a hacker gains FTP or shell access, all bets are off.
#7
Why not just make frequent backups? I have backups automated for every 15 minutes beyond several other strict security measures including (but not limited to):

* SSH Locked to Specific IP
* HTTPS/HTTP only connectable by CloudFlare
* No Publicly Available Ports
(These measures are enforced by an external firewall.)

The backups are sent offsite.

You shouldn't need a backdoor. You should only need frequent backups. Also use secure passwords. It'll save you a lot of time.
Software Engineer specializing in C# Program Development