Forum recovery after hacked
#1
Hi, my forum has been hacked; all index.php files had been replaced by the hacker.

Unfortunately I run MyBB 1.6, and I want to replace all files with clean new ones. Can I just replace all files with MyBB 1.8? Can I just delete the 1.6 files and replace them with 1.8? How about config.php?


Quote:To ensure that your MyBB installation is clean and no extra files have been added, you should delete all your files and upload a fresh copy of the latest version of MyBB. You only really need to backup your inc/config.php file. And even that should be double checked against the default structure of the file. Pay attention to your database details specifically, as well as your admin directory, super admins, etc.
If you have a lot of plugins, images, language packs or custom modifications, you should create a full backup and upload these things later on. Note that it is possible that a vulnerability lies within these files, so make sure to review them carefully. In the future consider using the Patches plugin to edit all of the core files. This makes it incredibly easy to restore patches when you’re upgrading or replacing files.
Deleting the files and re-uploading a fresh copy of MyBB also has the benefit of updating to the latest code. If you were running an older version of MyBB - which is why most forums get hacked - you will now be running on code free of any known vulnerabilities. To upgrade your forum, if it wasn’t the latest version, follow the Upgrade documentation.
#2
You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.

Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#3
Some advice for the future:

Use an ACP pin. (A LONG ONE WITH RANDOM CHARACTERS)

Use a security log plugin to check if someone is trying to crack your board.

Don't use 1.6 ever. Ever!

Change your max password length to 255 characters and use randomly typed passwords stored in a cryptographically secure password wallet.

That way you can use a not-so-hard-to-remember string of letters and numbers as a 12 character password that will give your passwords 2048 bit strength protection, making them nearly impossible to brute force.

You could also use a JavaScript password generator; just add your own salt to it and make sure it's exactly 255 characters using Notepad or something.
#4
(2016-09-19, 05:00 AM)Josh H. Wrote: You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.

Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).

How about the /uploads folder? I want to retain attachments.

Edit: well, I have another problem, I can't log in to the ACP. Will it be okay? Can I log in later when upgrading?
#5
(2016-09-19, 07:45 AM)zukro Wrote:
(2016-09-19, 05:00 AM)Josh H. Wrote: You can replace all the files with 1.8 versions and run the upgrade script, but make sure you're prepared to find an upgraded theme and plugin versions that will run on 1.8.

Leave config.php as it is right now (make sure to change DB credentials though - assume they're compromised). The upgrader should(?) handle making any necessary changes (though I don't think any are needed until the upcoming 1.8.8 release any time now).

How about the /uploads folder? I want to retain attachments.

Edit: well, I have another problem, I can't log in to the ACP. Will it be okay? Can I log in later when upgrading?

WTF do you mean you can't log in to the ACP?

Change your ACP pin and admin password!!!!
#6
Update: Successfully upgraded to 1.8; all threads, posts and attachments are intact.

I am doing File Verification, and found two problems. Two files have been changed, but I never did that; I did a fresh upgrade, downloaded directly from https://mybb.com/download

inc/functions_upload.php

inc/class_feedparser.php


Does it mean someone (hacker) has changed these two files?

Another problem is that there are still plugin settings from the previous installation, although all of the plugin files have been removed.

How can I remove these plugin settings?
#7
Quote:Does it mean someone (hacker) has changed these two files?

It just means the files don't match what they are supposed to be. You can re-upload individual files by finding the file on GitHub.

Functions Upload: https://github.com/mybb/mybb/blob/featur...upload.php
Class Feedparser: https://github.com/mybb/mybb/blob/featur...parser.php
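Added example, not from this thread and not MyBB's own File Verification tool: a POSIX shell script that does what dragonexpert describes, comparing each file of the deployed forum against a freshly extracted, known-good copy of the same release by SHA-256, and also listing files that exist only in the deployment (the "extra files" the quoted advice in post #1 warns about). The two directory paths are assumptions; the sample trees built by build_sample_trees are constructed so the script runs offline, and their file names only echo the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not MyBB's own File Verification): compare a deployed forum
# tree against a freshly extracted, known-good copy of the same release.
# The two directory paths are assumptions; the sample trees are constructed.

set -u

# hash_file FILE: SHA-256 hex digest, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_trees REFERENCE DEPLOYED: one line per discrepancy.
#   changed <path>  content differs from the reference release
#   missing <path>  present in the reference, absent from the deployment
#   extra   <path>  present in the deployment only (where planted files show up)
compare_trees() {
    ref="$1"
    dep="$2"
    (cd "$ref" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$dep/$f" ]; then
            echo "missing $f"
        elif [ "$(hash_file "$ref/$f")" != "$(hash_file "$dep/$f")" ]; then
            echo "changed $f"
        fi
    done
    (cd "$dep" && find . -type f | sort) | while IFS= read -r f; do
        [ -f "$ref/$f" ] || echo "extra $f"
    done
}

# build_sample_trees: constructed reference and deployed trees that exercise
# all three cases. Prints "REFERENCE DEPLOYED" on one line.
build_sample_trees() {
    ref=$(mktemp -d)
    dep=$(mktemp -d)
    for d in "$ref" "$dep"; do
        mkdir -p "$d/inc"
        printf '<?php\n// constructed stand-in, identical in both trees\n' > "$d/inc/functions.php"
    done
    printf '<?php\n// reference copy\n' > "$ref/inc/class_feedparser.php"
    printf '<?php\n// reference copy\n// one appended line\n' > "$dep/inc/class_feedparser.php"
    printf '<?php\n// present in the release only\n' > "$ref/index.php"
    mkdir -p "$dep/uploads"
    printf '<?php\n// not part of any release\n' > "$dep/uploads/cache.php"
    printf '%s %s\n' "$ref" "$dep"
}

# Usage: sh verify.sh /path/to/extracted/mybb /path/to/deployed/forum
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Run it against the unzipped release archive and the live document root; every "changed" or "extra" line is something to inspect by hand before deciding whether it is a legitimate plugin edit or something planted, and inc/config.php is expected to differ.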
#8
(2016-09-19, 09:26 PM)dragonexpert Wrote:
Quote:Does it mean someone (hacker) has changed these two files?

It just means the files don't match what they are supposed to be. You can re-upload individual files by finding the file on GitHub.

Functions Upload: https://github.com/mybb/mybb/blob/featur...upload.php
Class Feedparser: https://github.com/mybb/mybb/blob/featur...parser.php

So, do I have to re-upload files from those links? Or files from https://resources.mybb.com/downloads/mybb_1807.zip ?

(2016-09-19, 09:46 AM)alfred702 Wrote: WTF do you mean you can't log in to the ACP?

Change your ACP pin and admin password!!!!

Well, the hacker replaced index.php in my ADMIN acp folder too.

Now I can log in.
#9
(2016-09-19, 09:50 PM)zukro Wrote: Well, the hacker replaced index.php in my ADMIN acp folder too.

Now I can log in.

Reset your passwords for cPanel (if applicable), server passwords (if applicable), all admin users, and any database users ASAP. If they had file access to modify it after you uploaded files, it seems that something is still compromised.

If you have access to a bash/zsh/anything-not-Windows CLI, run a grep -inR forum_path/ "base64_decode" and the same thing for "eval" and see if there are any lines that look oddly obfuscated and not like normal MyBB code. These two things will most likely help you identify any web shells if you find anomalies. Feel free to post here or PM me if you have any questions.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
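Added example, not code from this thread or from MyBB: the grep idea in Josh H.'s post wrapped in a small POSIX shell script (with grep's pattern argument placed before the path), extended with two further strings that commonly accompany base64_decode and eval in obfuscated PHP. The forum path passed as the first argument is an assumption, and the sample tree built by build_sample_tree is constructed so the script can be run offline; the planted file decodes only a harmless marker string.

```shell
#!/bin/sh
# Added example, not from the thread or from MyBB: a small scanner built on the
# grep idea above. The forum path (first argument) is an assumption; the tree
# built by build_sample_tree is constructed so the script runs offline.

set -u

# Patterns that are rare in legitimate MyBB core code but common in PHP web
# shells: the two from the post plus two frequent companions. Extended regex.
SUSPICIOUS_RE='base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13'

# scan_php_tree DIR: print "file:line:text" for every hit under DIR.
# Review each hit by hand; a match is a lead, not a verdict.
scan_php_tree() {
    grep -inRE --include='*.php' "$SUSPICIOUS_RE" "$1"
}

# count_hits DIR: number of matching lines under DIR (0 when clean).
count_hits() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# build_sample_tree: constructed tree with one ordinary file and one planted
# file shaped like an obfuscated dropper. Prints the tree's path.
build_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/inc" "$tmp/uploads"
    cat > "$tmp/inc/functions_sample.php" <<'EOF'
<?php
// constructed stand-in for ordinary forum code
function my_lower($s) { return strtolower($s); }
EOF
    cat > "$tmp/uploads/cache.php" <<'EOF'
<?php
// constructed: decodes a harmless marker string ("constructed sample")
$payload = base64_decode("Y29uc3RydWN0ZWQgc2FtcGxl");
@eval($payload);
EOF
    printf '%s\n' "$tmp"
}

# Usage: sh scan.sh /path/to/forum
if [ "${1:-}" != "" ]; then
    scan_php_tree "$1"
fi
```

Expect a few legitimate hits in a real tree (MyBB itself calls base64_decode in places), so read the surrounding code rather than counting matches; a long single line of encoded text, especially under uploads/ or cache/, is what stands out.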
#10
(2016-09-19, 10:12 PM)Josh H. Wrote: Reset your passwords for cPanel (if applicable), server passwords (if applicable), all admin users, and any database users ASAP. If they had file access to modify it after you uploaded files, it seems that something is still compromised.

If you have access to a bash/zsh/anything-not-Windows CLI, run a grep -inR forum_path/ "base64_decode" and the same thing for "eval" and see if there are any lines that look oddly obfuscated and not like normal MyBB code. These two things will most likely help you identify any web shells if you find anomalies. Feel free to post here or PM me if you have any questions.

Unfortunately I only have FTP access, I'll tell that to our server admin.


inc/functions_upload.php 
inc/functions.php 
inc/class_feedparser.php

I am doing file verification again, and now there are 3 files changed.

What I've done, is installing plugins. Does installing plugins change inc/functions.php ?

Note: Now my forum is in offline mode; I restrict access using .htaccess.

