Not Solved Mybb security issue!
#1
Not Solved
Dear folks, 

Actually Im getting attack on mybb 1.8.19
Here how things appears: 

Member is offline, (user Cpanel) but he is online less than one min.
If i search logs of the same member, I see he is hitting unreadPosts:
this in the last few hrs for unreaded posts: 48876 55.93% 1215 4.39%    4.58 MiB GET  HTTP/1.1 /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Over 500 members are effected with being offline and showing online less than one min.
Note that, there IP's still showing the original one!

Now, If I change any of these members password, he will not able to keep showing online less than a minute.

Also I would like to ask about task.php 
what is this file used for and is it normal for it to be accessed by forum visitors directly (I see it in access.log).

Kindly advice.
https://mhhauto.com
World's most trustworthy automotive forum!
Reply
#2
Not Solved
task.php should not be used by forum visitors, they won't be able to access it.

You are probably using unread posts plugin by Lucas. It might be possible that plugin may be vulnerable, can you try disabling the plugin for time being and see if you are getting same attack ? This seems like a case of DDOS to me.
Reply
#3
Not Solved
I disabled/uninstall this plugin but no change!

URI /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Still under attack!

Best regards.
https://mhhauto.com
World's most trustworthy automotive forum!
Reply
#4
Not Solved
This user has been denied support. This user has been denied support.
(2019-01-30, 02:57 PM)mhh_rabih Wrote: Also I would like to ask about task.php 
what is this file used for and is it normal for it to be accessed by forum visitors directly (I see it in access.log).

It's normal, it's how PHP task systems work in lieu of a real cron functionality. Tasks are run by piggy-backing on user visit requests. If nobody visits your site (or you remove task.php from the user templates), tasks will not run.


(2019-01-30, 06:50 PM)mhh_rabih Wrote: I disabled/uninstall this plugin but no change!

URI /xmlhttp.php?action=unreadPosts_getUnreads&fid0

Still under attack!

Best regards.

You can't stop people from sending requests to your webserver.

If you don't like it you have to start banning IP (on firewall or webserver level, not just in the admin cp).
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)