Thread Rating:
  • 4 Vote(s) - 2 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Not Solved Bug
#1
Not Solved
As the title states, there may be a possible exploit in MyBB 1.6. Now please keep in mind my website contained a great deal of plugins, so some of them may actually be the root of the attack. Either way I wanted to inform MyBB of a possible intrusion in this version.

In 1.4 we had a similar exploit:

http://community.mybb.com/thread-59853.html

I you'll read the informational documentation we have up as of right now you'll see the attacker used a file titled inc_inc.php to gain access to our apache server. He did not get access to the server itself, however within the website he had free reign to do as he pleased. Right now we're going through log files to discover what mayor may not be the initial point of entry to this particular hack.

I'd like to ask for some help to assist in removing MyBB as the potential cause. Again, my website contained a great deal of plugins, any one of which could have been the cause. The only reason I'm bringing up MyBB is because my research on the file inc_inc.php revealed an earlier exploit in MyBB.

In an attempt to keep the hacker from returning to the server to remove any log files, I shut the server down entirely. We have all data backed up on a disc, if you would prefer we can upload them and resubmit them for you to review. I would like to only see if we can't take MyBB off the list of possible exploited software. After that we intend to find out which plugin was exploitable (we're realistically getting rid of most of the plugins installed).

http://greyhat-security.com/ethical-hack...emporarily

You can contact me at masterzufu-at-gmail-dot-com
Owner of Slavery Report | Our mission is to collaborate information to make a massive forceful impact against Human Trafficking world wide
#2
Not Solved
You run too many plugins. You shouldn't alarm the user base without any evidence the penetration was part of MyBB. The uploading of a shell could have been done in a number of ways.

Quote:I would like to only see if we can't take MyBB off the list of possible exploited software.

Where is this list? Because as far as I'm aware 1.6.2 has no known security flaws and is not listed in any major vulnerability list.
#3
Not Solved
Labrocca, I understand an accept your statement and I agree with them. However I also remember there was no vulnerability list for the last exploit in mybb. You're right, there could be any number of ways this site was exploited. As I myself said, I run too many plugins and any one of them could have been the point of entry. I am not in any means saying with any absolute that this is mybb at fault, I'm trying to exclude it from the list. The sole reason I'm pointing it out is because a prior mybb version had a similar attack conducted with it. I would just like help excluding MyBB. Currently we're having a bit of difficulty finding the exact point of entry because this guy had his hands in our pot for over two weeks before initializing the attack.
Owner of Slavery Report | Our mission is to collaborate information to make a massive forceful impact against Human Trafficking world wide
#4
Not Solved
If we saw 5-10 sites hacked that's one thing. But it's your site. Which has been hacked before numerous times. MyBB should be last on any list of software you check.

Quote:Currently we're having a bit of difficulty finding the exact point of entry because this guy had his hands in our pot for over two weeks before initializing the attack.

Fact is he might have had that shell installed for months when there was the vulnerability. Have you checked old backups? Some people wait a month or more so that logs are cleared making it harder to find how it was installed.
#5
Not Solved
(04-10-2011, 10:47 PM)labrocca Wrote: If we saw 5-10 sites hacked that's one thing. But it's your site. Which has been hacked before numerous times. MyBB should be last on any list of software you check.

My website has been hacked one time before in the past that has been unresolved, and it wasn't the one I have up now, which is a lot more secure than the one before it. (actually, irony presides that it was hacked with the last major exploit of mybb)

But you're right, if there were more websites that had been hacked in a similar way then absolutely it would be a problem...which is why I would like to turn your attention to the google search of the hacked page....in fact the hacker even lists the last few site's he's hacked, all happen to have been running the newest version of mybb:

http://www.whitehats.it/
http://www.elhacker.org/
http://www.r3m3mb3r-hackerz.com/forum/

I'm unsure if these were also hacked or they belong to the hackers. They were also listed on the defacement pages.
www.underatthack.org
www.kinginfet.net
www.rbt-4.net
www.mirkocalabrese.com

I'm quite sure if you do a google search with the information provided on the defaced home page you'll see that these are all mybb forums being hacked.


(04-10-2011, 10:47 PM)labrocca Wrote:
Quote:Currently we're having a bit of difficulty finding the exact point of entry because this guy had his hands in our pot for over two weeks before initializing the attack.

Fact is he might have had that shell installed for months when there was the vulnerability. Have you checked old backups? Some people wait a month or more so that logs are cleared making it harder to find how it was installed.

We're going through logs right now. Currently my sysadmin is in Australia and he's asleep at the moment, but he's been going through logs and backups since the attack happened. If it's been months then there are three database backups a day for mysql and there are (I think) one backup a day maybe, i'm not sure how many times apache backs up. We will continue looking though.

I'm not saying this is mybb's fault, please understand that. I'm trying to rule out that possibility, that is all. This is, however, in fact the first time ethical-hackers.org has ever been hacked.
Owner of Slavery Report | Our mission is to collaborate information to make a massive forceful impact against Human Trafficking world wide
#6
Not Solved
Mysql logs won't help you find out how a shell was installed.
#7
Not Solved
I know that. I'll have to get with my sysadmin to see how often apache backs up.
Owner of Slavery Report | Our mission is to collaborate information to make a massive forceful impact against Human Trafficking world wide
#8
Not Solved
Can I make a suggestion?

There should be an email for submitting vulnerabilities. Or a forum whereby users can post them but only mods can see them.

I work for a fairly large Software vendor and have worked for others in the past. When it comes to vulnerabilities this is how we do it

- Have a place where users can submit them
- Have a security team check and verify whether they exist
- Release a statement saying "A vulnerability has been detected in the software, we are working to patch this and this should be fixed by a security patch by xxxxx date.

- It is important NEVER to reveal the actual vulnerability and usually security firms who specialize in finding vulnerabilities will only report the details to the vendor.

The reason for this is, that you don't want it as public knowledge for the entire world to see. Not everyone will update their forums and if the vulnerability is found and public then it exposes your entire user base who are slow on the uptake to upgrade. Not everyone has an instant upgrade cycle.

Hope this helps.

#9
Not Solved
You can post it here:
http://community.mybb.com/forum-135.html
#10
Not Solved
please move this thread to that forum and if possible allow me access to the thread for continued communications, if that's not possible at least send me emails.
Owner of Slavery Report | Our mission is to collaborate information to make a massive forceful impact against Human Trafficking world wide


Forum Jump:


Users browsing this thread: 1 Guest(s)