Security Hole in MyBB 1.4.6 Forum Software – Many Forums Hacked and Deleted
This is just a heads up for all the people out there who run MyBB forums on their websites: watch out. Quite a few technology websites, and others, have been hacked through their forums.
Apparently the hole in MyBB had been known about for some time, but until now no one had really taken advantage of it. Now someone has, in what looks like some sort of synchronized hack.
Many websites seemed to be targeted by Iranian hackers who made comments on Barack Obama and George Bush.
Most of the people’s websites were completely deleted, some have backups and some don’t.
MyBB have released an update so if you run a MyBB forum, UPDATE NOW!
They have also posted some tips on their website for what you should do if you have been hacked:
What to do if you get hacked
If you were on a MyBB release BEFORE OR EQUAL TO 1.4.6
– Make sure that no new admin accounts have been made, delete them immediately if there are any.
– Look in your ./cache/themes/ folder, if you see a file called themes.php, please delete it.
—- One user reported that the themes.php backdoor was used to create additional php files in the cache/theme folders. Since no such file belongs there they should all be deleted – frostschutz
– Reupload your ./index.php file and revert your index template to default.
– Follow the rest of the general post-hack steps below.
If you were on a MyBB release AFTER 1.4.6
Upgrade to most recent release
Upgrading to the most recent release won’t solve the results of you being hacked, but it will make sure your forum is secure. [Wiki: Upgrading]
Reset passwords
Once you are able to, you should immediately change your forum password, and also the password to your database. This is to make sure that the hacker can’t just login to anything again, new passwords mean they’re back to where they were before. If you change your database password you will need to update it in ./inc/config.php too.
Check for new users
Check all new users registered after the time the hacker gained access to the forum; there may be a chance one of them has been added to a group with ModCP or ACP access, or they may have even created a new usergroup for a user. If you see anything like this, delete it.
Reupload all files
Download the MyBB package, and upload all of the MyBB files, except ./inc/settings.php. This will make sure that all of your files are clean, and there isn’t any malicious code in any of them. Make a note of any file changes you have made before doing this, though, so you can make them again after. This process will also make sure you have all the most recent files; you may have missed an important file in a security upgrade which contained the exploit that was used to hack you.
Check your CHMOD permissions
Check your CHMOD permissions after you have reuploaded the files. Make sure you’re not giving files or folders extra permissions that they don’t need. [Wiki: CHMOD_Files]
Delete settings.php
Head to your ./inc/ folder and download your copy of settings.php… and then delete it from your server. It will be generated again, with the correct values from the database, and then we’ll know it’s a clean copy of the file, with no malicious code. You may need to click around on the forum a bit to get it to regenerate; the downloaded file is there so you can upload it again should it fail to regenerate automatically.
Rebuild config.php
You can manually remake your config.php to make sure it’s clean. Use this code ([Wiki: Inc/config.php]) to rebuild the file, and enter in your database details. Also make sure you change any other settings you need to, for example, the admin directory, hiding ACP links, or super admins.
Check your templates for malicious code
A common result of being hacked is having malicious code added to your templates, meaning it’s executed whenever a page is loaded. A common place for code to be added is the header, headerinclude, index, and footer template, as these templates are loaded the most. Check all templates, however, that aren’t default (have their name in green) and remove any code that isn’t supposed to be there. It’s usually in <script> tags and is usually a load of random numbers and letters. This should be removed as soon as possible.
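Two of the checks above can be scripted: listing PHP files under ./cache/themes/ and flagging templates whose <script> blocks hold long runs of random-looking characters. The following is an added example, not code from MyBB or from the original post; the function names, the 40-character threshold, and the sample tree and templates are assumptions constructed for illustration, and templates are assumed to have been exported from the database as name/HTML pairs.

```python
import re
import tempfile
from pathlib import Path

# Templates the page names as the most common injection points.
HOT_TEMPLATES = ("header", "headerinclude", "index", "footer")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Heuristic threshold (assumption): 40+ unbroken letters/digits inside a script body.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=%]{40,}")

def php_in_theme_cache(forum_root):
    """List every PHP file under ./cache/themes/; per the page, none belongs there."""
    root = Path(forum_root)
    cache = root / "cache" / "themes"
    if not cache.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in cache.rglob("*")
                  if p.is_file() and p.suffix.lower().startswith(".php"))

def suspicious_templates(templates):
    """templates: {name: html}. Return (name, first 20 chars) for opaque script payloads."""
    hits = [(name, m.group(0)[:20])
            for name, html in templates.items()
            for body in SCRIPT_RE.findall(html)
            for m in [BLOB_RE.search(body)] if m]
    # Most-loaded templates first, then alphabetical.
    return sorted(hits, key=lambda h: (h[0] not in HOT_TEMPLATES, h[0]))

def build_sample_forum(tmp):
    """Constructed directory tree standing in for a forum root (not real data)."""
    themes = Path(tmp) / "cache" / "themes"
    (themes / "theme1").mkdir(parents=True)
    (themes / "theme1" / "global.css").write_text("body{}")
    (themes / "themes.php").write_text("<?php /* placeholder */ ?>")
    (themes / "theme1" / "extra.php").write_text("<?php /* placeholder */ ?>")
    return Path(tmp)

# Constructed template bodies; on a live forum these would be exported from the database.
SAMPLE_TEMPLATES = {
    "custom_box": "<p>hello</p>",
    "index": '<script type="text/javascript" src="example.js"></script>',
    "footer": "<div>footer</div><script>var a='" + "4a6f" * 15 + "';</script>",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(php_in_theme_cache(build_sample_forum(tmp)))
    print(suspicious_templates(SAMPLE_TEMPLATES))
```

The template check is a heuristic for triage only: every flagged template still needs to be read by hand, and a clean result does not replace reviewing all non-default templates.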
This is just a warning, people! Take heed of it! For all the website owners that I have hacked, I sympathize with you and hope you all get it working again!
© 2009, Webmaster Blog. All rights reserved. On republishing this post you must provide link to original post.