My Mybb 1.6 Forum hacked?
#1
I was browsing my forums yesterday when I received a PM from some random username. Firstly, his group was Administrator, and he was mocking me.

I'm really starting to doubt the secureness of MyBB 1.6.

On a further Google search I found some XSS exploit for MyBB 1.6. It was from August, so it might be patched now.

Could it be MyBB or the host server?

PS: Sorry, wrong forum I guess. Staff, please move it to support.
Reply
#2
Anything is hackable. Just get his IP and block it. Best you can do. Then get a plugin to block known spammers / VPNs.
Reply
#3
I haven't got hacked since the day I started using MyBB. Maybe it was your host, or you are using a guessable password.
Reply
#4
(Dec 05, 2010, 03:21 PM)Naix Wrote: I'm really starting to doubt the secureness of MyBB 1.6.

Doubt away, there are no known issues that would enable somebody to do this. You realise plugins can be insecure?? You realise hosts could be insecure?? I assume you're on a shared host; if any one of the potentially hundreds of sites that are hosted on your server gets hacked, the hacker could potentially root the server and get access to all of them.

(Dec 05, 2010, 03:21 PM)Naix Wrote: On a further Google search I found some XSS exploit for MyBB 1.6. It was from August, so it might be patched now.

That vulnerability is bogus. There's a check for the post key for every POST request anyway. One of the examples there is that there's no check for adding a forum, but have you tried editing or removing the post key and then trying to submit the form?? It still comes back with an error and won't add the forum.

Until you can provide a PoC that proves MyBB is at fault, saying MyBB 1.6 is insecure is a completely hollow claim, as you have zero evidence of that.
Reply
#5
Exactly, I do realise that plugins can be insecure, and fortunately I do not have any plugins installed other than labrocca's Sidebox and fIcons. Since there was a gray hat trying to intrude, he told me there was a 0-day for the newest version, and the webhost had nothing to do with it. He didn't give much information regarding the vulnerability; he told me he could use the MyBB exploit to upload pretty much any file to the root.

Not meaning to sound rude, but perhaps instead of trying to claim that the person asking for support is faking it, or has no proof, and being a rude dick, you should look for possible vulnerabilities.

Just trying to make the so-called "MyBB support team" alert that there are 0days available for new versions.
Reply
#6
(Dec 09, 2010, 01:36 PM)Naix Wrote: Since there was a gray hat trying to intrude, he told me there was a 0-day for the newest version, and the webhost had nothing to do with it. He didn't give much information regarding the vulnerability; he told me he could use the MyBB exploit to upload pretty much any file to the root.

And if I tell you there's a vulnerability on your server that allows me to gain root access, does it mean I'm definitely telling you the truth?? No. There have been many times when someone has been hacked, they've come to us saying the hacker told them it was MyBB, and then after a while the hacker says that they were bullshitting and it was nothing to do with MyBB after all, or they find out some other way that it wasn't MyBB.

(Dec 09, 2010, 01:36 PM)Naix Wrote: Not meaning to sound rude, but perhaps instead of trying to claim that the person asking for support is faking it, or has no proof, and being a rude dick, you should look for possible vulnerabilities.

Just trying to make the so-called "MyBB support team" alert that there are 0days available for new versions.

So you're saying I'm rude, and you're the one calling me a dick. I see.

Also, if it's an exploit that can allow you to upload an arbitrary file, it's highly unlikely it'd only be used on small sites (which would only expose it, thus removing the 0day-ness of the vulnerability), when there are many more high-profile sites out there, and we've not had any reports of people getting hacked for a while. Plus, if there is zero information on it, we can't exactly look through every line of code in the entire software for what could be causing it, assuming it is even actually a valid claim.

If you have actual credible information, then yeah, send it our way, but I've been doing this for a while now, and a lot of the time when a hacker tells the forum owner they got hacked via MyBB, it's just a scare tactic.

I expect you'll reply in a similar vein to your last post, which is cool, but if you were in my position you'd be saying the same thing. If we have a credible threat, we fix it, but someone saying you got hacked via MyBB with no evidence to support it, from you or anybody else, or saying that there's a 0day vulnerability but giving no information about it, is not a credible threat. Anybody could say that if they wanted to, and there is no way to check the validity of it or do anything about it.
Reply
#7
Chill down guys. Yes, shared hosts are the most dangerous part, and I never saw such cases in MyBB. I love mybb<vbulletin, vbulletin just sucks for me!
Reply
#8
I think you have to fix your < signs, glenvarun. MyBB<vBulletin means that vBulletin is greater than MyBB. Yet you said that vB sucks for you.
Reply
#9
Oops sorry, fast typing lol :P
Reply
#10
I remember a vulnerability like this on a previous version of MyBB. My forum was hacked because I neglected to upgrade my forum to the newest security release. That vulnerability has been corrected already.

If he gained access to your site, there are a thousand ways he could have done it. He could just be telling you that he uploaded a file to your site to scare you and put you through more problems.

Did you go through the security protection ideas posted on MyBB? Do you know anything about .htaccess? Why was your admin directory not password protected with .htaccess? If it was, even if he had access to upload files with some kind of exploit to MyBB, he wouldn't have access to the admin directory at all and would require a username and password to even go to the directory. Why don't you use .htaccess to block all IPs but your IP in the admin section? Why didn't you rename your admin directory? Granted, there's software out there that can list what directories you have on your site, and they can most likely find the admin directory, but most of your hackers are just skiddies who don't know anything about hacking, and if it poses a challenge to hack your site they're more likely to go away because of their lack of knowledge.

Since no one else is really giving you the information you need, I suppose I will. It really is a shame, though, that you post for support and the only thing one of the MyBB dev team members can say is "It's not our fault!". >_> Honestly, that kind of pisses me off. If everyone just said it's not their fault, nothing would ever get done and everything would be broken, so I kindly ask you to pull your foot out of your butt and give support or just don't comment at all, your choice. And yes, you were being a dick, because you just wanted to argue about whose freaking fault it was rather than give the guy some help.

I've been in your shoes before, and I know what it feels like to not really understand MyBB and how to properly protect it, and to not have much support behind you. I've found the great majority of MyBB to be a "find it out on your own" kind of thing.

Now here's something that kind of blows me away and really does make me want to call Matt a dick:

http://mattrogowski.co.uk/2009/06/24/myb...en-hacked/

Look who wrote that...oh...it was Matt...how cute. See Matt, if you had just posted this link instead of saying "It's not my fault!" you wouldn't be called a dick, simple. Aside from that, you shouldn't be putting down any thought that MyBB might have an exploit that hasn't been made public yet. You tell me the last hacker who found an exploit and wanted to tell the world so it could be patched....why do that when you can have fun fun fun all day long and not have anyone know what's wrong? If there really is an exploit for 1.6, you're a dumbass for not looking at it seriously.

Look, Naix, you're a dumbass too for not making sure your crap was secure. You wouldn't have this problem if you had just googled about MyBB security guidelines. But here it is, found it in less than five minutes:

http://mattrogowski.co.uk/2009/06/24/myb...en-hacked/

Learn your lesson though, ok? Not everyone's nice out there, and they want what you've got because for them it's free. My best bet for you would be to look at the "last modified" date and see what files were modified or changed on your site. That might lead to where the exploit originated. It's quite possible that there's no exploit at all against MyBB and that you got your password swiped by some skiddie. Go to a known clean computer and change all your passwords, go to http://malwareremoval.com/ and ask them to help make sure your computer is clean from viruses and malware. A keylogger could easily steal your passwords.

And for crying out loud secure your crap!

I hope this helped :P
Reply
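The two practical checks in the post above (look at which files changed recently, and lock the admin directory down with .htaccess so that an uploaded file or a stolen password alone is not enough) as an added example. This is not code from the thread or from the MyBB project; it assumes POSIX sh with find/sed, Apache 2.4 "Require" syntax, a web root laid out like a MyBB install, and placeholder values for the allowed IP (203.0.113.5) and the .htpasswd path.

```shell
#!/bin/sh
# Added example, not from the thread or the MyBB project. Two defensive checks:
# list files recently changed under a web root, and restrict an admin
# directory by client IP plus HTTP basic auth.
# Assumptions (placeholders, not real values): Apache 2.4 "Require" syntax,
# a MyBB-like web root, IP 203.0.113.5 and an .htpasswd path.

# List regular files under the web root whose mtime is within the last N days,
# one path per line relative to the root, skipping directories that churn
# legitimately. Caveat: an intruder can reset mtime with touch; ctime (-ctime)
# cannot be set that way and is the stricter follow-up check.
recently_modified() {
    root=$1
    days=$2
    ( cd "$root" && find . -type f -mtime "-$days" \
          ! -path './cache/*' ! -path './uploads/*' \
        | sed 's|^\./||' | sort )
}

# Write an .htaccess for the admin directory that requires BOTH a listed
# client IP and a valid basic-auth user, so a leaked admin password on its own
# does not open the control panel.
write_admin_htaccess() {
    admin_dir=$1
    htpasswd_file=$2
    allowed_ip=$3
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $htpasswd_file
<RequireAll>
    Require ip $allowed_ip
    Require valid-user
</RequireAll>
EOF
}

# Constructed sample web root so the script runs stand-alone.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/admin" "$DEMO_ROOT/cache" "$DEMO_ROOT/inc"
printf '<?php // shipped file\n' > "$DEMO_ROOT/inc/functions.php"
touch -t 200912010000 "$DEMO_ROOT/inc/functions.php"    # old install-time mtime
printf '<?php // constructed: unexpected new file\n' > "$DEMO_ROOT/inc/z.php"
printf 'x\n' > "$DEMO_ROOT/cache/rendered.tpl"            # cache churn, skipped

write_admin_htaccess "$DEMO_ROOT/admin" "/etc/apache2/.htpasswd" "203.0.113.5"
recently_modified "$DEMO_ROOT" 7    # prints admin/.htaccess and inc/z.php
```

The .htpasswd file itself is created with Apache's `htpasswd` tool and must live outside the web root. On Apache 2.2 the access-control part is spelled with `Order`/`Allow from`/`Satisfy All` instead of `<RequireAll>`. Diff the modified-file list against a clean copy of the same MyBB release rather than eyeballing it; a file with a fresh mtime that is byte-identical to the shipped one is noise, an extra .php file is not.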