MyBB Forum Hacked and Re-taken. Trying to figure out exactly what happened.

Discussion in 'Security' started by cscott5288, Jun 3, 2009.

  1. #1
    So my MyBB forum was recently hacked, and I am trying to find the exploit that was used. Is it possible this inactive plugin could have been used if it was not chmodded correctly?

    <?php
    if(!defined("IN_MYBB"))
    {
    	die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined.");
    }
    
    $plugins->add_hook("global_end", "missyouemail_global_end");
    
    function missyouemail_info() {
    	return array(
    		"name" 			=> "Miss You Email",
    		"description"	=> "Sends an email to each use that hasn't posted in X days.",
    		"website"		=> "http://mods.mybboard.net/view/we-miss-you-plugin",
    		"author"		=> "LegosJedi",
    		"authorsite"	=> "http://mods.mybboard.net/profile/6391",
    		"version"		=> "1.0.0",
        	"guid"			=> "582448d8377dd6d0c475612cdf3fb774",
    		"compatibility"	=> "14*",
    	);
    }
    
    function missyouemail_install() {
    	global $db;
    	
    	$query = $db->simple_select("settinggroups", "COUNT(*) as rows");
    	$rows = $db->fetch_field($query, "rows");
    	
    	$insertarray = array(
    		'name' => 'missyouemail', 
    		'title' => 'Miss You Email', 
    		'disporder' => $rows+1, 
    		'isdefault' => 0
    	);
    	$group['gid'] = $db->insert_query("settinggroups", $insertarray);
    	
    	$insertarray = array(
    		'name' => 'mye_onoff',
    		'title' => 'Miss You Email Switch',
    		'description' => 'Turns on or off Akismet.',
    		'optionscode' => 'onoff',
    		'value' => 1,
    		'disporder' => 0,
    		'gid' => $group['gid']
    	);
    	$db->insert_query("settings", $insertarray);
    	
    	$insertarray = array(
    		'name' => 'mye_days',
    		'title' => 'Day Limit',
    		'description' => 'How many days should a user be inactive before the email is sent?',
    		'optionscode' => 'text',
    		'value' => '30',
    		'disporder' => 0,
    		'gid' => $group['gid']
    	);
    	$db->insert_query("settings", $insertarray);
    	
    	$insertarray = array(
    		'name' => 'mye_subject',
    		'title' => 'Email Subject',
    		'description' => 'The Subject of the email to be sent out.',
    		'optionscode' => 'text',
    		'value' => 'Forum Inactivity - {bbname}',
    		'disporder' => 0,
    		'gid' => $group['gid']
    	);
    	$db->insert_query("settings", $insertarray);
    	
    	$insertarray = array(
    		'name' => 'mye_message',
    		'title' => 'Email Message',
    		'description' => 'The message that will be sent to the user. You can type {username} for the username, {bbname} for your board name, {bburl} for the url of your board, and {days} for the day limit entered above.',
    		'optionscode' => 'textarea',
    		'value' => $db->escape_string("Hi, {username}\n\nYou've been gone for a while. According to our records, you haven't visited {bbname} in the last {days} days. Why not stop by and start a new discussion, or contribute to an existing one? Come let people know you're still alive!\n\n{bbname}\n{bburl}\n\n--------\n\nThis is an automated message. Please do not reply to this message."),
    		'disporder' => 0,
    		'gid' => $group['gid']
    	);
    	$db->insert_query("settings", $insertarray);
    	
    	$db->write_query("ALTER TABLE ".TABLE_PREFIX."users ADD myesent int NOT NULL default 0");
    	
    	rebuild_settings();
    }
    
    function missyouemail_is_installed()
    {
    	global $db;
    	
    	if($db->field_exists('myesent', "users"))
    	{
    		return true;
    	}
    	
    	return false;
    }
    
    function missyouemail_activate()
    {
    	global $db;
    	
    	$insertarray = array(
    		'title' => 'Miss You Email',
    		'description' => 'Sends out emails to users who have been inactive for X amount of days',
    		'file' => 'dailymissyouemail',
    		'minute' => 0,
    		'hour' => 0,
    		'day' => '*',
    		'month' => '*',
    		'weekday' => '*',
    		'nextrun' => TIME_NOW, // Let's run it now, shall we?
    		'lastrun' => 0,
    		'enabled' => 1,
    		'logging' => 1,
    		'locked' => 0
    	);
    	
    	$db->insert_query("tasks", $insertarray);
    }
    
    function missyouemail_uninstall()
    {
    	global $db;
    	
    	if($db->field_exists('myesent', "users"))
    	{
    		$db->write_query("ALTER TABLE ".TABLE_PREFIX."users DROP myesent"); 
    	}
    	
    	// DELETE ALL SETTINGS TO AVOID DUPLICATES
    	$db->write_query("DELETE FROM ".TABLE_PREFIX."settings WHERE name IN(
    		'mye_onoff',
    		'mye_days',
    		'mye_subject',
    		'mye_message'
    	)");
    	$db->delete_query("settinggroups", "name = 'missyouemail'");
    }
    
    function missyouemail_deactivate()
    {
    	global $db;
    	
    	$db->delete_query("tasks", "title = 'Miss You Email'");
    }
    
    function missyouemail_global_end()
    {
    	global $mybb, $db;
    	
    	if($mybb->user['myesent'] == 1)
    	{
    		$db->update_query("users", array("myesent" => 0), "uid='".intval($mybb->user['uid'])."'");
    	}
    }
    ?>
     
    cscott5288, Jun 3, 2009 IP
  2. SSANZ

    #2
    Yes, scripts which are not activated, yet have insecure permissions set on them, can be exploited.
     
    SSANZ, Jun 3, 2009 IP
  3. SteveWh

    #3
    SteveWh, Jun 4, 2009 IP
  4. blackpeace

    #4
    Just replace hacked files with original files. And you could fix this problem.
     
    blackpeace, Jun 4, 2009 IP
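
Added example (not part of any post in this thread): before replacing files, it helps to know which ones differ from a clean copy of the same release and which ones carry the loose permissions discussed in post #2. The sketch below compares a live tree with a clean tree by SHA-256 and flags world-writable files; the directory layout and file names in `demo()` are constructed, apart from the plugin file name taken from post #1.

```python
import hashlib
import os
import stat
import tempfile

def index_tree(root):
    """Map relative path -> (sha256 hex digest, permission bits) per regular file."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # this sketch hashes regular files only
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            index[rel] = (digest, stat.S_IMODE(os.stat(full).st_mode))
    return index

def audit(live_root, clean_root):
    """Compare the live forum tree with a clean copy of the same release."""
    live, clean = index_tree(live_root), index_tree(clean_root)
    report = {"modified": [], "added": [], "world_writable": []}
    for rel, (digest, mode) in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)           # file the release never shipped
        elif clean[rel][0] != digest:
            report["modified"].append(rel)        # content differs from the original
        if mode & stat.S_IWOTH:
            report["world_writable"].append(rel)  # any local user can rewrite it
    return report

def _write(root, rel, text, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)  # explicit mode so the demo does not depend on umask

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample trees
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        plugin = os.path.join("inc", "plugins", "missyouemail.php")
        for root in (clean, live):
            _write(root, "index.php", "<?php // core file\n")
            _write(root, plugin, "<?php // plugin\n")
        _write(live, "index.php", "<?php // core file, altered\n")
        _write(live, plugin, "<?php // plugin\n", mode=0o666)
        _write(live, os.path.join("uploads", "unknown.php"), "<?php\n")
        return audit(live, clean)
```

Files listed under `added` deserve the closest look, since restoring originals leaves them in place.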
  5. psyberweb

    #5
    Yep, exactly, or better, get an updated version. It has better security patches than the one you are currently using. :)
     
    psyberweb, Jun 4, 2009 IP
  6. sadiqsaad

    #6
    A question: were you using the latest version, i.e. 1.4.6?
     
    sadiqsaad, Jun 6, 2009 IP
  7. MH-Andy

    #7
    Please check your RAW access logs; you will be able to find the exploit that was used.
     
    MH-Andy, Jun 7, 2009 IP
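
Added example (not part of any post in this thread): one way to triage a raw access log for the question asked in post #1. It assumes Apache Combined Log Format and the usual MyBB layout in which files under `/inc/` are include-only (the plugin in post #1 refuses direct initialization via `IN_MYBB`), and it flags direct requests to such files plus any PHP file that answers 200 but is absent from a clean copy. The log lines, IP addresses and paths other than the plugin file name are constructed.

```python
import re

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines, known_scripts, include_prefix="/inc/"):
    """Return (line_no, ip, method, path, reasons) for requests worth a closer look."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(".php"):
            continue
        reasons = []
        if path.startswith(include_prefix):
            # include-only files are never requested by normal browsing
            reasons.append("direct request to an include-only file")
        if path not in known_scripts and m["status"] == "200":
            reasons.append("PHP file absent from the clean copy answered 200")
        if reasons:
            findings.append((line_no, m["ip"], m["method"], path, reasons))
    return findings

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jun/2009:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Jun/2009:10:03:40 +0000] "GET /inc/plugins/missyouemail.php HTTP/1.1" 200 118 "-" "-"',
    '192.0.2.44 - - [02/Jun/2009:10:04:05 +0000] "POST /uploads/unknown.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [02/Jun/2009:10:05:30 +0000] "POST /member.php?action=login HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Jun/2009:10:06:02 +0000] "GET /missing.php HTTP/1.1" 404 210 "-" "-"',
]
# In practice, build this set from the file list of a clean copy plus installed plugins.
KNOWN = {"/index.php", "/member.php", "/inc/plugins/missyouemail.php"}

def demo():
    return triage(SAMPLE_LOG, KNOWN)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Grouping the findings by source IP and then reading that client's earlier requests usually shows how the first unexpected file got onto the server.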
  8. bentink

    #8
    Are you using SuPHP?
     
    bentink, Jun 7, 2009 IP
  9. SSANZ

    #9

    Logically no, considering his script was exploited as a nobody user due to the incorrect permissions.
     
    SSANZ, Jun 8, 2009 IP