MyBB Forum HACKED!

N

NeoCHI

Active member
One of my older forums just got officially hacked...

Here's a screenshot of what it shows when I go to the domain:

Screen Shot 2017-11-15 at 2.03.06 PM.webp


Has anyone see this before?!?!

TBH though this forum was built using mybb and not Xenforo.
 
It was on something other than xenforo. I would suggest contacting your host provider and ask them if they are able to help.
 
We've seen similar defacements before. So far none of them have been exploited via XenForo itself. It can be through weak server credentials, poor security on shared hosts, exploits via other software, that kind of thing.

The most important thing to do right now is to change every password and liaise with your host and/or server support people to ascertain the point of entry and close it.
 
If it was an exploit via the forum software (mybb) could they have actually gotten root access to my whole server? If so I'd think they would've hacked all my sites but they didn't. So if they only had access to that 1 account, if I just terminate that 1 account I should be ok right?
 
I somehow missed you mentioned that this isn't even an XF site.

My general advice still stands, and this thread is fine for general discussion about it, but we're not really able to offer any support directly.
 
This is why I use 2fa for everything and changed default ports and set strong passwords like stated contact your host and work with them to investigate hoebthey gained entry
 
Anonymous hacking group calls for 'lulz and resistance' in 2017's Million Mask March Anonymous pledged to march in Trafalgar Square, Westminster, on 5 Novemberl

Tons of info on this group
 
See if you can get your host to block those hackers and if you can get their ip address and their email address report it to your country's e crime unit as they will be able to catch them out.
 
You can't really call a site defacement 'hacking' any more. People aren't really hacking, they're just exploiting bad configs with freely available scripts. We see tons of attempts in our logs by these scripts to find known paths to software that could be installed on a server somewhere. They aren't even targeting a forum package except the last group that went after vB sites. We saw a metric ton of requests trying to load that shell script on servers where vB wasn't even running.

Nonetheless... a change of host or complete wipe and restore is in order to assure no nasty surprises were left behind to pop up later.
 
carntheroos4eva said:
See if you can get your host to block those hackers and if you can get their ip address and their email address report it to your country's e crime unit as they will be able to catch them out.
Click to expand...
They'll usually do it through a chain of IP's, at least if they're smart.

Some of these are also automated through botnets.
 
NeoCHI said:
If it was an exploit via the forum software (mybb) could they have actually gotten root access to my whole server? If so I'd think they would've hacked all my sites but they didn't. So if they only had access to that 1 account, if I just terminate that 1 account I should be ok right?
Click to expand...

Without a forensic analysis, it's hard to say one way or another.
 
NeoCHI said:
I use Knownhost which has been great until this...I'd be worried if they can do this to xenforo forums!
Click to expand...

Knownhost is a mighty good service provider! Easier to blame a host, but keeping redundant or obsolete applications on the server is our own folly...

ŽivaAkcija said:
hacking any forum script is not easy, hacking bad host its very easy, so allways blame a hosting
Click to expand...

:rolleyes:
 
Last edited:
NeoCHI said:
I use Knownhost which has been great until this...I'd be worried if they can do this to xenforo forums!
Click to expand...

Hi NeoCHI, if you haven't already, please make sure to open a support ticket with our staff. To be honest, we see this kind of thing all the time. If you had an outdated MyBB install then I can almost guarantee this is how they defaced the website.

ENF said:
You can't really call a site defacement 'hacking' any more. People aren't really hacking, they're just exploiting bad configs with freely available scripts. ..... Nonetheless... a change of host or complete wipe and restore is in order to assure no nasty surprises were left behind to pop up later.
Click to expand...

I'd say this is a little extreme. No need to wipe an entire server if it's simply a single account compromised. Wipe/Reinstall/Restore from backup that account sure, but without further evidence of it going past the user level that could be a lot of work for no real reason. If evidence of a root compromise then yes, 100% the only way to guarantee a clean server is to burn it with fire :).

ŽivaAkcija said:
hacking any forum script is not easy, hacking bad host its very easy, so allways blame a hosting
Click to expand...

My apologies, but I'll 100% disagree here. Defacing a website or finding un-sanitized input in code is far easier than trying to exploit base services almost every time.

Neutral Singh said:
Knownhost is mighty good service provider! Easier to blame a host, but keeping redundant or obsolete applications on the server is our own folly...
Click to expand...

Thanks for the positive feedback, we appreciate it!
 
ENF said:
You can't really call a site defacement 'hacking' any more. People aren't really hacking, they're just exploiting bad configs with freely available scripts. We see tons of attempts in our logs by these scripts to find known paths to software that could be installed on a server somewhere. They aren't even targeting a forum package except the last group that went after vB sites. We saw a metric ton of requests trying to load that shell script on servers where vB wasn't even running.

Nonetheless... a change of host or complete wipe and restore is in order to assure no nasty surprises were left behind to pop up later.
Click to expand...
You can if you record their ip addresses and then report them to your host. Better still give the ip address list to police and they will block those people pretty quickly.
 

Similar threads

KhanTastic
  • Question Question
XF 2.2 My new forum got hacked, what I should do please?
2
Replies
25
Views
1K
Suzanne O
Suzanne O
R
paying someone to fix my broken xenforo forum (which was hacked)
Replies
10
Views
952
TPerry
TPerry
S
  • Question Question
XF 2.2 Site Hacked, Users Downgraded, Trying to Fix
Replies
9
Views
1K
Mike
Mike
Ladegro
  • Question Question
XF 2.1 Forum hacked?
Replies
7
Views
2K
Ladegro
Ladegro
I
  • Question Question
XF 2.1 someone hacked my forum
2
Replies
37
Views
4K
Blatchy
B
Back
Top Bottom