Things are locked down and cleaned up. I’ve been going over the access logs and don’t see any indication that the script kiddie got anything useful, but from 3/30 through 4/2 he had a back door on the system that let him execute arbitrary PHP code.
There is nothing in the logs that shows he got around to doing anything useful or that he managed to grab the database, but it would be safer if you assume that he managed to grab a full database dump, which would have everyone’s account name, email address and encrypted password.
It looks like MyBB salts the MD5 hashes for the passwords, so even with a full database dump it would be very unlikely that they would be able to crack the passwords (they would have to brute-force individual passwords, since rainbow tables would be useless), but in an abundance of caution it wouldn’t be a bad idea to change them (particularly if you use the same password elsewhere).
I will post a full timeline of events and hack details to my blog later this afternoon.
I take security as seriously as I can but with a constant stream of attacks every now and then the script kiddies get lucky.
I came across another breach in the past where the kiddie uploaded shell.php, a very interesting script which almost allowed shell access (sandboxed by the privileges of the webserver user).
Yep - sent out of band. The jpeg actually allowed shell access (that was the only thing it could do) - the PHP was a full console - they’re getting fancy.
If you could send all files you have from the hack I’d appreciate it. As a developer I’m into security as well (you’re not a developer unless you are imo), and the PHP code within the jpeg file is something I haven’t seen before. I’d like to take a look at that to make sure none of the systems I’ve programmed are vulnerable to such an attack.
The PHP interpreter will apparently execute anything inside of a <?php ?> pair of tags, even if it is a binary file so the problem isn’t unique to images. Jpegs have a fun feature that lets you include arbitrary data in header tags (like the exif data) so it is easy to build an image that looks normal but has executable code within it.
Stripping out all tags or recompressing (without maintaining tags) all user-uploaded images is probably the safest way to secure them (besides making sure php won’t be called to execute an image file).
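The re-encoding approach suggested above, as an added example that is not code from the original thread: re-drawing the upload through GD produces a fresh file that carries none of the original metadata segments (EXIF, comments) where embedded `<?php` text would otherwise ride along unchanged. The GD extension, the `$srcPath`/`$dstDir` paths and the function names are assumptions.

```php
<?php
// Added example (not from the original thread). Assumes the GD extension is
// installed; $srcPath and $dstDir are hypothetical paths supplied by the caller.

// Re-encode an uploaded image and return the path of the clean copy, or null
// if the file is not an image we are willing to serve.
function sanitizeUploadedImage(string $srcPath, string $dstDir): ?string
{
    // 1. Decide what the file really is from its bytes, not from its extension.
    $info = @getimagesize($srcPath);
    if ($info === false) {
        return null; // not a decodable image at all
    }
    // 2. Decode only the formats we know how to re-encode.
    $type = $info[2];
    switch ($type) {
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($srcPath); $ext = 'jpg'; break;
        case IMAGETYPE_PNG:  $img = @imagecreatefrompng($srcPath);  $ext = 'png'; break;
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif($srcPath);  $ext = 'gif'; break;
        default: return null;
    }
    if ($img === false) {
        return null; // claimed to be an image but GD could not parse it
    }
    // 3. Write a brand-new file under a server-chosen name. Only decoded pixels
    //    are written back, so header/metadata segments from the upload are gone.
    $dst = rtrim($dstDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($type) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dst, 85); break;
        case IMAGETYPE_PNG:  imagesavealpha($img, true); $ok = imagepng($img, $dst); break;
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dst); break;
    }
    imagedestroy($img);
    return $ok ? $dst : null;
}

// Defence-in-depth check for the stored copy: a re-encoded image should not
// contain a PHP open tag anywhere in its bytes. Useful as a post-upload audit
// or for scanning an existing uploads directory after an incident.
function containsPhpTag(string $path): bool
{
    $bytes = file_get_contents($path);
    if ($bytes === false) {
        return false;
    }
    return stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false;
}
```

The destination directory should still be served with the PHP handler disabled, so that even a file that slips through is returned as static bytes rather than interpreted.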
Yep (though that was 5 years back). MyBB salts all of the hashes so at least back in the day it was hard enough to make the database useless though these days not so much.
It looks like MyBB moved to a new architecture recently so I’ll either have to move the forums to the newer version or to a new platform. I might take a look at vbulletin since I’m going to have to move anyway though keeping accounts intact would be preferred. Moving to OAuth and not storing any credentials at all would be even better.