MyBroadband admin security issue, code injection in footer

rpm

Admin
Staff member
Joined
Jul 22, 2003
Messages
66,740
Hi folks

MyBroadband’s forum recently experienced a security breach. The person accessed the Admin CP and according to our log files did the following:

  • Inserted an iFrame into the footer by changing the copyright text (done easily through the VB options section)
  • Uploaded a plugin for potential later use through admin section
  • Created two admin accounts

Thanks to HavocXphere, who alerted us to the issue, we removed the iFrame soon afterwards, and removed the plugin and admin accounts.

From the web and VB log files there is no evidence of any other actions by the person, and there is also no evidence that any user accounts were accessed or compromised.

We are currently uncertain how the person accessed the Admin CP, but initial indications point to a weak admin password. We strengthened this system by making a few changes (for security reasons we do not want to give specifics here).

Despite the fact that the problems have been solved and that there is no evidence of accounts being compromised, we would still urge you to monitor the forum and your account for anything strange.

If you see anything strange, please let us know immediately.

We see this as a serious problem, and will continue to look for ways to improve our security.

BTW: We could not find any evidence that this issue is linked to the editing or Tapatalk problem. We continue to monitor that as well.
 

Seriously

Honorary Master
Joined
Nov 29, 2012
Messages
16,596
All I found lately is that when you want to "edit" or "reply with quote" the display (Chrome) would be very slow, not updating the page, as if it is doing something else with the cursor flashing, yet if I open the edit or quote links in a new page it would work most of the time immediately and I could post the reply or edited changes before the other original page updated. I then rather closed that page as it seemed lost, but sometimes if left open, after quite a while it would recover. Sometimes I will get a Chrome window saying the server is not available when posting. Maybe not related, but maybe it gives you a clue about what is happening on our side.
 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
23,995
Is it possible that the "intruder" could have gained access to the forums database?
 

Hamish McPanji

Honorary Master
Joined
Oct 29, 2009
Messages
42,084
You guys probably know best what you are doing, and I am not entirely sure how the back-end logging occurs on the forum, especially for the creation of admin users, but is it possible to track this by the IP address that the changes were made from, and see if anyone posted to the forums at the same time with the same IP address?

I do hope passwords are not stored in clear text though.

Good luck with your fixes
 

RichardG

Honorary Master
Joined
Apr 6, 2005
Messages
11,697
Also experiencing the same issue as @Seriously: you cannot "Reply with Quote". This problem occurred about 3 - 5 days ago if not mistaken, or even last week sometime, on Firefox. Also noticed that sometimes my browser keeps on freezing while on this website (not sure if it is the Flash content).

Should we also monitor our email for anything suspicious?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
@RPM - some years ago we experienced a similar issue on vBulletin. The issue was related to the VBSEO plugin, which I believe still had the vulnerability until recently. It allowed, via SQL injection, modifying the footer/theme as you described to inject, as you said, an IFRAME. The IFRAME was used for ad-click-jacking (the content of the iframe was invisible, but it click-jacked ads in what we believe was an attempt to generate ad-revenue). If it was the VBSEO plugin it would have also poisoned rewrite rules and, in some instances, clicking via a SEO link would result in advertising being displayed - this was however not widely experienced.

We did have to clean up the vBulletin DB as this intrusion via the plugin also resulted in code modification and the placement of local php-files. If you do a Google search for "VBSEO iframe" or "VBSEO XSS" you will come across a number of reported incidents. vBulletin was, at the time we experienced the issue, of no great help either. Hope this helps, otherwise you have my contact details and I can get one of our tech ppl to give you more details.
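
An added example, not part of any post in this thread: the first post describes an iFrame placed in the footer through the copyright text, and the post above describes invisible iframes. This sketch audits a footer or template string for iframes that are hidden or that point at hosts outside an allowlist; the host names and sample strings are constructed placeholders, not values from the incident.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site is expected to embed (placeholder values).
ALLOWED_HOSTS = {"forum.example", "ads.example"}

# Inline styles that make a frame invisible or collapse it to nothing.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(?:width|height)\s*:\s*[01](px)?\s*(;|$)", re.I)


class IframeAudit(HTMLParser):
    """Collects (src, reasons) for every iframe that looks injected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        host = urlparse(a.get("src", "")).hostname or ""
        if host and host not in ALLOWED_HOSTS:
            reasons.append("external host " + host)
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("zero-size attributes")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def audit_template(text):
    """Return findings for one template or option value, e.g. the footer text."""
    parser = IframeAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample values for a footer copyright setting.
CLEAN = '&copy; Example Forum <iframe src="https://ads.example/b" width="728" height="90"></iframe>'
TAMPERED = ('&copy; Example Forum<iframe src="http://injected.invalid/x" '
            'width="0" height="0" style="visibility:hidden"></iframe>')
```

Run on a schedule against stored template and option values, a non-empty result from `audit_template` is a prompt to check the admin log for who changed that value and when.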
 

froot

Honorary Master
Joined
Jun 2, 2009
Messages
11,347
@RPM So if you read something about me taking your car for a spin last night, it wasn't me, it was the hacker :D

Is it possible that the "intruder" could have gained access to the forums database?

There are only two ways to gain access to the database: a) via Hetzner's KonsoleH and b) via remote if you manage to get the username and password from the site's config file. I don't know if vBulletin hashes or salts the password, but none of the bulletin boards or WP/Joomla installs I've seen does that. But there's no way you're going to get access to either of those.
 

MickeyD

RIP
Joined
Oct 4, 2010
Messages
139,117
There is no sign that there was any DB access in the logs.

No - passwords are hashed.

I changed my password. Edit function works (coincidence?).

Reply with quote still requires a double click to go to the Advanced panel. It also tries to generate a duplicate post.
 

rpm

Admin
Staff member
Joined
Jul 22, 2003
Messages
66,740
Were user contact emails compromised?
We found no evidence of that. The user section in the Admin CP was not accessed - looks like he may have focused on injecting the iFrame and creating a system for later use.

We will continue to investigate today, and if we uncover anything else we will let you know.
 

w1z4rd

Karmic Sangoma
Joined
Jan 17, 2005
Messages
49,747
Passwords are probably md5 hashed, which is not really a good layer of security :D Anyways, hectic someone got in. Let's hope it was just a weak password.
 

froot

Honorary Master
Joined
Jun 2, 2009
Messages
11,347
Passwords are probably md5 hashed, which is not really a good layer of security :D Anyways, hectic someone got in. Let's hope it was just a weak password.

vBulletin says they use a double md5 with a salt.
 

koeksGHT

Dealer
Joined
Aug 5, 2011
Messages
11,857
Ok, that's way betterer :D

Unless they get the source code :p

Clever people (or not so clever) trying to take advantage of myBB's huge crowd :p

Seeing as you guys use Analytics how many people are on the site live average?
 