Author Topic: SECURITY FIX! Users using any version prior to 1.5.1  (Read 96285 times)
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #135 on: February 10, 2003, 04:56:36 PM »

It's amazing how rude people can be... I went to a site that was hacked, suggested to upgrade to fix it, and got this reply:

"Your logic = screwed the f up"

Yes, lovely :)
Logged

Omar Bazavilvazo
YaBB SE Developer
YaBB God
*****
Posts: 2153


I never said I would stay to the end...

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #136 on: February 10, 2003, 05:05:18 PM »

Quote from: Jeff Lewis on February 10, 2003, 04:56:36 PM
It's amazing how rude people can be... I went to a site that was hacked, suggested to upgrade to fix it, and got this reply:

"Your logic = screwed the f up"

Yes, lovely :)

Remember, it's OUR fault; they didn't come here after receiving 10 emails, and never applied the fix....

* Omar Bazavilvazo is being sarcastic...
Logged

Greetings from México!
http://omarbazavilvazo.com
My Spanish-Japanese forum
http://hablajapones.org
http://hablajapones.org/index.php/japones/tutoriales/b16.php

Do NOT send me IMs for support or questions
...I read the forums like everyone else...
ax2graphics
Noobie
*
Posts: 2


This is my personal text.

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #137 on: February 10, 2003, 05:54:24 PM »

I blame no one but myself....!

Just to make sure THIS was the problem.. is it possible that through this hole, the hacker could replace my index page? Now, keep in mind, none of my MySQL passwords OR usernames are duplicated throughout my site configuration.

Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #138 on: February 10, 2003, 06:12:39 PM »

Yes, they could, and that's how they replaced our index page here before we fixed it here  :-X
Logged

Alex Rolko
Almighty
Global Moderator
YaBB God
*****
Posts: 4624


Fury of Me

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #139 on: February 10, 2003, 06:28:28 PM »

We're really annoyed with these people who are hacking these forums.
Logged


ThinkGeek.com Wishlist | Just call me Xander...
I'm sorry but I don't answer support requests
Spaceman-Spiff
Mod Team
YaBB God
*****
Posts: 3689


My $txt[228]

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #140 on: February 10, 2003, 08:31:31 PM »

Quote from: rickc on February 06, 2003, 12:27:04 AM
I run 1.41 with the Expand • Collapse mod that yipsir (I think that's his name) wrote. How long should I wait b4 upgrading??

wait no more: http://www.yabbse.org/community/index.php?board=158;action=display;threadid=12045
Logged

   My mods, ysePak, codes, tutorials
    Support question IMs = bad.
luisr
Full Member
***
Posts: 120


Left blank to save space.

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #141 on: February 12, 2003, 12:27:45 AM »

Hi there!  I just got this e-mail from my web host:


Quote
Hello,

Recently we have become aware of a security risk to your hosting account and web site.  Your site is using a bulletin board system called YaBB SE.
This software causes your web site to become vulnerable to outside attack and would allow a malicious user access to the server to modify or even erase all content on your site, including email and log files.  Some of our customers have already been attacked.
We are aware that the publisher has recently released an updated script for this program, however we are not sure that this new release has resolved the security issue.  Therefore, we strongly recommend that you take down your bulletin board system until this security issue has been resolved.

For more information regarding this issue, please visit:
http://online.securityfocus.com/bid/6663/info/

To go to the publisher's site, visit:
http://www.yabbse.org/

Please let us know if you have any further questions or problems.


Sincerely,

Justin
TierraNet Support
[email protected]
---------------------

They say that they are not sure that this vulnerability has been fixed by the patch.  And they are suggesting that I take down my board.  I replied telling them that I cannot take it down just like that, but I removed the Packages.php script as a temporary solution.

I have never dealt with this packages thing and the board seems to run normally without this script.  Is this temporary solution good enough?  I am waiting for the official 1.5.1 release before I update.  My board currently runs 1.3.1.

By the way, the suggestion from many messages ago about using the XML file for this kind of announcement in the admin area won't necessarily work for everyone.  I don't visit my admin area often.  The e-mails did the job quite well.

Finally, I will suggest something that may offer some degree of protection, at least from hackers using search engines to find your board.  There is a way to tell search engine spiders and robots what places in your site are off-limits and should not be indexed.  This is done by putting a file called "robots.txt" in your root web directory.  This file contains a series of instructions that tell spiders and robots not to look at specified directories within your web site.  It looks like this:

User-agent: *
Disallow: /cgi-bin/

The first line means that this robots.txt file is meant for all user agents (hence the *).  The second line means not to look into the contents of directory cgi-bin.  You add one of those for every single directory you wish to prevent from being indexed by spiders and robots.  My sites have these disallowing folders containing information that can be harvested by spammers, such as e-mail addresses from guestbooks and discussion boards.

Just put your YaBB SE directory into one of those and this will at least make it harder for hackers to find your board by just using a search engine.

Of course, this has a cost.  If you DO REALLY WANT your board to appear in search engines, then this is not a solution.  In my case, having the root site URL appear in most search engines is enough for me.
Logged
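
The robots.txt approach from the post above, as an added example that is not part of the original thread: it parses a constructed file with Python's standard urllib.robotparser, reports which URLs a rule-honouring crawler would skip, and lists the paths the file itself publishes to anyone who requests it. The /yabbse/ directory and the ExampleBot agent name are assumptions.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt in the style the post describes. /yabbse/ is an
# assumed board directory, not a path taken from the thread.
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /yabbse/
"""


def crawl_decisions(text, paths, agent="ExampleBot"):
    """Return {path: allowed} as a crawler that honours robots.txt decides."""
    parser = RobotFileParser()
    parser.parse(text.splitlines())
    return {path: parser.can_fetch(agent, path) for path in paths}


def disclosed_paths(text):
    """Return every Disallow value in the file.

    robots.txt is served to any client that asks for it, so these paths are
    public whether or not the client follows the rules.
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            found.append(value.strip())
    return found


if __name__ == "__main__":
    checks = ["/index.html", "/yabbse/index.php", "/cgi-bin/test.cgi"]
    for path, allowed in crawl_decisions(ROBOTS_TXT, checks).items():
        print(f"{path:22} {'crawl' if allowed else 'skip'}")
    print("paths readable from robots.txt:", disclosed_paths(ROBOTS_TXT))
```

The rules only change what cooperating crawlers index; they do not restrict access to the directories, so the board still needs the patch.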
firewired
Noobie
*
Posts: 27


Every little thing SE does is magic...

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #142 on: February 12, 2003, 01:07:43 AM »

Yup, I'm expecting a similar message from my host soon regarding YaBB SE. PinoyDVD.com was hacked yesterday and it felt like we were playing ping-pong with the "invaders" before we learned about and were able to upload the patched file. The front page was changing every 5 minutes! Every time we'd correct it, they'd immediately hack it.

My host ended up having to reboot the server to keep them out. They were as worried as we were, probably more so because they weren't familiar with YaBB SE.
« Last Edit: February 12, 2003, 01:23:38 AM by firewired » Logged
mikkom
Noobie
*
Posts: 3


*Blib*

Mass deface
« Reply #143 on: February 12, 2003, 07:30:15 AM »

I have been studying my logs and it seems obvious that these crackers are using a mass deface program that automatically searches for yabb boards and defaces them.

Visit http://www.vulnerabilidades.hpg.ig.com.br/index.html
I haven't unpacked those packages but you can probably find the code that attackers used there.

Also, a php terminal and another backdoor were installed on my computer after an attack; for more information visit http://www.madmonkey.net/page.cgi/index?areaID=100&newsID=439

The attacks came from a dialup of a Brazilian web operator. I sent them a notification about the attack but got no replies..
>:(
« Last Edit: February 12, 2003, 07:48:09 AM by mikkom » Logged
Michele
Beta Tester
YaBB God
*****
Posts: 584


I can't wait for YaBB SE 2!

Mad+Moya WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #144 on: February 12, 2003, 04:54:58 PM »

At this point, I'm backing up my site every day, including the database. My logs show someone's been trying to get in for the last 4 days, but so far, so good... don't think it's the Brazilians though. ;)
Logged

formerly Mad Moya
PfaBB - http://pfabb.lunabyte.com
PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #145 on: February 12, 2003, 06:57:12 PM »

I have had a few weird errors in my logs also... someone seems to be trying to get access to the admin account. I just ban the IP just in case.

Have applied the fix last week.
Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #146 on: February 12, 2003, 07:06:34 PM »

People really should be repairing their installs or there is a very strong possibility of being hacked; this is why we announced this several times already.

I guess we have to thank Matt Siegman for this hole ;)
« Last Edit: February 12, 2003, 08:01:29 PM by Jeff Lewis » Logged

gingerfire
Noobie
*
Posts: 8


OK, I'm coming.

WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #147 on: February 12, 2003, 10:26:01 PM »

I'm a registered user of YaBB SE, but I never received an email about the security fix.  Fortunately, I was still trying to get the board up and running, so there was no link to it from my website and I was checking the forum often (1st board).  

But please be aware that not all registered users received an email for whatever reason.
Logged

gingerfire
oldford
Jr. Member
**
Posts: 91


WWW
Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #148 on: February 19, 2003, 05:34:18 AM »

Should this fix maybe be implemented in all the files in the download section? I just upgraded to 1.4 and still had to make this fix by hand. Wasn't a big deal and only took a second, but I almost didn't check because I assumed that it would have been fixed.

Just a thought.
Logged

Spaceman-Spiff
Mod Team
YaBB God
*****
Posts: 3689


My $txt[228]

Re:SECURITY FIX! Users using any version prior to 1.5.1
« Reply #149 on: February 19, 2003, 05:41:54 AM »

a better way is to upgrade to 1.5.1RC1
Logged

   My mods, ysePak, codes, tutorials
    Support question IMs = bad.