06-29-2009, 03:17 PM
It was a MyBB vulnerability (color me unimpressed, why is MyBB so shitty).
The guy used a public MyBB 1.4.6 exploit, gained admin privileges on the forum (strangely enough, the account he used didn't have admin privileges anymore when I checked), and dropped some PHP exploits into the forum's cache folder because he couldn't write anywhere else (he didn't get root and couldn't escalate privileges; he could only run things with the same permissions as the webserver. He also failed to backdoor the forum's code for the same reason).
Then he overwrote index.html, which is a cached file generated by tSR's update system (so the webserver must have permissions to write to it), which was promptly regenerated by Dazz when he hit the "Regenerate index" button.
Then I just had to clean up the exploits he dropped and upgrade the forums so this wouldn't happen again.