We were hit last night. I forgot to remove the ability for the Apache server to be able to write some of the php files on the server. There is a problem in addpost_newpoll.php that allows execution of arbitrary code on the server.
I'm running 6.5.2. I don't believe I've skipped any security upgrades. I've included a couple log traces of the issue.

I restored my original files back. Changed everything to 444 and removed the addpost_newpoll.php and disabled polls on the machine. It's not much of an issue because it is basically an unused feature.

Thanks for the info on this. I've removed the logs just to safeguard other forum owners. I'm working on a fix for this as we speak and will get an update put out in the members area ASAP.

Ok, we're working on a 6.5.3 as I type this. The fix is fairly quick, it only requires 2 files to be changed. Anyone running a version between 6.4 and 6.5.2 will want to apply this:

At the top of addpost.php you'll see this:

require ("./includes/main.inc.php");

right before that, add this:

define('ADDPOST',1);


Then, in addpost_newpoll.php, at the top, you'll see this:

// ------------------------------------
// THIS FILE IS INCLUDED BY ADDPOST.PHP

Right after that, add this:

if (!defined('ADDPOST')) {
exit;
}

The hacker left a backdoor on my system. Shame on me that I realized this 24 hours after the attack.

Check your process list for "bindz".

If you have access to your server access logs scan through them for recent gets to addpost_newpoll.php. This will give you an idea of what all they may have done.

This is exactly how I learned about this backdoor. Thanks for the fix!

You're welcome. My apologies it was there in the first place. All of the other scripts include ubbt.inc.php at some pont which sanitizes some things to prevent this. This one particular script didn't because it was being included by one that did. The fix basically makes it so the only way the script can be called is if it's been included by another as it is under normal operation.

Scary stuff. We were hit this morning. Thanks for the quick fix Rick! I will sleep better tonight.

Thank you for being so quick. I'm thrilled to see such an easy fix. We continue to be very happy users of your products.

Yeah, this one has been a headache for me all day. Thanks for the quick fix.