OK, it's very weird, but some attachments indeed disappeared. I compared the files on the server and in my backup, and the difference is huge. I haven't checked the database yet - currently I'm backing up the latest changes and uploading what is missing.
I hate when such things happen... Who does not...
Sooooo... It happened between Dec 16 and Dec 20. More than 3000 images were deleted from both the database and the disk. I do not know how to do this without knowing the admin password. So, it's either me (e.g. by installing a wrongly written plugin) or a hack.
All files and database entries are being restored from the backup at the moment.
It was a hack via a remote xmlhttp.php vulnerability. I'm not sure if this bug is fixed yet. At least 5000 files were removed.
I'm reporting the security vulnerability to MyBB admins and installing patches with some related security fixes.
BTW, the user from whose computer the site was "hacked" is well-known dan2010. I'm not saying that it was him directly, possibly it was a virus.
Latest update - it was a plugin that was uploading multiple files. Deleted for the time being ...
More than 10,000 images have been reuploaded. Please let me know if some links to the images are still broken.
I'm always asking myself for the motivation for such a "hack"...I mean, I know the theory how to do an sql injection and so on, but why on earth does someone hack a forum like this and simply deletes some pics? Really strange.
Good, you have a backup! 😊
Looks like you had some fun...
Good job finding it out, keeping you backups in good shape, restoring all the shizzle.
Thanks.
I think it was not a hack, but more a coincidence. The plugin may contain a bug but shouldn't the forum access control prevent deleting attachments uploaded by other users?
This is what I send to the MyBB developers:
I think this is what happened - the user was ripping the site with a software that supports javascript and "clicks" on all buttons in all possible combinations. We had this issue before when a user with admin rights was backing up all attachments uploaded to the production inventory database. And wget "clicked" on the "delete" button as well.
But in this case the user does not have elevated rights and that shouldn't have happened.
Yes, backup rules! 😁
BTW, about the amount of affected files. Every uploaded image "consists of" two files and one database record. Hence 10,000+ uploaded files (5,000 real images). Some attachments were removed by the users during all the years, so they are not in the database backup, but still in the attachment backup. The difference between two DB backups was more than 3,000 lines, what means the amount of the live files is between 3,000 and 5,000.
Just for the record, this is the current statistics:
No. Uploaded Attachments 12,880
Attachment Space Used 2.87 GB
Estimated Bandwidth Usage 634.63 GB
Average Attachment Size 233.35 KB