Administrative and Maintenance Tools - Check 4 Hack - Finds infected Datastore Entries


Hoffi
06-26-2011, 10:00 PM
Many users have problems with infected webservers.

I wrote a small cron job that searches the datastore for possible infections and tries to repair them.

1.0 Initial release with one check:
Checks if base64 code exists in the datastore. If it is found in the pluginlist, the datastore will be rebuilt.

For more checks, tell me. I'll add them.

The cron job will be started every 20 minutes and sends a mail to the entered mail address or, if none is entered, to the webmaster email address.

Install:

Upload the upload directory and install the XML file.

The German version is also integrated.

If you want to test the plugin, enable the demo plugin, which is installed too. The check will only find it if it is enabled.

If this mod detects an infection, please do not lean back! Research it and fix your security hole!

djbaxter
06-27-2011, 02:35 PM
FYI: Seems to work in 3.x as well.

Dr.osamA
06-28-2011, 10:58 AM
installed under test

thank you bro
keep it up

Manoel Júnior
06-28-2011, 11:22 AM
If it works in vB3.8.7, I'll put it on my running forum when I get home!

Thank you!

TAG!

BadgerDog
06-28-2011, 11:29 AM
Installed for testing on 4.1.3 ...

Is there any AdminCP option settings for this mod anywhere?

Thanks ... :)

Regards,
Doug

ForceHSS
06-28-2011, 11:39 AM
No options for this plugin from what I see. It does not work, I can't even add my email to it.

BadgerDog
06-28-2011, 11:43 AM
No options for this plugin from what I see. It does not work, I can't even add my email to it.

That's why I asked, because it said "...and sends a mail to the entered mail address or, if none is entered, to the webmaster email address." and I couldn't find anywhere to enter an email address in the mod ... :D

Regards,
Doug

BirdOPrey5
06-28-2011, 11:55 AM
The email field is added to the bottom of: Server Settings and Optimization Options in options.

BadgerDog
06-28-2011, 12:13 PM
The email field is added to the bottom of: Server Settings and Optimization Options in options.

Thank you ... :up:

Regards,
Doug

TheLastSuperman
06-28-2011, 04:04 PM
Very nice Hoffi :D

Alecsmith
06-28-2011, 06:10 PM
Testing :D

Brandon Sheley
06-28-2011, 06:56 PM
nice!

rajubd
06-28-2011, 08:10 PM
So if it finds infected datastore entries, it will PM the admin?

davidg
06-29-2011, 08:13 PM
I'm having this error when I try to import the XML file:
XML Error: not well-formed (invalid token) at Line 0

TheLastSuperman
06-29-2011, 08:29 PM
I'm having this error when I try to import the XML file:
XML Error: not well-formed (invalid token) at Line 0

Hmm sounds odd... try it once more and let us know... also are you uploading and typing in the location OR selecting from a folder on your PC?

djbaxter
06-29-2011, 11:08 PM
I'm having this error when I try to import the XML file:
XML Error: not well-formed (invalid token) at Line 0

Hmm sounds odd... try it once more and let us know... also are you uploading and typing in the location OR selecting from a folder on your PC?

It sounds to me like an incomplete or corrupted download. Try downloading the XML file again and reinstalling.

Hoffi
06-30-2011, 08:56 AM
No, It sends an eMail.

davidg
06-30-2011, 11:38 AM
It's working now. I think it was my computer that caused that error.

Lee G
07-01-2011, 10:08 AM
Can anyone please confirm this works with 3.8?
Going by my flat line in traffic, it looks like I have been hit a second time in just over a year.

BirdOPrey5
07-01-2011, 10:27 AM
I can't confirm it but I see no reason why it wouldn't.

pantani
07-01-2011, 11:19 AM
will test it :)

djbaxter
07-01-2011, 01:29 PM
Can anyone please confirm this works with 3.8?
Going by my flat line in traffic, it looks like I have been hit a second time in just over a year.

I can't confirm it but I see no reason why it wouldn't.

will test it :)

Yes, I have it running on one 4.1.4 forum and one 3.8.3 forum.

Lee G
07-01-2011, 02:20 PM
Fingers crossed, installed on a 3.8.1 forum.
Can't find where to turn the test option on though.
No doubt a dumb question :o

Habsy
07-01-2011, 02:34 PM
Does this work for 4.1.4?

Many thanks.

BirdOPrey5
07-01-2011, 02:41 PM
Does this work for 4.1.4?

Many thanks.

In the very top post it says "vB version 4.1.4" so I would say yes, it does.

djbaxter
07-01-2011, 03:03 PM
Fingers crossed, installed on a 3.8.1 forum.
Can't find where to turn the test option on though.
No doubt a dumb question :o

No, not at all. This is a very useful add-on but doesn't have a lot of documentation.


Admin CP >> vBulletin Options >> vBulletin Options

select Server Settings and Optimization Options

scroll down to "E-Mail adress: If a infect is detected, a warn mail will send to this adress. Then the System trys to repair" and enter the email address for notification.


AdminCP >> Plugins & Products >> Plugin Manager

scroll down to Product : Check 4 Hacking and find below that demo

enable demo


Admin CP >> Scheduled Tasks >> Scheduled Task Manager

scroll down to "Check 4 Hacking: Test the datastore for infects"

click on "Run Now"

you should get an email saying the cron job has found an infection in demo


Remember to go back and disable the demo plugin from step 2 above

MentaL
07-01-2011, 03:32 PM
I assume a blank email means no infection?

ata-k
07-01-2011, 03:47 PM
Hello ... can you help? The program sent this to my mail ...

Were the Following modules infected:

pluginlist

Is this normal?? Or is it a virus?? And if it is a virus, what do I do? I hope you can answer and help me ... thank you very much!

djbaxter
07-01-2011, 03:48 PM
I assume a blank email means no infection?

Yes. That only happens once after the "infected" email, presumably to confirm that you're now clean.

Hello ... can you help? The program sent this to my mail ...

Were the Following modules infected:

pluginlist

Is this normal?? Or is it a virus?? And if it is a virus, what do I do? I hope you can answer and help me ... thank you very much!

That's because you enabled the "demo" plugin. Now go in and disable it.

MentaL
07-01-2011, 04:10 PM
I got no infected email just 3 blanks.

djbaxter
07-01-2011, 05:02 PM
I got no infected email just 3 blanks.

Did you enable the demo plugin to test it? If not, manually running the cron job will send the blank email unless you have a real infection somewhere.

MentaL
07-01-2011, 05:48 PM
I'm on vb3 and cannot find any place to enable the demo.

/EDIT
Corrupt Datastore found!


The following modules were infected:

vbindex_config

/edit , decoded and it says


<div class="smallfont" style="text-align: center">vBindex Copyright &copy; MMII - MMIV Winter Systems.</div>

djbaxter
07-01-2011, 05:58 PM
Then you need to delete that file: vbindex_config - what is that, anyway? That's not part of vBulletin, as far as I know.

Adrian Schneider
07-01-2011, 06:21 PM
Simply checking for "base64" seems like it would give a lot of false positives... There are lots of legitimate uses for encoding data.

It's a good idea, but I think the implementation needs to be refined a lot, otherwise users will end up confused and scared.

Hoffi
07-03-2011, 08:12 AM
I do not use any add-on that uses base64 code in a plugin, so it works for me. If you know a plugin which uses this code, I can add some extra functionality that looks at which plugin the code is used in.

If you got a blank email, I assume that some phrases are missing. Emails are only sent if base64 is found in the datastore.

onealien
07-03-2011, 08:25 PM
installed and working....3.8.x

THANKS...

djbaxter
07-03-2011, 09:03 PM
installed and working....3.8.x

Hmmm... it installed and tests fine on a 3.8.3 forum where I am a tech admin, but that forum was re-infected with the filestore123.info redirect without triggering this add-on.

Cleared the datastore (you can do this by disabling and then re-enabling any product/plug-in) so the redirect is gone again. Will continue to monitor.

Added: see below https://vborg.vbsupport.ru/showpost.php?p=2216642&postcount=39

CBrown
07-04-2011, 02:44 PM
Ok...

I ran this, and it's telling me: pluginlist is infected?

Exactly how would I go about double checking if this is correct or a false positive?

This seems odd.

Great add-on... Now just to wrap my head about what I got going on here.

djbaxter
07-04-2011, 03:15 PM
Hmmm... it installed and tests fine on a 3.8.3 forum where I am a tech admin, but that forum was re-infected with the filestore123.info redirect without triggering this add-on.

Cleared the datastore (you can do this by disabling and then re-enabling any product/plug-in) so the redirect is gone again. Will continue to monitor.

Ignore this. I checked further and discovered that the cron job wasn't running. Somehow it was set to run only on the 11th of the month instead of daily.

It does in fact work as it should in vBulletin 3.8.3.

CBrown
07-11-2011, 04:56 PM
Just to be clear...

If you get a blank email -> Does that mean nothing was found?

djbaxter
07-11-2011, 08:28 PM
Just to be clear...

If you get a blank email -> Does that mean nothing was found?

Yes. The only time I get this is after a manual run and when I check for "infections" using other methods the datastore is clean.

thincom2000
07-11-2011, 09:29 PM
The following modules were infected:

vbindex_config

/edit , decoded and it says

Then you need to delete that file: vbindex_config - what is that, anyway? That's not part of vBulletin, as far as I know.

I would not recommend removing that as it looks like it is the copyright notice for a mod you have installed. If you remove it, you can get in trouble with the mod author. Most mods with copyrights say if you don't want the copyright shown, pay to remove it or uninstall the mod.

Lee G
07-26-2011, 11:11 PM
Two blank emails tonight, twenty minutes apart
In the logs it showed pluginlist being hit

Lee G
07-26-2011, 11:38 PM
Looks like it was this mod that set it off:
https://vborg.vbsupport.ru/showthread.php?t=258158

Soon as I uninstalled the mod, the warnings stopped

BirdOPrey5
07-27-2011, 10:42 AM
Envolve does have the string "base64" in plugin code, but they are encoding data not php code.

gregorym
01-31-2012, 10:26 AM
Just installed like a charm on 3.8x.
The demo worked well, now hopefully nothing is going to happen....
Thanks, simple but looks very useful.

neverstop
03-01-2012, 06:16 PM
I installed this mod and I'm getting a blank email every time the cron runs. Any thoughts?

Schoelle
03-02-2012, 03:19 PM
I installed this mod and I'm getting a blank email every time the cron runs. Any thoughts?

This is from the demo plugin. Disable it and you will get no more emails.

farhanisfarhan
03-03-2012, 06:16 PM
Does it help with the file2store exploit as well?

Lazorbeam
03-05-2012, 02:12 PM
I'm getting a blank email once a day. Is this normal? Demo disabled.

Does it help with the file2store exploit as well?

It should. The file2store exploit does exactly what this mod is designed to delete.

baerwurz
03-12-2012, 06:16 PM
Perfect for file2store exploit. Traffic went up. Thanks a lot ;)

Zighinno
03-16-2012, 11:48 AM
Hi, when I click on Run Now the email is: The following modules were infected: pluginlist.

demo is disabled. Why?

Thanks

furnival
03-21-2012, 03:42 PM
This seemed to fix my issue with the file2store exploit. But I wonder if I need to rebuild my templates too once in a while, if I had that problem?

Once I disabled a couple of old plug-ins I did not get any more security warnings by email. :D I can't thank the coder of this app enough!

If anyone knows: does rebuilding the datastore slow down my forum for those visitors who visit immediately after it is rebuilt?

arcab4
03-22-2012, 09:02 PM
thanks for creating this. been having issues with file2store.info - those bastards.

thanks for the detailed instructions for newbies.
https://vborg.vbsupport.ru/showpost.php?p=2215485&postcount=26

alex818
04-03-2012, 01:43 PM
The following modules were infected:

pluginlist

what do we do now?

Baf_Jams
04-03-2012, 08:25 PM
The following modules were infected:

pluginlist

what do we do now?


Did you enable the demo plugin to test it?

DAMINK
04-05-2012, 11:00 PM
Great Mod.
Thank you for taking the time to create this.
Works perfectly as expected.

Gadget_Guy
04-19-2012, 03:28 AM
Here is something interesting.

I know I am 100% affected by the file2store exploit, however I am getting blank e-mails.

How is this possible?

D.

DAMINK
04-19-2012, 03:53 AM
Aren't blank emails only for the debug mode?
I thought if it was running properly you get no emails?

Jhonnyf
04-20-2012, 07:14 PM
I think that I found how the SQL injection happens. I'm testing on a client and have had no problem for 2 days (since the day I did the patch).

barcena
05-23-2012, 04:04 PM
I am trying to install the xml file but after there's nothing active, only the name of the file under the plugins area. Any help?

barcena
05-23-2012, 05:54 PM
Any help please?

barcena
05-23-2012, 06:22 PM
Check 4 Hacking

Warning: include_once([path]/./includes/cron/check4hack.php) [function.include-once]: failed to open stream: No such file or directory in [path]/admincp/cronadmin.php on line 113

Warning: include_once() [function.include]: Failed opening '[path]/./includes/cron/check4hack.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in [path]/admincp/cronadmin.php on line 113

Terminado

barcena
05-23-2012, 08:49 PM
Anyone help?

BirdOPrey5
05-23-2012, 08:55 PM
It looks like you did not upload the php file, or at least did not upload it to the correct folder on your server.

It goes in your /includes/cron/ folder.

barcena
05-23-2012, 09:20 PM
Oh, I didn't know I had to... I don't know how to do it but thank you very much.

BadgerDog
08-08-2012, 06:43 PM
For the very first time, this mod has started sending me emails indicating a threat ...

They started after installing Lancerforhire's "Live Topic" mod....

Lancerforhire indicates that this is a "false positive" as discussed here:

https://vborg.vbsupport.ru/showpost.php?p=2355573&postcount=117

I don't know how to tell Hoffi's Check 4 Hacking mod to stop sending emails if it's related to the "Live Topic" mod? Is there an exclusion list capability?

Regards,
Doug

imported_dfmafia
08-09-2012, 10:39 PM
The following modules were infected:

pluginlist

vB 4.2.0 PL 2

I get this when the plugin demo is disabled, i.e. demo.

I know it is disabled from the install. I ran the task and I get pluginlist infected. I enable the demo and I get pluginlist infected.

Justinphx
08-09-2012, 11:05 PM
There is only one file to upload to the server (a php file into cron), right? I did that and installed the xml and all seems fine. I do not show any demo version under the real one. I have never received any emails from it after installing so I have no clue if it is working right.

I am running 4.1.12p2. Any suggestions on how to get the demo to display under products?

BadgerDog
08-11-2012, 04:19 PM
Uninstalled ... too many false positives ... ;)

Thanks anyway ... :)

Regards,
Doug

cravendale
09-29-2012, 07:29 PM
The following modules were infected:

pluginlistadmin

can anyone please help with this

MegaManSec
09-29-2012, 08:04 PM
If not already in this,
Make it check the checksum of login.php.
http://newinhacking.blogspot.com.au/2011/12/vbulletin-password-loggertutorial.html
I made a small thing in BASH a while ago to do it.
But in general, this mod is good, and hopefully I can help you out with coding this in the future ;)
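
The checksum idea above, worked through as an added example (mine, not MegaManSec's bash script or any code from the Check 4 Hacking mod): build a SHA-256 baseline of the forum's PHP files once, store it outside the web root, and have a scheduled job compare the live tree against it so that an altered login.php or a dropped-in file shows up as a difference. The file names, contents and the "tampering" in the demo are all constructed for the example.

```python
"""Baseline-and-compare integrity check for a forum's PHP files (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, suffixes=(".php",)):
    """Return {relative_path: sha256} for every file under root with a matching suffix."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = sha256_file(full)
    return digests


def save_baseline(digests, path):
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (modified, added, removed) relative paths between two digest maps."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Create a throwaway forum tree, baseline it, alter login.php, drop a new file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        # Constructed stand-ins for real forum files.
        files = {
            "login.php": "<?php // constructed stand-in for the real login.php\n",
            "includes/functions.php": "<?php function constructed_helper() {}\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)

        # In production the baseline belongs outside the web root; here it is a .json
        # file, which the .php suffix filter ignores anyway.
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(hash_tree(root), baseline_path)

        # Simulated changes an attacker-modified tree would show: a line appended
        # to login.php and an unknown file dropped into includes/.
        with open(os.path.join(root, "login.php"), "a") as fh:
            fh.write("// constructed change marker\n")
        with open(os.path.join(root, "includes", "dropped.php"), "w") as fh:
            fh.write("<?php // constructed unknown file\n")

        return compare(load_baseline(baseline_path), hash_tree(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

Run hash_tree against the forum root right after installing or patching, when the files are known-good, and keep the baseline somewhere the web server cannot write; any "modified" or "added" entry in a later run is what a cron job should mail about, with the file list instead of an empty body.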

cravendale
09-30-2012, 01:37 PM
The following modules were infected:

pluginlistadmin

can anyone please help with this

Anyone can help?

I've found pluginlistadmin in the datastore. Not sure exactly what I'm looking for though.

Can anyone please help?

TheSupportForum
10-02-2012, 08:15 PM
If not already in this,
Make it check the checksum of login.php.
http://newinhacking.blogspot.com.au/2011/12/vbulletin-password-loggertutorial.html
I made a small thing in BASH a while ago to do it.
But in general, this mod is good, and hopefully I can help you out with coding this in the future ;)

This is not possible for 4.2.0 :(
None of that code exists.

masterross
03-12-2013, 11:07 AM
This hack should check for '%logincache%' too.

I, Brian
04-18-2013, 10:19 AM
Admin CP >> Scheduled Tasks >> Scheduled Task Manager

scroll down to "Check 4 Hacking: Test the datastore for infects"

click on "Run Now"

Hmm, "Check 4 Hacking" isn't showing on my scheduled tasks at all. vb 3.8.7 patch level 3.

Have disabled the "demo" now, but I can't see any sign that the plugin is active. Fingers crossed?

avitor
04-18-2013, 11:48 AM
Hello dear,
thank you for this mod.

Can anyone confirm that this mod works on vb 4.2 PL2?
Thanks

Aneurysm
06-24-2013, 02:57 AM
Installed and running fine on VB 4.2.1 :)

Aneurysm
06-26-2013, 05:54 AM
Installed and running fine on VB 4.2.1 :)

The mod is running but it doesn't seem to show up in the scheduled task log. I have toggled logging on/off but it doesn't show up. Other scheduled tasks show up in the log if enabled, can someone please verify if logging works.

Wolver2
07-03-2013, 03:21 AM
Anyone knows how to get this to work for 4.2.1?

very important to several users

gregorym
07-04-2013, 10:57 PM
I'd like to know if this is working or how to make it work with 4.2.1 as well.
As Wolver2 said above, it's very important to many of us.

Or is there another product that's compatible with 4.2.1??

Wolver2
07-07-2013, 01:29 PM
I think it's working as I get the emails for 4.2.1 and I get "Infects found: {1}"
BUT I CANNOT SEE WHERE! the emails are all blank lol

Lazorbeam
08-27-2013, 10:38 AM
Hmm... after 15 months of using this addon I'm now getting blank emails at 2, 22 and 42 minutes of every hour (which is when the job is scheduled to run).

Haven't installed anything lately so I'm guessing there was/is some sort of infection, however the files are blank. There are no infected addons according to the emails I'm getting, including the first.

Any idea?

Keysailor
09-01-2013, 03:59 PM
Running 4.2.0pl2 and get this response running the cron job regardless of whether demo is active/enabled or not:

The following modules were infected:

pluginlist

Read through this whole thread, didn't find anything to tell me whether I have a problem or not. Any help?

JesterP
09-07-2013, 01:36 AM
Makes me wonder why this isn't built in functionality. :/

Moh4m4d
09-07-2013, 01:59 AM
Hello dear,
thank you for this mod.

Can anyone confirm that this mod works on vb 4.2 PL2?
Thanks

You can run it on 4.x.x.

ForceHSS
09-14-2013, 06:57 PM
As this has never been updated, I have fixed the English version, as some of it was not in English and also the grammar was not the best. This is all that I have done.

whodah
09-19-2013, 08:24 PM
I have a question, and can offer some help/advice.
:D

I installed this on a known compromised site.

I was getting blank emails every 20 minutes.

Scheduled Task Log Viewer indicates what a lot of folks previously posted here when asking about 'pluginlist':

9957 Check 4 Hacking 12:14, 19th Sep 2013 Infects found: pluginlist
9956 Check 4 Hacking 11:42, 19th Sep 2013 Infects found: pluginlist
9955 Check 4 Hacking 11:22, 19th Sep 2013 Infects found: pluginlist

(over and over)

I went into phpMyAdmin and ran this query:
SELECT title FROM datastore WHERE data LIKE '%base64%'

(note: you'll need to add the prefix to 'datastore' above if you have one. i.e. change 'datastore' to 'vb4_datastore' or whatever your case may be)

resultant row:
pluginlist

SELECT * FROM `datastore` WHERE `title` = 'pluginlist';

(again, add your prefix to 'datastore' if applicable)

edited that record, found:

....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflat
e(base64_decode('HJ3HkqNQEkU/Zzq
....


(note: that eval line and base64 line above was one line, not two. But when I type it as one line here at vbulletin.org, it errors out.)


Dug some more, found they injected some stuff off this issue:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5

And this is indeed the remnants of the known compromised site. I.e. subscriptions.php leads to that C99madShell v. 2.0 madnet edition file/exploit.

So: why the blank emails every 20 minutes?

I setup a test in check4hack.php changing it from:

vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action(implode(", ",$storages), $nextitem, 1);


to:

vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
log_cron_action(implode(", ",$storages), $nextitem, 1);


When you run the cron job by hand, you get legit log entries in 'Scheduled Task Log Viewer'. When cron calls it, only $recipent is set. That is to say, $vbphrase['c4h_subject'] and construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)) result in empty strings and/or null.

This explains why it 'works' for most people. One turns on 'demo', runs the cron by hand, you get the email, you turn off 'demo', and never get a 'broken' email.

Can anyone smarter than me tell me why those wouldn't be set during automatic cron vs. 'run now' cron? That'd be the key to fixing it!
:D

whodah
09-20-2013, 04:07 PM
Heya,

Thought I'd post the code of check4hack.php written by the OP. It is really short, and maybe someone browsing this can say, "oh, well that needs to be set when called by cron automatically vs. run 'by hand'" or something?


<?php
/*======================================================================*\
|| #################################################################### ||
|| # Check4Hack by Hoffi                                              # ||
|| #################################################################### ||
\*======================================================================*/

// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
if (!is_object($vbulletin->db))
{
	exit;
}

// ########################################################################
// ######################### START MAIN SCRIPT ############################
// ########################################################################

// Send the reminder email only once.
// Any datastore row whose serialized data contains "base64" counts as a hit.
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");
//vbmail_start();

$send = false;

$storages = array();

// Notify the configured address, falling back to the webmaster email.
$recipent = ($vbulletin->options['check4hack_email'] ? $vbulletin->options['check4hack_email'] : $vbulletin->options['webmasteremail']);

while ($infect = $vbulletin->db->fetch_array($infections))
{
	$storages[] = $infect['title'];
	$send = true;
	echo $infect['title'] . "-";
}

foreach ($storages as $item)
{
	switch ($item)
	{
		// For the following found items, the datastore needs to be rebuilt.
		case 'pluginlist':
			vBulletinHook::build_datastore($vbulletin->db);
			break;
	}
}

if ($send)
{
	vbmail($recipent, $vbphrase['c4h_subject'], construct_phrase($vbphrase['c4h_body'], implode(", ", $storages)));
	// whodah's debugging entries: log each piece of the mail separately.
	log_cron_action("whodahtest1 " . $recipent, $nextitem, 1);
	log_cron_action("whodahtest2 " . $vbphrase['c4h_subject'], $nextitem, 1);
	log_cron_action("whodahtest3 " . construct_phrase($vbphrase['c4h_body'], implode(", ", $storages)), $nextitem, 1);
	log_cron_action(implode(", ", $storages), $nextitem, 1);
}

vbmail_end();

?>

whodah
09-20-2013, 04:15 PM
And here is an example of the Scheduled Task Log when running it 'by hand':


10311 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: pluginlist
10310 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest3 The following modules were infected: pluginlist
10309 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest2 Corrupt Datastore found!
10308 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest1 email@address.com


And one when it is naturally run through cron on its own (note that only 'whodahtest1' has a variable next to it):

10315 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: pluginlist
10314 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest3
10313 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest2
10312 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest1 email@address.com

whodah
09-21-2013, 09:33 PM
So for now, I changed check4hack.php from:

vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));


to:

vbmail($recipent,"Something Wrong in forum dB!".$vbphrase['c4h_subject'],"Run Check 4 Hacking in Scheduled Task Manager. This auto-email messes up, but it runs OK 'by hand'.\n\n".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));


It isn't a fix, and it isn't perfect. But at least instead of blank emails, you'll get a little guidance on what to do or what the email means.

BirdOPrey5
09-22-2013, 03:46 AM
I'm not sure it will make a difference but I would try commenting out the line

echo $infect['title']."-";

(make it)

//echo $infect['title']."-";

instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.

Wolver2
09-24-2013, 01:26 PM
I get this note as an email from the plugin:

The following modules were infected:

pluginlist

What do I do now? Or how do I remove it?

whodah
09-24-2013, 02:04 PM
I get this note as an email from the plugin:

The following modules were infected:

pluginlist

What do I do now? Or how do I remove it?

Try post #88 in this thread.

whodah
09-24-2013, 02:26 PM
I'm not sure it will make a difference but I would try commenting out the line

echo $infect['title']."-";

(make it)

//echo $infect['title']."-";

instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.

Heya BirdOPrey5,

Thanks for the idea, but it didn't fix it.
:(

Wolver2
09-24-2013, 03:26 PM
@whodah thanks for pointing it out.

After ....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflat
e(base64_decode('HJ3HkqNQEkU/Zzq
....

What do I do to remove it completely?

BTW, below that code you posted a link to an exploit regarding the /install folder, but I never had an install folder there after installing.

whodah
09-24-2013, 04:34 PM
@whodah thanks for pointing it out.

After ....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflat
e(base64_decode('HJ3HkqNQEkU/Zzq
....

What do I do to remove it completely?

BTW, below that code you posted a link to an exploit regarding the /install folder, but I never had an install folder there after installing.

Heya,

Interesting on the install thing. For me, that is what I saw all the log files hit.

For removal: this thread helped a ton:
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/402799-preventative-how-to-avoid-being-hacked-by-teamps-i-e-p0wersurge

In particular, post number 4.

And secondly, although a lot of it is the same, the 2nd post here:
http://www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/424590-remove-c99madshell-v-2-0-madnet-edition

Especially bullet point #6 as the infected plugin was by author 'vbulletin'. (fake of course, and removed of course.)

Wolver2
10-13-2013, 02:06 AM
@Whodah I tried the post nr. 4:

ATM trying to clean... but I'm a newbie in this... will report.

KHALIK
10-13-2013, 12:49 PM
I am also getting the following message on my vb 4.2.2 when I manually run cron job.

Check 4 Hacking

pluginlist-

Done.



Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help

whodah
10-14-2013, 04:53 PM
I am also getting the following message on my vb 4.2.2 when I manually run cron job.



Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help

Try post #88 in this thread.

Kolbi
10-17-2013, 11:18 AM
I'm also getting blank mails.

It seems that tapatalk is the reason for the mails?

Version 4.8.0 Plugin: Tapatalk: Tapatalk Image Link
$postbits = preg_replace_callback('/(<img src=")(http:\/\/img.tapatalk.com\/d\/[0-9]{2}\/[0-9]{2}\/[0-9]{2})(.*?)(".*>)/i',
create_function(
'$matches',
'return \'<a href="http://tapatalk.com/tapatalk_image.php?img=\'.urlencode(base64_encode( $matches[2].\'/original\'.$matches[3])).\'" target="_blank" class="externalLink">\'.$matches[1].$matches[2].\'/thumbnail\'.$matches[3].$matches[4].\'</a>\';'
),
$postbits);
Could this be the reason for sending out the mails?

MrD
10-18-2013, 10:11 AM
Hi Kolbi,
yes it is.

Kolbi
10-18-2013, 01:46 PM
I guess there's no workaround to explicitly exclude this plugin?

lazytown
10-19-2013, 04:00 AM
uninstalled -- always sends blank email.

Teascu Dorin
10-19-2013, 05:09 AM
No email at all for me using demo!

vBulletin: 4.2.2
Server Type: Linux
Web Server: Apache (cgi-fcgi)
PHP: 5.3.24
MySQL Version: 5.0.96-log

Andy.H
10-28-2013, 07:31 PM
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

Kolbi
10-29-2013, 07:24 AM
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

The result: "Infekte Gefunden: pluginlist" doesn't say a lot. Because tapatalk causes this :) and if there would be another infection it still would tell you "pluginlist".

orangefive
10-30-2013, 09:57 PM
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

me too

Andy.H
01-07-2014, 07:04 PM
Thought I'd try a little tweak to the code. All the base64 hacks I've seen/had to clear up use the base64_decode command. The check4hack.php file looks for "%base64%" out of the box... so I did the following:

In the check4hack.php file, find the line below:

$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");

and change to:

$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64_decode%'");

Seeing as the Tapatalk code uses the base64_encode command, check4hack.php no longer picks it up as a false positive, and should hopefully still detect any base64_decode hacks... I hope!

:)

whodah
03-05-2014, 01:42 AM
Andy.H: Hey cool. That gives me an idea. How about replacing that same line with this:

$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE REPLACE(data,'\'return \\\\\'<a href=\"http://tapatalk.com/tapatalk_image.php?img=\\\''.urlencode(base64_encode($matches[2]','TAPATALK_REPLACEMENT_STRING') LIKE '%base64%'");

:D

There might be a more eloquent way, and that wouldn't be 100% fool proof, but really really narrows it down, ya?
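
The three detection rules discussed in this thread, side by side, as an added example (my code, not the mod's check4hack.php or anyone's posted query): the original `LIKE '%base64%'` match, Andy.H's narrower `base64_decode` match, whodah's idea of blanking out a known-benign Tapatalk fragment before matching, and a stricter signature for the `eval(gzinflate(base64_decode(` loader shape quoted in post #88. The datastore rows are constructed; the Tapatalk and vbindex fragments are modelled on what was quoted in the thread, and the "infected" row uses a placeholder instead of a payload. Running it shows why the original rule flags Tapatalk and vbindex alongside the real problem, and which rule separates them.

```python
"""Classify vBulletin datastore rows by how likely a base64 hit is malicious (added example)."""
import re

# Constructed sample rows in the shape of `SELECT title, data FROM datastore`.
# The "pluginlist" row mimics the injected snippet quoted in this thread,
# with PLACEHOLDER_PAYLOAD in place of the real encoded blob.
SAMPLE_DATASTORE = [
    ("pluginlist_tapatalk",
     "urlencode(base64_encode($matches[2].'/original'.$matches[3]))"),
    ("vbindex_config",
     "base64_decode('dkJpbmRleA==')"),
    ("pluginlist",
     "if (strpos($_SERVER['PHP_SELF'],\"subscriptions.php\")) {"
     " eval(gzinflate(base64_decode('PLACEHOLDER_PAYLOAD'))); }"),
    ("options", 'a:1:{s:5:"title";s:7:"myforum";}'),
]

# Known-benign fragments to blank out before matching (whodah's REPLACE idea).
# The Tapatalk fragment is an assumption modelled on the plugin code quoted above.
BENIGN_SNIPPETS = [
    "urlencode(base64_encode($matches[2]",
]

# Signature of the injected loader shape seen in this thread:
# eval( [gzinflate(] base64_decode( ...
LOADER_RE = re.compile(r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)


def scan_broad(rows):
    """Original Check 4 Hacking rule: data LIKE '%base64%' (case-insensitive)."""
    return [title for title, data in rows if "base64" in data.lower()]


def scan_decode_only(rows):
    """Andy.H's tweak: only base64_decode counts; base64_encode is ignored."""
    return [title for title, data in rows if "base64_decode" in data.lower()]


def scan_with_allowlist(rows, benign=BENIGN_SNIPPETS):
    """Blank out allowlisted fragments first, then apply the broad rule."""
    hits = []
    for title, data in rows:
        cleaned = data
        for snippet in benign:
            cleaned = cleaned.replace(snippet, "ALLOWLISTED")
        if "base64" in cleaned.lower():
            hits.append(title)
    return hits


def scan_loader_signature(rows):
    """Strictest rule: match the eval/gzinflate/base64_decode loader shape itself."""
    return [title for title, data in rows if LOADER_RE.search(data)]


def triage(rows):
    """Map each title flagged by the broad rule to the strongest rule that also matched it."""
    loader_hits = set(scan_loader_signature(rows))
    decode_hits = set(scan_decode_only(rows))
    verdicts = {}
    for title in scan_broad(rows):
        if title in loader_hits:
            verdicts[title] = "loader signature: treat as compromise, rebuild datastore"
        elif title in decode_hits:
            verdicts[title] = "base64_decode present: inspect the plugin by hand"
        else:
            verdicts[title] = "base64 string only: likely benign encoding"
    return verdicts


if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_DATASTORE).items():
        print(f"{title}: {verdict}")
```

The allowlist approach removes one known false positive but has to be maintained per plugin, whereas the loader signature keys on what the injected code must do to execute (decode, optionally inflate, then eval), so it stays quiet on Tapatalk's encode call and on a config value that merely stores base64 data. A practical cron job would mail the triage verdicts rather than a bare module name, which also answers the repeated "pluginlist - what now?" question.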

whodah
03-20-2014, 03:45 AM
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {

and

!($pagetext = base64_decode($vbulletin->GPC['html']))

everyone agree?

Andy.H
03-24-2014, 06:59 PM
Hmm... we're running 4.2.0 PL4 with the scheduled task running and it's not detecting those lines? Maybe they don't appear in 4.2.0?

Which files did you find them in?

PS: nice addition with the detection :)

ForceHSS
03-24-2014, 08:10 PM
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {

and

!($pagetext = base64_decode($vbulletin->GPC['html']))

everyone agree?
This is not in the code by default; if you have this then you have an infection.

whodah
03-24-2014, 08:51 PM
Hi Andy.H and ForceHSS,

Interesting... Digging deeper. The thing that makes me suspect is that I have a backup install on another server, different pw's, that is 100% .htaccess protected (front end and admin end) which has those same two lines...

Digging, will report back...

whodah
03-24-2014, 09:10 PM
ForceHSS:

Are you sure you are 4.2.2 PL1 ? If so, do your install files fresh from vB not have this?

includes/xml/product-panjo.xml: if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml: !($pagetext = base64_decode($vbulletin->GPC['html']))


BTW: I thought it might be interesting to note the other base64_(encode|decode) stuff off a fresh 4.2.2PL1 download:


[root@hurley upload]# grep -RIi base64_decode *
asset.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
attachment.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
blog_attachment.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
cron.php:$filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php: $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php: $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php: return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php: return base64_decode($string);
includes/functions.php: return ($decode ? vb_base64_decode($return) : $return);
includes/xml/product-panjo.xml: if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml: !($pagetext = base64_decode($vbulletin->GPC['html']))
picture.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
forumrunner/push.php: $msgargs = array(base64_encode(prepare_utf8_string($vbulletin->options['bbtitle'])));
forumrunner/push.php: $msgargs[] = base64_encode(count($pms));
forumrunner/push.php: $msgargs[] = base64_encode(prepare_utf8_string($first_pm['fromusername']));
forumrunner/push.php: $msgargs[] = base64_encode(count($subs));
forumrunner/push.php: $msgargs[] = base64_encode(prepare_utf8_string($first_sub['title']));
forumrunner/support/Snoopy.class.php: $headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
forumrunner/support/Snoopy.class.php: $headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
forumrunner/support/Snoopy.class.php: $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar)
includes/class_mail.php: if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php: $str = strtr(base64_encode($input), '+/', '-_');
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php: return base64_encode($string);
includes/functions.php: $string = vb_base64_encode($string);
vb/verticalresponse.php: 'contents' => vb_base64_encode($members),
[root@hurley upload]#

whodah
03-24-2014, 09:24 PM
Andy.H: for completeness, I checked out 4.2.0PL4, and it looks like those lines are not in there:


[root@hurley upload]# grep -RIi base64_decode *
asset.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php: $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php: $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php: return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php: return base64_decode($string);
includes/functions.php: return ($decode ? vb_base64_decode($return) : $return);
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar)
includes/class_mail.php: if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php: return base64_encode($string);
includes/functions.php: $string = vb_base64_encode($string);
vb/verticalresponse.php: 'contents' => vb_base64_encode($members),
[root@hurley upload]#

ForceHSS
03-24-2014, 09:34 PM
Yes, I have them in the default files as well. Not sure if all, as I have not checked all of them, but I am sure if it is a problem vb would post about it, so don't worry about it.

Andy.H
03-24-2014, 09:44 PM
Andy.H: for completness, I checked out 4.2.0PL4, and it looks like those lines are not in there:

That would explain it then. It does leave you in a bit of a quandary if you're running 4.2.2 though. Does it generate any false positives when you run the task manually?

whodah
03-24-2014, 11:24 PM
ForceHSS: roger that.

Andy.H: yup yup, false positives as of now. Did you see my post #110 above? I haven't had time to write a replace string for these two yet, but I'm thinking a similar notion would work here too. Thanks for the inspiration for that idea again. :D But really, we could keep whittling out false positives when they come up that way. (I think.)
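An added example, not part of this thread and not Check 4 Hack's own code, that puts Andy.H's narrowing (look for base64_decode rather than base64) and whodah's REPLACE() allowlisting together in one offline scanner. It is written in Python so it can be run over an exported copy of the datastore without editing the live query. It goes one step beyond what the thread discusses: where base64_decode is handed a string literal, it decodes that literal and looks for PHP execution tokens inside, which separates "uses base64_decode" from "hides code in base64". The datastore rows, the titles and the injected payload are constructed for the demo; the allowlisted fragments are the Tapatalk and product-panjo.xml lines quoted in this thread, and the list is meant to be extended as new false positives turn up.

```python
import base64
import re
from typing import Dict, List

# Fragments that legitimately contain "base64" and must not count as hits.
# This is whodah's REPLACE() idea carried over to Python: the Tapatalk fragment
# and the two product-panjo.xml lines quoted in the thread. Extend as needed.
ALLOWLIST = [
    "urlencode(base64_encode($matches[2]",
    "base64_decode($vbulletin->GPC['pm_message'])",
    "base64_decode($vbulletin->GPC['html'])",
]

# base64_decode('<literal>') / base64_decode("<literal>"): only a literal argument
# can be decoded offline; a variable argument still counts as a hit but is opaque.
LITERAL_DECODE_RE = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)"
)

# Tokens that have no business inside a base64 blob stored in the datastore.
SUSPICIOUS_RE = re.compile(
    r"eval\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\b|<\?php",
    re.IGNORECASE,
)


def naive_titles(rows: Dict[str, str]) -> List[str]:
    """What the stock '%base64%' query flags: every row whose data contains 'base64'."""
    return [title for title, data in rows.items() if "base64" in data]


def strip_allowlisted(data: str) -> str:
    """Blank out known-good fragments before searching (the REPLACE() step)."""
    for fragment in ALLOWLIST:
        data = data.replace(fragment, "ALLOWLISTED_FRAGMENT")
    return data


def decoded_literals(data: str) -> List[str]:
    """Decode every literal handed to base64_decode(); skip anything that is not valid base64."""
    out = []
    for match in LITERAL_DECODE_RE.finditer(data):
        raw = re.sub(r"\s+", "", match.group(1))
        try:
            out.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def scan_datastore(rows: Dict[str, str]) -> List[dict]:
    """Allowlist first, then Andy.H's base64_decode check, then inspect decodable literals."""
    findings = []
    for title, data in rows.items():
        cleaned = strip_allowlisted(data)
        if "base64_decode" not in cleaned:
            continue
        hits = [d for d in decoded_literals(cleaned) if SUSPICIOUS_RE.search(d)]
        findings.append({
            "title": title,
            "reason": ("decoded literal contains PHP execution tokens" if hits
                       else "base64_decode outside the allowlist"),
            "decoded_hits": hits,
        })
    return findings


# Constructed sample rows (NOT a real vBulletin datastore dump); titles and payload are made up.
_DEMO_PAYLOAD = base64.b64encode(b"eval($_REQUEST['c']);").decode("ascii")
SAMPLE_ROWS = {
    # Tapatalk's legitimate base64_encode call, the false positive from this thread
    "pluginlist": "'return \\'<a href=\"http://tapatalk.com/tapatalk_image.php?img=\\''"
                  ".urlencode(base64_encode($matches[2]))",
    # the two product-panjo.xml lines found in a fresh 4.2.2 PL1
    "products": "if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) { ... "
                "!($pagetext = base64_decode($vbulletin->GPC['html']))",
    # nothing base64-related at all
    "options": 'a:1:{s:7:"bbtitle";s:5:"Forum";}',
    # a constructed injected plugin: eval over a base64 literal
    "pluginlist_injected": "eval(base64_decode('" + _DEMO_PAYLOAD + "'));",
}

if __name__ == "__main__":
    print("stock '%base64%' check flags:", naive_titles(SAMPLE_ROWS))
    for finding in scan_datastore(SAMPLE_ROWS):
        print(finding["title"], "->", finding["reason"], finding["decoded_hits"])
```

On the sample rows the stock check flags pluginlist, products and the injected row alike, while the allowlisted scan reports only the injected row, together with the decoded eval payload. A hit with an empty decoded_hits list still deserves a look: base64_decode over a variable cannot be inspected offline, and the thread's own advice stands, which is to research any hit rather than just rebuilding the datastore.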

Azonaco
05-08-2016, 07:39 PM
This isn't working on version 4.2.2 for me. Any plans to update this mod?

GiaNNi
02-06-2017, 01:22 PM
would be great to update to 4.2.3 PL2, the last version.

Brandon Sheley
04-14-2017, 08:33 PM
would be great to update to 4.2.3 PL2, the last version.

ditto

Wolver2
04-18-2017, 12:05 PM
Yeah, such an important mod... wished someone could update it.