Solving filestore72 hack. How to clear the database table?
Macsee
09-13-2013, 06:06 PM
I'm sorting out a filestore72 attack on my site. I'm upgrading vB to the latest version, changing passwords, deleting suspicious files, removing plugins etc.
My question is this:
There is some malicious code inserted in the datastore table of the database. It's in various places in that table and is encrypted.
How can I clear that? Can I simply delete that table and have vB recreate it somehow? Or is there another way of dealing with this?
smirkley
09-13-2013, 06:10 PM
Would something like this help?
https://vborg.vbsupport.ru/showthread.php?t=265866
Macsee
09-14-2013, 04:21 PM
Thanks, smirkley. I had found that the other day and initially got excited, but it doesn't appear to do much except send you an email to tell you that the database is infected. I already know that the database is infected and which table the infection is in. I also know which text it is in the table that shouldn't be there.
What I'm hoping to get is advice on how I can delete that infection in the datastore table (not the datastore file which is something else and which, apparently, can be recreated by turning off all the plugins and then turning them back on again).
ozzy47
09-14-2013, 04:32 PM
Try editing any plugin, don't change anything, then hit Save, that may remove it.
DF031
09-15-2013, 06:10 AM
What is this filestore72 hack ? And how do I protect the forum ?
ozzy47
09-15-2013, 08:38 AM
Remove your install directory. It is a redirect to that site.
Macsee
09-16-2013, 07:53 PM
Thanks ozzy, that didn't work. I still have the several blank lines which seem to have been inserted deliberately, followed by some encrypted text:
"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~M~?t7{P+G^5+c;1]><@~a+1~ata$,..."
I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.
TheLastSuperman
09-16-2013, 08:01 PM
Were you at any point in time, or currently, running vBSEO? If so, see here - http://www.vbseo.com/f255/vbseo-datastore-monitoring-plug-55377/ and if not, then go into the database and rip it out :p (Disclaimer: make a backup if you're not used to editing a database in phpMyAdmin).
Macsee
09-16-2013, 08:39 PM
As I've said in the other thread, I've never used vBSEO. Ever. Never even considered using it. So let's stop blaming vBSEO ;)
if not then go into the database and rip it out :p
Which is exactly what I asked for help on - ripping the base64 stuff out of the db. How do I do this?
ozzy47
09-16-2013, 09:56 PM
Run the following queries in phpMyAdmin:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';
http://www.vbulletin.com/attachment.php?attachmentid=61831&stc=1
If the above queries produce results, you need to review them carefully; if they are in fact malicious, delete them from the Plugin Manager in the AdminCP or, in a worst-case scenario, using phpMyAdmin.
If you feel the issue is within your templates themselves, you can rebuild your styles; the easiest way to do this is to re-run the upgrade script, example URL: yoursiteurl.com/install/upgrade.php
Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > click "Save Active Status". Even though you did not change the order, saving has now rebuilt the plugin datastore.
Check all software installed on your server; the hacker could have gained entry via other software. If there are updates available, please update all software accordingly.
Macsee
09-17-2013, 09:59 AM
Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.
I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name, but that didn't work either. I got the same problem with the second command, i.e. an error message saying that the table template doesn't exist:
Table 'databasename.template' doesn't exist
I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?
--------------- Added 1379422949 at 1379422949 ---------------
Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it, and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.
TheLastSuperman
09-17-2013, 01:22 PM
You're running these queries from within phpMyAdmin, correct? "plugin" is the table name, don't change that ;) And do your tables use a prefix? If so, add the prefix and then run, for example:
SELECT title, phpcode, hookname, product FROM TABLEPREFIXHERE_plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
prefix_tablename
Also, don't edit via Notepad++ when you can edit via phpMyAdmin; not all data is meant to be, or can be, edited that way.
Macsee
09-17-2013, 01:25 PM
Update: AdminCP > Maintenance > Repair Tables seems to have done it! :)
The table is now clean! :)
But, of course, the infection may exist in other tables so I would still be keen in running a search through the whole database for any malicious code.
To answer your question, yes, it's in phpmyadmin.
TheLastSuperman
09-17-2013, 01:31 PM
Ok, then run the two queries in ozzy's post above to check. That's what those do: they "select" results from the tables in question if any of the strings are present within them, such as %base64% (see how between the percent signs it has base64, which is what you're specifically looking for). They don't delete anything; you must do that manually. Be forewarned, though: in rare cases some valid mods use base64 code, so don't just go blindly deleting everything that comes up in the results.
Also, are you 100% sure that your files are clean? Make sure you download the same version of vBulletin from the members area and overwrite all vBulletin files, AND while you are in there check the timestamps on the files: any new files? Any recently modified files? If so, overwrite those with clean files and/or delete them.
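An added example for readers of this thread, written by the editor and not posted by ozzy47, TheLastSuperman or Macsee: the queries above only look in the plugin and template tables, while Macsee's injected text was in datastore and he asked for a way to search the whole database. The two MySQL statements below do that from phpMyAdmin. The first inspects the datastore table directly and sorts its rows by size, because an obfuscated payload like the one quoted earlier in the thread may contain none of the usual keywords but still makes a row unusually large. The second reads information_schema and generates one COUNT query per text column in the currently selected database, so it works whatever table prefix is in use; copy the rows it returns and run them as a batch. The token list is the editor's choice: it spells passthru as PHP does (in a LIKE pattern, pass_thru does not match passthru because _ is a one-character wildcard), escapes the underscore in base64\_decode for the same reason, and leaves out the bare exec and system tokens because they match ordinary English in post text. A hit is a place to inspect by hand, not something to delete automatically; as noted above, some legitimate add-ons use base64.

```sql
-- Editor's example, not from the thread. Run in phpMyAdmin with the forum
-- database selected (or after "USE your_database;"). If your tables carry a
-- prefix, change `datastore` below to e.g. `vb_datastore`.

-- 1. Look at the datastore table directly. Each row is one serialized blob
--    (options, pluginlist, cron, ...). The flag columns show which suspicious
--    tokens appear in each row; the size ordering surfaces a padded or
--    obfuscated payload that matches no token at all.
SELECT title,
       LENGTH(data)                   AS bytes,
       (data LIKE '%base64\_decode%') AS has_base64_decode,
       (data LIKE '%eval(%')          AS has_eval,
       (data LIKE '%passthru%')       AS has_passthru,
       (data LIKE '%<iframe%')        AS has_iframe
FROM `datastore`
ORDER BY bytes DESC;

-- 2. Generate a search statement for every text-like column in the database.
--    TABLE_SCHEMA = DATABASE() scopes it to the selected forum database, so
--    the table prefix never has to be typed. Copy the query_to_run column into
--    the SQL tab and execute it; any location with hits > 0 needs review.
--    The statements for large columns such as post.pagetext will be slow.
SELECT CONCAT(
    'SELECT ''', TABLE_NAME, '.', COLUMN_NAME, ''' AS location, ',
    'COUNT(*) AS hits FROM `', TABLE_NAME, '` ',
    'WHERE `', COLUMN_NAME, '` LIKE ''%base64\\_decode%'' ',
    'OR `',    COLUMN_NAME, '` LIKE ''%eval(%'' ',
    'OR `',    COLUMN_NAME, '` LIKE ''%passthru%'' ',
    'OR `',    COLUMN_NAME, '` LIKE ''%<iframe%'';'
) AS query_to_run
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND DATA_TYPE IN ('varchar', 'tinytext', 'text', 'mediumtext', 'longtext')
ORDER BY TABLE_NAME, ORDINAL_POSITION;
```

Each generated line looks like `SELECT 'datastore.data' AS location, COUNT(*) AS hits FROM `datastore` WHERE `data` LIKE '%base64\_decode%' OR ...;` and only counts rows, so nothing is modified. Once a location is identified, open that table in phpMyAdmin and examine the matching rows before deciding whether to delete them or, for the plugin datastore, simply rebuild it via Save Active Status as described in the thread.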
Macsee
09-17-2013, 02:04 PM
prefix_tablename
That worked. :)
Ran both the queries. The first one came up clean. The template search came up with a few results in the form of:
styleid title template
-1 editor.css $final_rendered = '.formcontrols .blockrow.textedi...
-1 forumhome_markread_script $final_rendered = '<script type="text/javascript" ...
etc
There were some files with some dates that did not match the others. Particularly the htaccess ... and one or two new files - the typical ini.php used in this hack. Those were all deleted at the start. I will be upgrading to the latest version of vB which should overwrite all existing files.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.