should our VB database contain any base64 code?

Ii seems to be linked to an if subscriptions.php type command

if (strpos($_SERVER['PHP_SELF'],'subscriptions.php')) {

eval(gzinflate(base64_decode('

This is present in adminutil and datastore

We have had an issue with includes/datastore/datastore_cache.php erasing itself every 24 hours, and taking the forum down untill a new copy is uploaded. within a few hours the file then contains this same code as found in the database

is it safe to remove the entry from the database?

New files have been uploaded many times, so we think that it can only be the database thats keeping causing the issue

That looks like a backdoor to execute commands on the server, so yes you should remove it immediately. However, you might want to look into where it's coming from.

Dave, would you be able to offer advise and / or a quote to help with this please

ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4368064-popup-injection-vb-4-2-2-patch-level-4

ok, im slowly working my way through this, following numerous online guides, and racking up the google air miles.

just about EVERY post that asks about any base64 code within vbulletin files, seems to be met with the default answer from vbulletin staff that 'vbulletin doesnt contain any base64 code, its been added by hackers, redownload new files'

Ive downloaded new files, and before even unzipping them, have found the following INSIDE the default vbulletin file attachment.php

$filedata = vb_base64_decode('R0lGODlhAQABAIAAAMDAwAAAACH5BAEA AAAALAAAAAABAAEAAAICRAEAOw==');

As someone who is not an expert, and following guidance telling me that i should have NO base64 code AT ALL in ANY vbulletin file, i dont know how i should proceed next, as i have found around a dozen default files that contain base64

--------------- Added 1494088047 at 1494088047 ---------------

ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4368064-popup-injection-vb-4-2-2-patch-level-4

This was indeed tucked away, and has since been removed. After removing it i cleared the system cache, and this has also caused the entire entry to be removed from the database

The base64 encoded string you posted is fine and part of vBulletin. I believe it acts as a transparent image or something like that.

Do you simply delete the code? or delete the init_startup tables in the database? I found two of them

You can either delete the code or delete the entire hook in the plugin system, just make sure there's no valid code in the hook or else you may break something.