vb.org Archive

Check 4 Hack - Finds infected Datastore Entries (https://vborg.vbsupport.ru/showthread.php?t=265866)

Kolbi 10-17-2013 11:18 AM

I'm also getting blank mails.

It seems that tapatalk is the reason for the mails?

Version 4.8.0 Plugin: Tapatalk: Tapatalk Image Link
Code:

$postbits = preg_replace_callback('/(<img src=")(http:\/\/img.tapatalk.com\/d\/[0-9]{2}\/[0-9]{2}\/[0-9]{2})(.*?)(".*>)/i',
create_function(
    '$matches',
    'return \'<a href="http://tapatalk.com/tapatalk_image.php?img=\'.urlencode(base64_encode($matches[2].\'/original\'.$matches[3])).\'" target="_blank" class="externalLink">\'.$matches[1].$matches[2].\'/thumbnail\'.$matches[3].$matches[4].\'</a>\';'
),
$postbits);

Could this be the reason for sending out the mails?

MrD 10-18-2013 10:11 AM

Hi Kolbi,
yes it is.

Kolbi 10-18-2013 01:46 PM

I guess there's no workaround to explicitly exclude this plugin?

lazytown 10-19-2013 04:00 AM

uninstalled -- always sends blank email.

Teascu Dorin 10-19-2013 05:09 AM

No email at all for me using demo!

vBulletin: 4.2.2
Server Type: Linux
Web Server: Apache (cgi-fcgi)
PHP: 5.3.24
MySQL Version: 5.0.96-log

Andy.H 10-28-2013 07:31 PM

As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

Kolbi 10-29-2013 07:24 AM

Quote:

Originally Posted by Andy.H (Post 2456874)
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

The result: "Infekte Gefunden: pluginlist" doesn't say a lot, because Tapatalk causes this :) and if there were another infection it would still tell you "pluginlist".

orangefive 10-30-2013 09:57 PM

Quote:

Originally Posted by Andy.H (Post 2456874)
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.

me too

Andy.H 01-07-2014 07:04 PM

Thought I'd try a little tweak to the code. All the base64 hacks I've seen/had to clear up use the base64_decode command. The check4hack.php file looks for "%base64%" out of the box... so I did the following:

In the check4hack.php file, find the line below:

Code:

$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");

and change to:

Code:

$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64_decode%'");

Seeing as the Tapatalk code uses the base64_encode command, check4hack.php no longer picks it up as a false positive, and should hopefully still detect any base64_decode hacks... I hope!

:)

whodah 03-05-2014 01:42 AM

Andy.H: Hey cool. That gives me an idea. How about replacing that same line with this:
Code:

// \$ keeps PHP from interpolating $matches inside the double-quoted query string
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE REPLACE(data,'\'return \\\\\'<a href=\"http://tapatalk.com/tapatalk_image.php?img=\\\''.urlencode(base64_encode(\$matches[2]','TAPATALK_REPLACEMENT_STRING') LIKE '%base64%'");

:D

There might be a more eloquent way, and that wouldn't be 100% foolproof, but really really narrows it down, ya?
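
A per-hook version of the two tweaks above, as an added example that is not part of check4hack.php or of any post in this thread: it unpacks a serialized datastore entry, blanks out reviewed snippets (the REPLACE() idea) and reports which key still mentions base64_decode or some other base64 use, instead of only "pluginlist". The function name, hook keys and sample data are constructed, and it assumes pluginlist is stored as a serialized array of hook name => PHP code.

```php
<?php
// Added example, not code from check4hack.php or Tapatalk.

/**
 * Scan one datastore row; return one finding per array key that still
 * mentions base64 after reviewed snippets have been blanked out.
 */
function scan_datastore_entry($title, $data, array $known_good = array())
{
    // Assumption: pluginlist is a serialized array of hook name => PHP code.
    // allowed_classes=false (PHP 7+) keeps unserialize() from creating objects.
    $items = @unserialize($data, array('allowed_classes' => false));
    if (!is_array($items)) {
        $items = array('(whole entry)' => $data); // not an array: scan the raw text
    }
    $findings = array();
    foreach ($items as $key => $code) {
        if (!is_string($code)) {
            continue;
        }
        // Replace, rather than delete, so removal cannot join two fragments.
        $rest = str_replace($known_good, '/*reviewed*/', $code);
        if (stripos($rest, 'base64_decode') !== false) {
            $match = 'base64_decode';
        } elseif (stripos($rest, 'base64') !== false) {
            $match = 'base64 (other use, review by hand)';
        } else {
            continue;
        }
        $findings[] = array('entry' => $title, 'key' => $key, 'match' => $match);
    }
    return $findings;
}

// Constructed sample data; hook keys and code lines are made up for the demo.
$known_good = array('urlencode(base64_encode($matches[2]');
$sample = serialize(array(
    'hook_a' => '$link = urlencode(base64_encode($matches[2] . $matches[3]));',
    'hook_b' => '$p = base64_decode($blob); // stand-in for an injected line',
    'hook_c' => '$note = "images are sent as base64";',
    'hook_d' => '$show["x"] = true;',
));

foreach (scan_datastore_entry('pluginlist', $sample, $known_good) as $f) {
    printf("%s[%s]: %s\n", $f['entry'], $f['key'], $f['match']);
}
```

In a real run the $data argument would come from the data column of the datastore table, selected together with title.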

