vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 4.x Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=245)
-   -   Administrative and Maintenance Tools - Check 4 Hack - Finds infected Datastore Entries (https://vborg.vbsupport.ru/showthread.php?t=265866)

whodah 03-20-2014 03:45 AM

Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

Code:

if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
and

Code:

!($pagetext = base64_decode($vbulletin->GPC['html']))
everyone agree?

Andy.H 03-24-2014 06:59 PM

Hmm... we're running 4.2.0 PL4 with the scheduled task running and it's not detecting those lines? Maybe they don't appear in 4.2.0?

Which files did you find them in?

PS: nice addition with the detection :)

ForceHSS 03-24-2014 08:10 PM

Quote:

Originally Posted by whodah (Post 2488496)
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

Code:

if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
and

Code:

!($pagetext = base64_decode($vbulletin->GPC['html']))
everyone agree?

This is not in the code by default. If you have this, then you have an infection.

whodah 03-24-2014 08:51 PM

Hi Andy.H and ForceHSS,

Interesting... Digging deeper. The thing that makes me suspect is that I have a backup install on another server, different pw's, that is 100% .htaccess protected (front end and admin end) which has those same two lines...

Digging, will report back...

whodah 03-24-2014 09:10 PM

ForceHSS:

Are you sure you are on 4.2.2 PL1? If so, do your install files fresh from vB not have this?
Code:

includes/xml/product-panjo.xml:        if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml:                !($pagetext = base64_decode($vbulletin->GPC['html']))

BTW: I thought it might be interesting to note the other base64_(encode|decode) stuff off a fresh 4.2.2PL1 download:

Code:

[root@hurley upload]# grep -RIi base64_decode *
asset.php:      $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
attachment.php:        $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
blog_attachment.php:    $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
cron.php:$filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php:                          $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php:                          $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php:          $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php:          $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php:    return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php:        return base64_decode($string);
includes/functions.php:        return ($decode ? vb_base64_decode($return) : $return);
includes/xml/product-panjo.xml:        if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml:                !($pagetext = base64_decode($vbulletin->GPC['html']))
picture.php:    $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
forumrunner/push.php:    $msgargs = array(base64_encode(prepare_utf8_string($vbulletin->options['bbtitle'])));
forumrunner/push.php:      $msgargs[] = base64_encode(count($pms));
forumrunner/push.php:      $msgargs[] = base64_encode(prepare_utf8_string($first_pm['fromusername']));
forumrunner/push.php:      $msgargs[] = base64_encode(count($subs));
forumrunner/push.php:      $msgargs[] = base64_encode(prepare_utf8_string($first_sub['title']));
forumrunner/support/Snoopy.class.php:                  $headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
forumrunner/support/Snoopy.class.php:                  $headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
forumrunner/support/Snoopy.class.php:                  $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
includes/adminfunctions_plugin.php:                                    'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php:                                    'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php:                            'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php:                                            'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php:                                            'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php:                                    'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php:                                  'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php:                                  'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php:                          'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php:                                  'value' => vb_base64_encode($stylevar)
includes/class_mail.php:                                        if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php:  * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php:  * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php:    $str = strtr(base64_encode($input), '+/', '-_');
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php:        return base64_encode($string);
includes/functions.php:        $string = vb_base64_encode($string);
vb/verticalresponse.php:                    'contents'  => vb_base64_encode($members),
[root@hurley upload]#


whodah 03-24-2014 09:24 PM

Andy.H: for completeness, I checked out 4.2.0PL4, and it looks like those lines are not in there:

Code:

[root@hurley upload]# grep -RIi base64_decode *
asset.php:      $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php:                          $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php:                          $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php:          $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php:          $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php:    return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php:        return base64_decode($string);
includes/functions.php:        return ($decode ? vb_base64_decode($return) : $return);
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
includes/adminfunctions_plugin.php:                                    'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php:                                    'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php:                            'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php:                                            'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php:                                            'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php:                                    'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php:                                  'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php:                                  'failsafe'  => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php:                          'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php:                                  'value' => vb_base64_encode($stylevar)
includes/class_mail.php:                                        if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php:  * Exactly the same as base64_encode except it uses
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php:        return base64_encode($string);
includes/functions.php:        $string = vb_base64_encode($string);
vb/verticalresponse.php:                    'contents'  => vb_base64_encode($members),
[root@hurley upload]#


ForceHSS 03-24-2014 09:34 PM

Yes, I have them in default files as well. Not sure if all, as I have not checked all of them, but I am sure if it is a problem vB would post about it, so don't worry about it.

Andy.H 03-24-2014 09:44 PM

Quote:

Originally Posted by whodah (Post 2489357)
Andy.H: for completeness, I checked out 4.2.0PL4, and it looks like those lines are not in there:

That would explain it then. It does leave you in a bit of a quandary if you're running 4.2.2 though. Does it generate any false positives when you run the task manually?

whodah 03-24-2014 11:24 PM

ForceHSS: roger that.

Andy.H: yup yup, false positives as of now. Did you see my post #110 above? I haven't had time to write a replace string for these two yet, but I'm thinking a similar notion would work here too. Thanks for the inspiration for that idea again. :D But really, we could keep whittling out false positives when they come up that way. (I think.)
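
The "replace string" idea from the posts above generalises to a per-version allowlist: grep a pristine download of the exact same vBulletin version (and plugin set) for base64_decode, record those hits, and only report lines in the live install that the baseline does not contain. The Python below is an added example, not the Check 4 Hack mod's own code; it covers the on-disk file grep shown in this thread, not the datastore rows the mod itself inspects. The sample files are constructed: the product-panjo.xml and includes/functions.php lines are the ones quoted above, the surrounding context and the extra `CONSTRUCTED_PLACEHOLDER` line are made up. Hits are keyed by path plus whitespace-normalised text rather than line number, so an indentation change or a shifted line does not produce a new false positive, while any edited or added line still surfaces.

```python
"""Allowlist-based triage for base64_decode hits in a vBulletin file tree.

Added example (not the Check 4 Hack mod's code). Baseline = hits from a
pristine download of the same version; anything not in the baseline is
reported for manual review.
"""
import hashlib
import os
import re

# Same match as the thread's `grep -RIi base64_decode`: the identifier,
# case-insensitive, which also catches vBulletin's vb_base64_decode wrapper.
BASE64_DECODE_RE = re.compile(r"base64_decode", re.IGNORECASE)


def normalize(line):
    """Collapse whitespace so re-indented lines still match the allowlist."""
    return " ".join(line.split())


def fingerprint(path, line):
    """Key a hit by path + normalised text, not by line number (which shifts)."""
    return hashlib.sha256(("%s\n%s" % (path, normalize(line))).encode()).hexdigest()


def scan_files(files):
    """files: mapping of relative path -> file contents. Returns a list of hits."""
    hits = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), 1):
            if BASE64_DECODE_RE.search(line):
                hits.append({"path": path, "line": lineno,
                             "text": normalize(line), "fp": fingerprint(path, line)})
    return hits


def scan_tree(root, exts=(".php", ".xml")):
    """Read a real install from disk into the mapping scan_files() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return scan_files(files)


def build_allowlist(baseline_hits):
    """Set of fingerprints seen in the pristine install."""
    return {h["fp"] for h in baseline_hits}


def triage(hits, allowlist):
    """Drop every hit already present in the baseline; the rest need eyes."""
    return [h for h in hits if h["fp"] not in allowlist]


# --- Constructed sample data (not real vBulletin files) ---------------------
CLEAN_INSTALL = {
    "includes/xml/product-panjo.xml": (
        "        if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {\n"
        "        }\n"
        "                !($pagetext = base64_decode($vbulletin->GPC['html']))\n"
    ),
    "includes/functions.php": (
        "function vb_base64_decode($string)\n"
        "{\n"
        "\tif (function_exists('base64_decode'))\n"
        "\t{\n"
        "\t\treturn base64_decode($string);\n"
        "\t}\n"
        "}\n"
    ),
}

# A live install carrying one extra line the baseline does not know about.
SUSPECT_INSTALL = dict(CLEAN_INSTALL)
SUSPECT_INSTALL["includes/functions.php"] = (
    CLEAN_INSTALL["includes/functions.php"]
    + "\neval(base64_decode('CONSTRUCTED_PLACEHOLDER'));\n"
)


def main():
    # In practice: allow = build_allowlist(scan_tree("/path/to/pristine/upload"))
    #              hits  = scan_tree("/path/to/live/forum")
    allow = build_allowlist(scan_files(CLEAN_INSTALL))
    for h in triage(scan_files(SUSPECT_INSTALL), allow):
        print("%s:%d: %s" % (h["path"], h["line"], h["text"]))


if __name__ == "__main__":
    main()
```

Regenerate the baseline whenever the forum or a plugin is upgraded, since a new version adds legitimate lines (as product-panjo.xml did between 4.2.0 PL4 and 4.2.2 PL1); a stale baseline reintroduces exactly the false positives the thread is discussing.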

Azonaco 05-08-2016 07:39 PM

This isn't working on version 4.2.2 for me. Any plans to update this mod?

