Miscellaneous Hacks - Rotating Banner System (https://vborg.vbsupport.ru/showthread.php?t=188328)

y2ksw 03-04-2016 05:52 AM

Quote:

Originally Posted by zackw (Post 2566458)
It seems this script may have been hacked.

Maybe it's not this script, but something else? In any case, there is a script injected into my template in the code where RBS is supposed to be. This screenshot shows a bad script in my template where it was never supposed to be. I deleted RBS and all its files.

To anybody else with RBS, please check the template location, and also check page source for the phrase "lovehouse" to confirm. Maybe it was just me, or maybe the hack was injected through some other means, I just don't know.

http://www.mediafire.com/view/jv5ekliv2ibkocj/hack.png

It isn't!

Your templates are your templates and all that happens to them is entirely up to you. This modification does not make any changes to existing templates, and template modifications, as suggested in the help file, are made by you or your software.

y2ksw 03-04-2016 05:55 AM

Quote:

Originally Posted by Greta@CPF (Post 2564652)
Ok - this has to be done for each individual banner in the Position 2 pool. There is no way to do this through "Manage Ads" under the Advertising tab in vBulletin?

Yes, you can eventually do it from there, if there is such a negation option.

zackw 03-04-2016 02:21 PM

Quote:

Originally Posted by y2ksw (Post 2566498)
It isn't!

Your templates are your templates and all that happens to them is entirely up to you. This modification does not make any changes to existing templates, and template modifications, as suggested in the help file, are made by you or your software.

I didn't make the changes. That's why it's called a hack. But it seemed to be connected with this script if that's how the hacker gained entrance.

When I run the suspect file version tool, the ONLY files that it complains about are RBS files.

y2ksw 03-04-2016 04:45 PM

Quote:

Originally Posted by zackw (Post 2566524)
I didn't make the changes. That's why it's called a hack. But it seemed to be connected with this script if that's how the hacker gained entrance.

When I run the suspect file version tool, the ONLY files that it complains about are RBS files.

Yeah I'm sure you didn't change in the way it is now, but I'm sure you created the part which follows the "hack". Because this script does not make changes to the templates. Else, you could also say it is related to vBulletin or any other script you may have.

The WORM you got in your forums is changing whatever it pleases, it has nothing to do with any other legit script. Remove it (and the changes it made) and your forum behaves well.

zackw 03-04-2016 04:55 PM

Quote:

Originally Posted by y2ksw (Post 2566531)
Yeah I'm sure you didn't change in the way it is now, but I'm sure you created the part which follows the "hack". Because this script does not make changes to the templates. Else, you could also say it is related to vBulletin or any other script you may have.

The WORM you got in your forums is changing whatever it pleases, it has nothing to do with any other legit script. Remove it (and the changes it made) and your forum behaves well.

"Remove it..." How does one find "it"? VB file checker only shows RBS files as suspicious. Should I delete them? Reinstall RBS?

I realize RBS doesn't change templates. And you know, html forms don't delete databases, but people have used insecure forms to do just that with SQL injection.
It doesn't matter what RBS "does" in normal operation, the question is whether things were hacked through it.

In any event, I edited the templates to remove the payload, but what other means can tell me where some worm is hiding?

I know this is probably not the thread to continue this, but if someone has a link to a method of validating the whole install, that would help.

squidsk 03-04-2016 07:57 PM

You have to trace the changes. Find out when and who changed the template from the logs and go from there. It's a painstakingly slow process to find when and who changed it. As for vbulletin reporting rbs files as suspect, it will do that for almost all products since most products do not supply the xml file that vb requires to know if the file is the original file for the mod.

y2ksw 03-05-2016 04:06 AM

Quote:

Originally Posted by zackw (Post 2566532)
"Remove it..." How does one find "it"? VB file checker only shows RBS files as suspicious. Should I delete them? Reinstall RBS?

I realize RBS doesn't change templates. And you know, html forms don't delete databases, but people have used insecure forms to do just that with SQL injection.
It doesn't matter what RBS "does" in normal operation, the question is whether things were hacked through it.

In any event, I edited the templates to remove the payload, but what other means can tell me where some worm is hiding?

I know this is probably not the thread to continue this, but if someone has a link to a method of validating the whole install, that would help.

This particular WORM enters your admin panel via XSS and installs itself into the plugin cache. Some versions also keep a plugin you never installed, but most of them just have the cached code, which may be found by extracting all plugin code from the datastore table. It has a suspiciously long white space line (to move out of sight) and some eval/base64_decode sequences which install and quirk the templates in order to show their links.

You can get rid of the cache-only version by saving a single plugin, but usually there is also an infected script (tampered image) which then reinstalls the WORM once again. I found that Avast does a good job of finding infected scripts, but a global search on files for some pattern may work as well.

Please note that this WORM is carefully designed and not as stupid as most of its kind. It is hard to remove and usually requires checking all files on your installation, including plugins where it may hide (appended or prepended, rarely inserted). There also may be some templates which attempt to load external files in order to reinfect the whole.
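
The "global search on files for some pattern" described in the post above could look like the following. This is an added example, not part of the original post and not code from RBS or vBulletin. It assumes the plugin code has already been exported from the datastore table to a text file inside the scanned directory; the regex thresholds, the image-extension list and the sample file names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above; the numeric thresholds are assumptions.
LONG_WS = re.compile(r"[ \t]{200,}\S")   # padding that pushes code off-screen
EVAL_B64 = re.compile(r"\beval\s*\([^;]{0,120}?base64_decode\s*\(", re.I)
PHP_TAG = re.compile(r"<\?php", re.I)
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".ico"}

def scan_text(text, is_image=False):
    """Return sorted (line_number, indicator) pairs found in text."""
    hits = set()
    for no, line in enumerate(text.splitlines(), 1):
        if LONG_WS.search(line):
            hits.add((no, "long-whitespace"))
        if EVAL_B64.search(line):
            hits.add((no, "eval-base64"))
        if is_image and PHP_TAG.search(line):
            hits.add((no, "php-in-image"))
    return sorted(hits)

def scan_tree(root):
    """Scan every file under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # latin-1 maps every byte, so binary files decode without errors.
        text = path.read_text(encoding="latin-1")
        found = scan_text(text, path.suffix.lower() in IMAGE_EXT)
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Build a constructed sample tree (harmless placeholder content) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.php").write_text("<?php\necho 'hello';\n")
        (root / "plugin_dump.txt").write_text(
            "$x = 1;" + " " * 300 + "eval(base64_decode('cGxhY2Vob2xkZXI='));\n")
        (root / "banner.gif").write_bytes(b"GIF89a\x00\x00<?php /* placeholder */ ?>")
        return scan_tree(root)

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

To check a real installation, call `scan_tree()` on a copy of the forum directory; a hit marks a file for manual review and is not proof of infection.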

cloferba 03-09-2016 07:48 PM

Hi!

Thank you so much for your plugin.

Could you please let me know if PHP code can be inserted?
Quote:

Text
This field may hold any kind of script (e.g. Google AdSense) and/or HTML which will be inserted in your pages. Please make sure it works and that all tags are closed properly.
Thank you

y2ksw 03-10-2016 04:24 AM

Quote:

Originally Posted by cloferba (Post 2566895)
Hi!

Thank you so much for your plugin.

Could you please let me know if PHP code can be inserted?


Thank you

No. PHP isn't executed at the browser level.

Scream And Fly 03-27-2016 06:03 AM

Hello! I've been using your product for years at www.screamandfly.com
On the left side, we have four 140x200px banners managed by the individual locations, which is great.
I wanted to add additional banners, however when I add another banner to a 5th location, it won't show up. It seems only the 4 locations can be visible. Is there an easy way to add more locations on the left side?

Thank you!

