vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 4.x Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=245)
-   -   Administrative and Maintenance Tools - Check 4 Hack - Finds infected Datastore Entries (https://vborg.vbsupport.ru/showthread.php?t=265866)

gregorym 07-04-2013 10:57 PM

I'd like to know if this is working or how to make it work with 4.2.1 as well.
As Wolver2 said above, it's very important to many of us.

Or is there another product that's compatible with 4.2.1??

Wolver2 07-07-2013 01:29 PM

I think it's working as I get the emails for 4.2.1 and I get "Infects found: {1}"
BUT I CANNOT SEE WHERE! the emails are all blank lol

Lazorbeam 08-27-2013 10:38 AM

Hmm... after 15 months of using this addon I'm now getting blank emails at 2, 22 and 42 minutes of every hour (which is when the job is scheduled to run).

Haven't installed anything lately so I'm guessing there was/is some sort of infection, however the files are blank. There are no infected addons according to the emails I'm getting, including the first.

Any idea?

Keysailor 09-01-2013 03:59 PM

Running 4.2.0pl2 and get this response running the cron job regardless of whether demo is active/enabled or not:

The following modules were infected:

pluginlist

Read through this whole thread, didn't find anything to tell me whether I have a problem or not. Any help?

JesterP 09-07-2013 01:36 AM

Makes me wonder why this isn't built in functionality. :/

Moh4m4d 09-07-2013 01:59 AM

Quote:

Originally Posted by avitor (Post 2417120)
hello dear
thank you for this mod

any one can confirm that this mod working on vb 4.2.pl2 ?
thanks

you can run for : 4.x.x

ForceHSS 09-14-2013 06:57 PM

1 Attachment(s)
As this has never been updated I have fixed the English version as some of it was not in English and also the grammar was not the best. This is all that I have done

whodah 09-19-2013 08:24 PM

I have a question, and can offer some help/advice.
:D

I installed this on a known compromised site.

I was getting blank emails every 20 minutes.

Scheduled Task Log Viewer indicates what a lot of folks previously posted here when asking about 'pluginlist'

9957 Check 4 Hacking 12:14, 19th Sep 2013 Infects found: pluginlist
9956 Check 4 Hacking 11:42, 19th Sep 2013 Infects found: pluginlist
9955 Check 4 Hacking 11:22, 19th Sep 2013 Infects found: pluginlist

(over and over)

I went into phpMyAdmin and ran this query:
Code:

SELECT title FROM datastore WHERE data LIKE '%base64%'
(note: you'll need to add the prefix to 'datastore' above if you have one. i.e. change 'datastore' to 'vb4_datastore' or whatever your case may be)

resultant row:
pluginlist

Code:

SELECT * FROM  `datastore` WHERE  `title` = 'pluginlist';
(again, add your prefix to 'datastore' if applicable)

edited that record, found:
Code:

....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflat
e(base64_decode('HJ3HkqNQEkU/Zzq
....

(note: that eval line and base64 line above was one line, not two. But when I type it as one line here at vbulletin.org, it errors out.)


Dug some more, found they injected some stuff off this issue:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

And this is indeed the remnants of the known compromised site. I.e. subscriptions.php leads to that C99madShell v. 2.0 madnet edition file/exploit.

So: why the blank emails every 20 minutes?

I set up a test in check4hack.php, changing it from:
Code:

        vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
        log_cron_action(implode(", ",$storages), $nextitem, 1);

to:
Code:

        vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
        log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
        log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
        log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
        log_cron_action(implode(", ",$storages), $nextitem, 1);

When you run the cron job by hand, you get legit log entries in 'Scheduled Task Log Viewer'. When cron calls it, only $recipent is set. That is to say, $vbphrase['c4h_subject'] and construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)) result in empty strings and/or null.

This explains why it 'works' for most people. One turns on 'demo', runs the cron by hand, you get the email, you turn off 'demo', and never get a 'broken' email.

Can anyone smarter than me tell me why those wouldn't be set during automatic cron vs. 'run now' cron? That'd be the key to fixing it!
:D
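
The `LIKE '%base64%'` query discussed above returns only the entry title, so a report of 'pluginlist' does not say what matched or where. The following is an added example, not part of the original thread or of Check4Hack: it triages exported `(title, data)` rows from the datastore table, separating the eval/decode chain quoted in the post from a bare "base64" mention and returning an excerpt around each hit. The rule labels, `SAMPLE_ROWS`, the `example_cache` title and the placeholder payload are constructed for illustration.

```python
import re

# Rules from most to least specific. The first mirrors the injected line
# quoted in the post: eval( <decompressor>( base64_decode( ...
RULES = [
    ("high", "eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*base64_decode\s*\(", re.I)),
    ("medium", "request-path trigger",
     re.compile(r"strpos\s*\(\s*\$_SERVER\s*\[\s*['\"]PHP_SELF['\"]\s*\]", re.I)),
    ("low", "bare base64 reference (all that LIKE '%base64%' checks)",
     re.compile(r"base64", re.I)),
]

# Constructed sample rows (title, data); the payload is a placeholder.
SAMPLE_ROWS = [
    ("pluginlist",
     "if (strpos($_SERVER['PHP_SELF'],\"subscriptions.php\")) {\n"
     "eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')));\n}"),
    ("options", "a:1:{s:7:\"bbtitle\";s:5:\"Forum\";}"),
    ("example_cache", "note: thumbnails are stored as base64 text"),
]

def scan_rows(rows, context=30):
    """Return one finding per matching rule per row, with the match offset
    and a short excerpt so the report is never just a bare title."""
    findings = []
    for title, data in rows:
        for severity, label, pattern in RULES:
            m = pattern.search(data)
            if not m:
                continue
            start = max(0, m.start() - context)
            findings.append({
                "title": title, "severity": severity, "rule": label,
                "offset": m.start(),
                "excerpt": data[start:m.end() + context].replace("\n", " "),
            })
    return findings

def worst_by_title(findings):
    # Collapse findings to the highest severity seen for each datastore title.
    order = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if order[f["severity"]] > order.get(worst.get(f["title"]), -1):
            worst[f["title"]] = f["severity"]
    return worst

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f["title"], f["severity"], f["offset"], f["excerpt"])
```

A "low" result alone means the row merely mentions base64 and needs a manual look; a "high" result on `pluginlist` corresponds to the injected record described in the post.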

whodah 09-20-2013 04:07 PM

Heya,

Thought I'd post the code of check4hack.php written by the OP. It is really short, and maybe someone browsing this can say, "oh, well that needs to be set when called by cron automatically vs. run 'by hand'" or something?

Code:

<?php
/*======================================================================*\
|| #################################################################### ||
|| # Check4Hack by Hoffi                                                                                          # ||
|| #################################################################### ||
\*======================================================================*/

// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
if (!is_object($vbulletin->db))
{
        exit;
}

// ########################################################################
// ######################### START MAIN SCRIPT ############################
// ########################################################################

// Send the reminder email only once.
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");
//vbmail_start();

$send = false;

$storages = array();

$recipent = ($vbulletin->options['check4hack_email']?$vbulletin->options['check4hack_email']:$vbulletin->options['webmasteremail']);

while ($infect = $vbulletin->db->fetch_array($infections))
{
        $storages[] = $infect['title'];
        $send = true;
        echo $infect['title']."-";
}

foreach($storages as $item)
{
        switch ($item)
        {
                // During the following found Items, the Datastore need to rebuild.
                case 'pluginlist':
                        vBulletinHook::build_datastore($vbulletin->db);
                        break;
        }
}

if ($send)
{
        vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
        log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
        log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
        log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
        log_cron_action(implode(", ",$storages), $nextitem, 1);
}

vbmail_end();

?>


whodah 09-20-2013 04:15 PM

And here is an example of the Scheduled Task Log when running it 'by hand':

Code:

10311        Check 4 Hacking        10:12, 20th Sep 2013        Infects found: pluginlist
10310        Check 4 Hacking        10:12, 20th Sep 2013        Infects found: whodahtest3 The following modules were infected: pluginlist
10309        Check 4 Hacking        10:12, 20th Sep 2013        Infects found: whodahtest2 Corrupt Datastore found!
10308        Check 4 Hacking        10:12, 20th Sep 2013        Infects found: whodahtest1 email@address.com

And one when it is naturally run through cron on its own: (note that only 'whodahtest1' has a variable next to it)
Code:

10315        Check 4 Hacking        10:14, 20th Sep 2013        Infects found: pluginlist
10314        Check 4 Hacking        10:14, 20th Sep 2013        Infects found: whodahtest3
10313        Check 4 Hacking        10:14, 20th Sep 2013        Infects found: whodahtest2
10312        Check 4 Hacking        10:14, 20th Sep 2013        Infects found: whodahtest1 email@address.com


