Check 4 Hack - Finds infected Datastore Entries
 

Many Users have Problems with infected Webservers.

I wrote a small Cron-Job that searches the datastore for possible infects and tried to repair them.

1.0 Initial relase with one check:
Checks if a base64 Code resists in the Datastore. If it's found in the pluginlist, the Datastore will be rebuild.

For more Checks, tell them. I'll add them.

The Cron Job will be started every 20 Min, and sends a Mail to the entered Mailadress, or if non entered, to the webmaster eMail-adress.

Install:

Upload the upload Directory and install the XML File.

German Version is also integrated.

If you want to check the Plugin, enable the Demo-Plugin which is installed, too. Only if it's enabled, the Check will find this.

If this Mod detects an infect, please do not lean back! Research it, and fix your security Hole!

FYI: Seems to work in 3.x as well.

installed under test

thank you bro
keep it up

If it works in vB3.8.7, I put on my running forum when you get home!

Thank you!

TAG!

Installed for testing on 4.1.3 ...

Is there any AdminCP option settings for this mod anywhere?

Thanks ... :)

Regards,
Doug

no options for this plugin from what i see does not work cant even add my email to it

That's why I asked because it said "...and sends a Mail to the entered Mailadress, or if non entered, to the webmaster eMail-adress." and I couldn't find anywhere to enter an email address in the mod ... :D

Regards,
Doug

The email field is added to the bottom of: Server Settings and Optimization Options in options.

Thank you ... :up:

Regards,
Doug

Very nice Hoffi :D

Testing :D

nice!

so if it Finds infected Datastore
Entries it will pm admin?

i m having this error when i try to import the xml file:
XML Error: not well-formed (invalid token) at Line 0

Hmm sounds odd... try it once more and let us know... also are you uploading and typing in the location OR selecting from a folder on your PC?

It sounds to me like an incomplete or corrupted download. Try downloading the XML file again and reinstalling.

No, It sends an eMail.

is working now i think it was my computer who caused that error

Can anyone please confirm this works with 3.8
Going by my flat line in traffic, it looks like I have been hit a second time in just over a year

I can't confirm it but I see no reason why it wouldn't.

will test it :)

Yes, I have it running on one 4.1.4 forum and one 3.8.3 forum.

Fingers crossed, installed on a 3.8.1 forum
Cant find where to turn the test option on though
No doubt a dumb question :o

Does this work for 4.1.4?

Many thanks.

In the very top post it says "vB version 4.1.4" so I would say yes, it does.

No, not at all. This is a very useful add-on but doesn't have a lot of documentation.

1. Admin CP >> vBulletin Options >> vBulletin Options
   
   select Server Settings and Optimization Options
   
   scroll down to "E-Mail adress: If a infect is detected, a warn mail will send to this adress. Then the System trys to repair" and enter the email address for notification.
   
   
2. AdminCP >> Plugins & Products >> Plugin Manager
   
   scroll down to Product : Check 4 Hacking and find below that [s]demo[/s]
   
   enable demo
   
   
3. Admin CP >> Scheduled Tasks >> Scheduled Task Manager
   
   scroll down to "Check 4 Hacking: Test the datastore for infects"
   
   click on "Run Now"
   
   you should get an email saying the cron job has found an infection in demo
   
   
4. Remember to go back and disable the demo plugin from step 2 above

i assume a blank email means no infection?

hello ... can you help? the program sent me this to my mail ...

Were the Following modules infected:

pluginlist

Is this normal?? or is it a virus?? and if a virus I do? I hope you can answer and help me ... thank you very much!

Yes. That only happens once after the "infected" email, presumably to confirm that you're now clean.

That's because you enabled the "demo" plugin. Now go in and disable it.

I got no infected email just 3 blanks.

Did you enable the demo plugin to test it? If not, manually running the cron job will send the blank email unless you have a real infection somewhere.

Im on vb3 and cannot find no place to enable the demo.

/EDIT
Corrupt Datastore found!


The following modules were infected:

vbindex_config

/edit , decoded and it says

Then you need to delete that file: vbindex_config - what is that, anyway? That's not part of vBulletin, as far as I know.

Simply checking for "base64" seems like it would give a lot of false positives... There are lots of legitimate uses for encoding data.

It's a good idea, but I think the implementation needs to be refined a lot, otherwise users will end up confused and scared.

I did not use any AddOn that use the base64 Code in a plugin, so it works for me. If you know a plugin which uses this code, I can add some extra functionality that looks in which plugin the code is used.

If you got a blank email, I assume that some phrases are missing. eMails were only send, if base64 is found in the datastore.

installed and working....3.8.x

THANKS...

Hmmm... it installed and tests fine on a 3.8.3 forum where I am a tech admin, but that forum was re-infected with the filestore123.info redirect without triggering this add-on.

Cleared the datastore (you can do this by disabling and then re-enabling any product/plug-in) so the redirect is gone again. Will continue to monitor.

Added: see below https://vborg.vbsupport.ru/showpost....2&postcount=39

Ok...

I ran this, and it's telling me: pluginlist is infected?

Exactly how would I go about double checking if this is correct or a false positive?

This seems odd.

Great add-on... Now just to wrap my head about what I got going on here.

Ignore this. I checked further and discovered that the cron job wasn't running. Somehow it was set to run only on the 11th of the month instead of daily.

It does on fact work as it should in vBulletin 3.8.3.

Just to be clear...

If you get a blank email -> Does that mean nothing was found?