vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Solving filestore72 hack. How to clear the database table? (https://vborg.vbsupport.ru/showthread.php?t=302248)

Macsee 09-13-2013 06:06 PM
Solving filestore72 hack. How to clear the database table?
 
I'm sorting out a filestore72 attack on my site. I'm upgrading vB to the latest version, changing passwords, deleting suspicious files, removing plugins etc.

My question is this:
There is some malicious code inserted in the datastore table of the database. It's in various places of that table and is encrypted.

How can I clear that? Can I simply delete that table and have vB recreate it somehow? Or is there another way of dealing with this?

smirkley 09-13-2013 06:10 PM
Would something like this help?

https://vborg.vbsupport.ru/showthread.php?t=265866

Macsee 09-14-2013 04:21 PM
Thanks, smirkley. I had found that the other day and initially got excited, but it doesn't appear to do much except send you an email to tell you that the database is infected. I already know that the database is infected and which table the infection is in. I also know which text it is in the table that shouldn't be there.

What I'm hoping to get is advice on how I can delete that infection in the datastore table (not the datastore file which is something else and which, apparently, can be recreated by turning off all the plugins and then turning them back on again).

ozzy47 09-14-2013 04:32 PM
Try editing any plugin, don't change anything, then hit Save, that may remove it.

DF031 09-15-2013 06:10 AM
What is this filestore72 hack ? And how do I protect the forum ?

ozzy47 09-15-2013 08:38 AM
Remove your install directory, it is a redirect to that site.

Macsee 09-16-2013 07:53 PM
Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.

TheLastSuperman 09-16-2013 08:01 PM
Quote:
Originally Posted by Macsee (Post 2446036)
Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.
Were you at any point in time or currently running vBSEO? If so see here - http://www.vbseo.com/f255/vbseo-data...ng-plug-55377/ and if not then go into the database and rip it out :p (Disclaimer: Make a backup if you're not use to editing a database in phpmyadmin).

Macsee 09-16-2013 08:39 PM
As I've said in the other thread, I've never used vBSEO. Ever. Never even considered using it. So let's stop blaming vBSEO ;)

Quote:
Originally Posted by TheLastSuperman (Post 2446040)
if not then go into the database and rip it out :p
Which is exactly what I asked for help on - ripping the base64 stuff out of the db. How do I do this?

ozzy47 09-16-2013 09:56 PM
  • Run the following Queries in phpMyAdmin:
Code:
SELECT title, phpcode,  hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode  LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%'  OR phpcode like '%iframe%';
Code:
SELECT styleid, title,  template FROM template WHERE template LIKE '%base64%' OR template LIKE  '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR  template like '%iframe%';

http://www.vbulletin.com/attachment....id=61831&stc=1
*If the above queries produce results you need to review them carefully, if they are in fact malicious delete them from the plugin manager in the admincp or in a worst case scenario using phpmyadmin.
  • If you feel the issue is within your templates themselves, you can rebuild your styles and to easily do this simply re-run the upgrade script, example url is yoursiteurl.com/install/upgrade.php
  • Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click to "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.
  • Check all software installed on your server, the hacker could have gained entry via another software. If there are updates available please update all software accordingly.

Macsee 09-17-2013 09:59 AM
Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.

Quote:
Table 'databasename.template' doesn't exist
I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added [DATE]1379422949[/DATE] at [TIME]1379422949[/TIME] ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.

TheLastSuperman 09-17-2013 01:22 PM
Quote:
Originally Posted by Macsee (Post 2446150)
Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.



I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added [DATE]1379422949[/DATE] at [TIME]1379422949[/TIME] ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.
You're running these queries from within phpmyadmin correct? "plugin" is the table name, don't change that ;) and do your tables use a prefix? If so add the prefix and then run example:

PHP Code:
SELECT titlephpcodehooknameproduct FROM TABLEPREFIXHERE_plugin WHERE phpcode LIKE '%base64%' OR phpcode  LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%'  OR phpcode like '%iframe%'

prefix_tablename

Also don't edit via notepad++ when you can edit via phpmyadmin, not all data is meant to nor can be edited that way.

Macsee 09-17-2013 01:25 PM
Update: AdminCP > Maintenance > Repair Tables seems to have done it! :)

The table is now clean! :)

But, of course, the infection may exist in other tables so I would still be keen in running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.

TheLastSuperman 09-17-2013 01:31 PM
Quote:
Originally Posted by Macsee (Post 2446205)
Update: AdminCP > Maintenance > Repair Tables seems to have done it! :)

The table is now clean! :)

But, of course, the infection may exist in other tables so I would still be keen in running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.
Ok then run the two queries in ozzy's post above to check, that's what those do i.e. they "Select" results from the tables in question IF any of the codes are present withing them such as %base64% see how in between the percentages it has base64 which is what you're specifically looking for they simply don't delete, you must do that manually (be forewarned though in rare cases some valid mods use base64 code so don't just go blindly deleting everything that comes up in results).

Also are you 100% sure that your files are clean? Make sure you download the same version of vBulletin from the members area, overwrite all vBulletin files AND while you are in there check the date on files the timestamps rather... any new files? Any recently modified files per the timestamps? If so overwrite those with clean files and/or delete.

Macsee 09-17-2013 02:04 PM
Quote:
Originally Posted by TheLastSuperman (Post 2446204)
prefix_tablename
That worked. :)

Ran both the queries. The first one came up clean. The template search came up with a few results in the form of :

Quote:
styleid title template
-1 editor.css $final_rendered = '.formcontrols .blockrow.textedi...
-1 forumhome_markread_script $final_rendered = '<script type="text/javascript" ...
etc
There were some files with some dates that did not match the others. Particularly the htaccess ... and one or two new files - the typical ini.php used in this hack. Those were all deleted at the start. I will be upgrading to the latest version of vB which should overwrite all existing files.


All times are GMT. The time now is 05:40 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01162 seconds
  • Memory Usage 1,765KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_php_printable
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (15)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete