vb.org Archive


vbresults 07-10-2013 10:00 PM

Hackers Suck!
 
Quote:

vBulletin is very unique on how it stores its templates and plugins. It's different than WordPress and Joomla, all the content is saved in the database. That makes it a bit more complicated for webmasters because they can't just use common command line tools (like grep) to search through all their files. They need to use phpMyAdmin or another database tool to try to find and fix those issues.

And that's where this malware hides itself. It uses the Plugin system and hooks into "global_start", so it is called on every page request.

Read more...
What is this plugin?

This plugin allows you to export all plugin code in the database to a single file with one click. You can then scan the plugin text file for malware. This plugin will later expand into a full security audit suite.


Hackers can insert malicious code directly into the datastore, ignoring the actual plugin table and evading detection via scanning with the plugin manager. This plugin exports the live, running datastore, rendering that tactic useless.

Installation
  1. Import the product XML.
  2. The installation is complete; congratulations!

ForceHSS 07-11-2013 05:38 PM

I click it, then save the plugin-list to my desktop, then what do I do?

vbresults 07-11-2013 05:43 PM

Quote:

Originally Posted by ForceHSS (Post 2433228)
I click it, then save the plugin-list to my desktop, then what do I do?

Using a text editor, open it and search for "base64_encode", "eval", and "str_rot13". These are used to obfuscate the actual code to prevent you from finding it by simply typing in "iframe" or whatever the malicious code is.

Zachery 07-11-2013 05:51 PM

Wouldn't a better option be just to flush the current datastore.plugin list and rebuild it from the current plugins?

Or to scan the plugin table for obfuscated code?

DM BoNeZ 07-20-2013 08:09 AM

This looks helpful, I'm going to take a look at this :)

crazyfalcon 11-14-2013 06:13 PM

Quote:

Originally Posted by vbresults (Post 2433231)
Using a text editor, open it and search for "base64_encode", "eval", and "str_rot13". These are used to obfuscate the actual code to prevent you from finding it by simply typing in "iframe" or whatever the malicious code is.


If you find eval, then what?

I found eval in 21 occurrences
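
Added example, not part of the original thread and not the plugin's own code: a Python script for triaging the exported plugin text when a search returns many hits, ranking each line by what surrounds the match. It assumes the export is plain text, adds `base64_decode` to the strings named in the thread, and treats vBulletin 3.x's routine `eval('... fetch_template(...) ...')` template calls as low priority; the sample input is constructed.

```python
import re
import sys

# Strings the thread says to search for; base64_decode is added here as an
# assumption, since it is the decoding call that pairs with eval.
DECODERS = ("base64_encode", "base64_decode", "str_rot13")
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
DECODER_RE = re.compile(r"\b(" + "|".join(DECODERS) + r")\s*\(", re.I)
# vBulletin 3.x renders templates with eval('... fetch_template(...) ...'),
# which accounts for most benign eval hits in plugin code.
TEMPLATE_RE = re.compile(r"\beval\s*\(\s*['\"].*fetch_template\s*\(", re.I)

# Constructed sample standing in for the exported plugin file.
SAMPLE = """// plugin A (constructed): ordinary template rendering
eval('$navbar = "' . fetch_template('navbar') . '";');
// plugin B (constructed): decode-then-execute pattern
$p = "PLACEHOLDER";
eval(base64_decode($p));
// plugin C (constructed): encoding without eval
$sig = base64_encode($userid);
"""


def triage(text, window=2):
    """Return (line_no, level, hits) for each line containing a searched call."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        has_eval = bool(EVAL_RE.search(line))
        hits = (["eval"] if has_eval else []) + sorted(
            {m.lower() for m in DECODER_RE.findall(line)})
        if not hits:
            continue
        nearby = "\n".join(lines[max(0, i - window):i + window + 1])
        if has_eval and DECODER_RE.search(nearby):
            level = "high"      # eval fed by, or next to, a decoder call
        elif has_eval and TEMPLATE_RE.search(line):
            level = "low"       # standard template eval
        else:
            level = "review"    # lone eval or lone encoder: read it by hand
        findings.append((i + 1, level, hits))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, level, hits in triage(source):
        print(f"{level:6} line {line_no}: {', '.join(hits)}")
```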

