vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Solving filestore72 hack. How to clear the database table? (https://vborg.vbsupport.ru/showthread.php?t=302248)

Macsee 09-13-2013 06:06 PM

Solving filestore72 hack. How to clear the database table?
 
I'm sorting out a filestore72 attack on my site. I'm upgrading vB to the latest version, changing passwords, deleting suspicious files, removing plugins etc.

My question is this:
There is some malicious code inserted in the datastore table of the database. It's in various places of that table and is encrypted.

How can I clear that? Can I simply delete that table and have vB recreate it somehow? Or is there another way of dealing with this?

smirkley 09-13-2013 06:10 PM

Would something like this help?

https://vborg.vbsupport.ru/showthread.php?t=265866

Macsee 09-14-2013 04:21 PM

Thanks, smirkley. I had found that the other day and initially got excited, but it doesn't appear to do much except send you an email to tell you that the database is infected. I already know that the database is infected and which table the infection is in. I also know which text it is in the table that shouldn't be there.

What I'm hoping to get is advice on how I can delete that infection in the datastore table (not the datastore file which is something else and which, apparently, can be recreated by turning off all the plugins and then turning them back on again).

ozzy47 09-14-2013 04:32 PM

Try editing any plugin, don't change anything, then hit Save, that may remove it.

DF031 09-15-2013 06:10 AM

What is this filestore72 hack? And how do I protect the forum?

ozzy47 09-15-2013 08:38 AM

Remove your install directory, it is a redirect to that site.

Macsee 09-16-2013 07:53 PM

Thanks ozzy, that didn't work. I still have the several blank lines which seem to have been inserted deliberately, followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.

TheLastSuperman 09-16-2013 08:01 PM

Quote:

Originally Posted by Macsee (Post 2446036)
Thanks ozzy, that didn't work. I still have the several blank lines which seem to have been inserted deliberately, followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.

Were you at any point in time, or are you currently, running vBSEO? If so see here - http://www.vbseo.com/f255/vbseo-data...ng-plug-55377/ and if not then go into the database and rip it out :p (Disclaimer: Make a backup if you're not used to editing a database in phpMyAdmin).

Macsee 09-16-2013 08:39 PM

As I've said in the other thread, I've never used vBSEO. Ever. Never even considered using it. So let's stop blaming vBSEO ;)

Quote:

Originally Posted by TheLastSuperman (Post 2446040)
if not then go into the database and rip it out :p

Which is exactly what I asked for help on - ripping the base64 stuff out of the db. How do I do this?

ozzy47 09-16-2013 09:56 PM

  • Run the following queries in phpMyAdmin:
Code:

SELECT title, phpcode, hookname, product
FROM plugin
WHERE phpcode LIKE '%base64%'
   OR phpcode LIKE '%exec%'
   OR phpcode LIKE '%system%'
   OR phpcode LIKE '%passthru%'  -- the PHP function is spelled passthru; in LIKE, '_' is a one-character wildcard, so '%pass_thru%' would never match it
   OR phpcode LIKE '%iframe%';
Code:

SELECT styleid, title, template
FROM template
WHERE template LIKE '%base64%'
   OR template LIKE '%exec%'
   OR template LIKE '%system%'
   OR template LIKE '%passthru%'  -- same correction as above
   OR template LIKE '%iframe%';

http://www.vbulletin.com/attachment....id=61831&stc=1
*If the above queries produce results, you need to review them carefully; if they are in fact malicious, delete them from the Plugin Manager in the AdminCP or, in a worst case scenario, using phpMyAdmin.
  • If you feel the issue is within your templates themselves, you can rebuild your styles; to easily do this, simply re-run the upgrade script, example URL: yoursiteurl.com/install/upgrade.php
  • Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.
  • Check all software installed on your server; the hacker could have gained entry via other software. If there are updates available, please update all software accordingly.
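The review queries above, as an added example that is not part of the original thread or of vBulletin: it reproduces the plugin and template queries, extends them to the datastore table Macsee asked about, runs them against an in-memory SQLite database seeded with constructed rows, and shows why a LIKE pattern containing an underscore ('%pass_thru%') silently misses the function it is meant to find. The datastore column names (title, data) are an assumption based on the vBulletin 3/4 schema; confirm them against your own database before adapting the queries, and treat every hit as something to read, not something to delete automatically.

```python
"""Scan vBulletin-style plugin, template and datastore tables for code that
does not belong there.

Added example, not code from this thread or from vBulletin.  Table and
column names for `datastore` (title, data) are an assumption; the plugin
and template columns follow the queries posted in the thread.
"""
import sqlite3

# Tokens that justify a manual review of the row.  "passthru" has no
# underscore: in a LIKE pattern '_' matches any single character, so the
# pattern '%pass_thru%' can never match the real function name.
SUSPICIOUS_TOKENS = ("base64", "exec(", "system(", "passthru", "iframe", "eval(")

LIKE_ESCAPE = "!"  # escape character declared in the LIKE ... ESCAPE clause


def escape_like(token: str) -> str:
    """Escape %, _ and the escape character so the token is matched literally."""
    return (token.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: clean rows plus one planted row per table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE plugin    (title TEXT, phpcode TEXT, hookname TEXT, product TEXT);
        CREATE TABLE template  (styleid INTEGER, title TEXT, template TEXT);
        CREATE TABLE datastore (title TEXT, data TEXT);
    """)
    conn.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?)", [
        ("Glow counter", "$count = $count + 1;", "global_start", "glowhost"),
        ("Stats helper", "eval(base64_decode('aGVsbG8='));", "init_startup", "vbulletin"),
        ("Shell hook", "passthru($cmd);", "global_start", "vbulletin"),
    ])
    conn.executemany("INSERT INTO template VALUES (?, ?, ?)", [
        (1, "header", '<div class="logo">{vb:raw vboptions.bbtitle}</div>'),
        (1, "footer", '<iframe src="http://redirect.invalid/" width="0"></iframe>'),
    ])
    # datastore rows hold PHP-serialized blobs; the second one is planted.
    conn.executemany("INSERT INTO datastore VALUES (?, ?)", [
        ("options", 'a:1:{s:7:"bbtitle";s:5:"Forum";}'),
        ("pluginlist", 'a:1:{s:12:"global_start";s:24:"eval(base64_decode($x));";}'),
    ])
    return conn


def find_suspicious(conn, table, text_col, select_cols):
    """Return rows of `table` whose `text_col` contains any suspicious token.

    Table and column names are constants from this script, never user input;
    the search tokens themselves are bound as parameters.
    """
    where = " OR ".join(
        f"{text_col} LIKE ? ESCAPE '{LIKE_ESCAPE}'" for _ in SUSPICIOUS_TOKENS)
    params = [f"%{escape_like(tok)}%" for tok in SUSPICIOUS_TOKENS]
    sql = f"SELECT {', '.join(select_cols)} FROM {table} WHERE {where}"
    return conn.execute(sql, params).fetchall()


def scan_all(conn):
    """Run the three review queries; return the flagged titles per table."""
    return {
        "plugin": [r[0] for r in find_suspicious(
            conn, "plugin", "phpcode", ("title", "hookname", "product"))],
        "template": [r[1] for r in find_suspicious(
            conn, "template", "template", ("styleid", "title"))],
        "datastore": [r[0] for r in find_suspicious(
            conn, "datastore", "data", ("title",))],
    }


def like_matches(conn, pattern, text):
    """Evaluate `text LIKE pattern` exactly as the database engine would."""
    return bool(conn.execute("SELECT ? LIKE ?", (text, pattern)).fetchone()[0])


if __name__ == "__main__":
    db = build_sample_db()
    for table, titles in scan_all(db).items():
        print(f"{table}: {titles or 'nothing flagged'}")
    print("'%pass_thru%' matches passthru():",
          like_matches(db, "%pass_thru%", "passthru($cmd);"))
    print("'%passthru%' matches passthru(): ",
          like_matches(db, "%passthru%", "passthru($cmd);"))
```

Against a real vBulletin database the same three SELECTs can be pasted into phpMyAdmin (MySQL's LIKE accepts the same ESCAPE clause); the point of the escaping helper is that any token you add later is matched literally, so a stray `_` or `%` in it cannot widen or silently narrow the search.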


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
