vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   base64 in database (https://vborg.vbsupport.ru/showthread.php?t=324968)

sattvhelp 04-25-2017 06:09 AM
base64 in database
 
should our VB database contain any base64 code?

Ii seems to be linked to an if subscriptions.php type command

Code:
if (strpos($_SERVER['PHP_SELF'],'subscriptions.php')) {

eval(gzinflate(base64_decode('
This is present in adminutil and datastore

We have had an issue with includes/datastore/datastore_cache.php erasing itself every 24 hours, and taking the forum down untill a new copy is uploaded. within a few hours the file then contains this same code as found in the database

is it safe to remove the entry from the database?

New files have been uploaded many times, so we think that it can only be the database thats keeping causing the issue

Dave 04-25-2017 11:11 AM
That looks like a backdoor to execute commands on the server, so yes you should remove it immediately. However, you might want to look into where it's coming from.

sattvhelp 05-02-2017 07:18 PM
Dave, would you be able to offer advise and / or a quote to help with this please

Kane@airrifle 05-03-2017 09:31 AM
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4

sattvhelp 05-06-2017 02:26 PM
ok, im slowly working my way through this, following numerous online guides, and racking up the google air miles.

just about EVERY post that asks about any base64 code within vbulletin files, seems to be met with the default answer from vbulletin staff that 'vbulletin doesnt contain any base64 code, its been added by hackers, redownload new files'

Ive downloaded new files, and before even unzipping them, have found the following INSIDE the default vbulletin file attachment.php

Code:
$filedata = vb_base64_decode('R0lGODlhAQABAIAAAMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
As someone who is not an expert, and following guidance telling me that i should have NO base64 code AT ALL in ANY vbulletin file, i dont know how i should proceed next, as i have found around a dozen default files that contain base64

--------------- Added [DATE]1494088047[/DATE] at [TIME]1494088047[/TIME] ---------------

Quote:
Originally Posted by Kane@airrifle (Post 2586150)
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4
This was indeed tucked away, and has since been removed. After removing it i cleared the system cache, and this has also caused the entire entry to be removed from the database

Dave 05-06-2017 02:41 PM
The base64 encoded string you posted is fine and part of vBulletin. I believe it acts as a transparent image or something like that.

twitch 09-28-2017 07:54 PM
Do you simply delete the code? or delete the init_startup tables in the database? I found two of them

Dave 09-28-2017 07:55 PM
You can either delete the code or delete the entire hook in the plugin system, just make sure there's no valid code in the hook or else you may break something.


All times are GMT. The time now is 06:24 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01608 seconds
  • Memory Usage 1,732KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (8)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete