I have a question, and can offer some help/advice.
I installed this on a known compromised site.
I was getting blank emails every 20 minutes.
Scheduled Task Log Viewer indicates what a lot of folks previously posted here when asking about 'pluginlist':
9957 Check 4 Hacking 12:14, 19th Sep 2013 Infects found: pluginlist
9956 Check 4 Hacking 11:42, 19th Sep 2013 Infects found: pluginlist
9955 Check 4 Hacking 11:22, 19th Sep 2013 Infects found: pluginlist
(over and over)
I went into phpMyAdmin and ran this query:
Code:
SELECT title FROM datastore WHERE data LIKE '%base64%'
(note: you'll need to add the prefix to 'datastore' above if you have one. i.e. change 'datastore' to 'vb4_datastore' or whatever your case may be)
resultant row:
pluginlist
Code:
SELECT * FROM `datastore` WHERE `title` = 'pluginlist';
(again, add your prefix to 'datastore' if applicable)
edited that record, found:
Code:
....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {
eval(gzinflat
e(base64_decode('HJ3HkqNQEkU/Zzq
....
(note: that eval line and base64 line above were one line, not two. But when I type it as one line here at vbulletin.org, it errors out.)
Dug some more, found they injected some stuff off this issue:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5
And this is indeed the remnants of the known compromised site. I.e. subscriptions.php leads to that C99madShell v. 2.0 madnet edition file/exploit.
So: why the blank emails every 20 minutes?
I set up a test in check4hack.php changing it from:
Code:
vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action(implode(", ",$storages), $nextitem, 1);
to:
Code:
vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
log_cron_action(implode(", ",$storages), $nextitem, 1);
When you run the cron job by hand, you get legit log entries in 'Scheduled Task Log Viewer'. When cron calls it, only $recipent is set. That is to say, $vbphrase['c4h_subject'] and construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)) result in empty strings and/or null.
This explains why it 'works' for most people. One turns on 'demo', runs the cron by hand, you get the email, you turn off 'demo', and never get a 'broken' email.
Can anyone smarter than me tell me why those wouldn't be set during automatic cron vs. 'run now' cron? That'd be the key to fixing it!
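
Added example (not part of the original post, and not code from the Check 4 Hacking product): a Python sketch of the datastore check described above, which applies the same LIKE '%base64%' filter and then confirms an eval-of-decoded-payload chain even when the code is split across lines. It goes slightly beyond the post by also matching gzuncompress and str_rot13 wrappers. Assumptions: an in-memory SQLite table stands in for the MySQL datastore table, and the vb4_ prefix, sample rows and PLACEHOLDER payload are constructed.

```python
import re
import sqlite3

# eval() of a base64 payload, optionally wrapped in decompress/rot13 calls.
# gzinflate and base64_decode are from the post; the other two are added here.
PATTERN = re.compile(
    r"eval\((?:(?:gzinflate|gzuncompress|str_rot13)\()*base64_decode\(",
    re.IGNORECASE,
)

def find_injected(conn, prefix=""):
    """Return [(title, context)] for datastore rows holding obfuscated eval."""
    if not re.fullmatch(r"\w*", prefix):
        raise ValueError("table prefix must be alphanumeric/underscore")
    hits = []
    # Same coarse filter as the post's query; the regex then drops false positives.
    rows = conn.execute(
        f"SELECT title, data FROM {prefix}datastore WHERE data LIKE '%base64%'"
    )
    for title, data in rows:
        squeezed = re.sub(r"\s+", "", data)  # undo whitespace/newline splitting
        m = PATTERN.search(squeezed)
        if m:
            start = max(0, m.start() - 60)  # keep the guarding condition for triage
            hits.append((title, squeezed[start:m.end()]))
    return hits

def build_sample_db():
    """Constructed sample data: table name, rows and payload are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vb4_datastore (title TEXT, data TEXT)")
    conn.executemany("INSERT INTO vb4_datastore VALUES (?, ?)", [
        ("pluginlist", 'if (strpos($_SERVER["PHP_SELF"],"subscriptions.php")) {\n'
                       "eval( gzinflate(\nbase64_decode('PLACEHOLDER')));}"),
        ("options", 'a:1:{s:8:"encoding";s:6:"base64";}'),  # benign mention
        ("smiliecache", "a:0:{}"),
    ])
    return conn

if __name__ == "__main__":
    for title, context in find_injected(build_sample_db(), prefix="vb4_"):
        print(f"{title}: {context}")
```

The returned context includes the text just before the eval, so the file name the injected code keys on (subscriptions.php in the post) shows up alongside the row title.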