Check 4 Hack - Finds infected Datastore Entries
Version: 1.00, by Hoffi
Developer Last Online: Mar 2016

Category: Administrative and Maintenance Tools - Version: 4.1.4
Released: 06-26-2011 Last Update: Never Installs: 152
Uses Plugins, Additional Files, Translations
No support by the author.

Many Users have Problems with infected Webservers.

I wrote a small Cron-Job that searches the datastore for possible infections and tries to repair them.

1.0 Initial release with one check:
Checks if base64 code exists in the Datastore. If it's found in the pluginlist, the Datastore will be rebuilt.

For more checks, tell me. I'll add them.

The Cron Job will be started every 20 min, and sends a mail to the entered mail address, or if none is entered, to the webmaster e-mail address.

Install:

Upload the upload Directory and install the XML File.

German Version is also integrated.

If you want to check the Plugin, enable the Demo-Plugin which is installed, too. Only if it's enabled, the Check will find this.

If this Mod detects an infection, please do not lean back! Research it, and fix your security hole!

File Type: zip c4h.zip (2.8 KB, 1147 views)

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
8 thanks from:
djbaxter, fahris, furnival, Lee G, strudinox, TheLastSuperman, Toxic2

Comments
  #92  
Old 09-21-2013, 09:33 PM
whodah whodah is offline
 
Join Date: Feb 2004
Posts: 77
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

So for now, I changed check4hack.php from:
Code:
vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
to:
Code:
vbmail($recipent,"Something Wrong in forum dB!".$vbphrase['c4h_subject'],"Run Check 4 Hacking in Scheduled Task Manager. This auto-email messes up, but it runs OK 'by hand'.\n\n".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
It isn't a fix, and it isn't perfect. But at least instead of blank emails, you'll get a little guidance on what to do or what the email means.
Reply With Quote
  #93  
Old 09-22-2013, 03:46 AM
BirdOPrey5
Senior Member
 
Join Date: Jun 2008
Location: New York
Posts: 10,610
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

I'm not sure it will make a difference but I would try commenting out the line

Code:
echo $infect['title']."-";
(make it)

Code:
//echo $infect['title']."-";
instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.
Reply With Quote
Thanks from:
TheLastSuperman
  #94  
Old 09-24-2013, 01:26 PM
Wolver2 Wolver2 is offline
 
Join Date: Oct 2010
Posts: 106
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

I get this note as an email from the plugin:

The following modules were infected:

pluginlist


What do I do now? Or how do I remove it?
Reply With Quote
  #95  
Old 09-24-2013, 02:04 PM
whodah whodah is offline
 
Join Date: Feb 2004
Posts: 77
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by Wolver2 View Post
I get this note as an email from the plugin:

The following modules were infected:

pluginlist


What do I do now? Or how do I remove it?
Try post #88 in this thread.
Reply With Quote
  #96  
Old 09-24-2013, 02:26 PM
whodah whodah is offline
 
Join Date: Feb 2004
Posts: 77
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by BirdOPrey5 View Post
I'm not sure it will make a difference but I would try commenting out the line

Code:
echo $infect['title']."-";
(make it)

Code:
//echo $infect['title']."-";
instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.
Heya BirdOPrey5,

Thanks for the idea, but it didn't fix it.
Reply With Quote
  #97  
Old 09-24-2013, 03:26 PM
Wolver2 Wolver2 is offline
 
Join Date: Oct 2010
Posts: 106
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

@whodah thanks for pointing it out.

Code:
After ....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflate(base64_decode('HJ3HkqNQEkU/Zzq
....
What do I do to remove it completely?

Btw below that code you posted a link to an exploit regarding /install folder.. but I never had an install folder there after installing
Reply With Quote
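
The `eval(gzinflate(base64_decode(` pattern in the snippet above, and the base64 check the mod's first post describes, can be hunted for with a small scanner. This is an added example, not code from the Check 4 Hack mod or from any poster; it assumes the pluginlist has been exported as a mapping of hook name to PHP code, and the function names, sample data and 40-character threshold are constructed for illustration.

```python
import re

# PHP decoders commonly nested inside eval() to unpack a hidden payload.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)"
# eval( wrapping one or more decoder calls; PHP allows whitespace between
# tokens and function names are case-insensitive.
EVAL_CHAIN = re.compile(r"\beval\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)+", re.I)
# Quoted run of 40+ base64 characters (the threshold is an assumption).
B64_LITERAL = re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def scan_plugin(code):
    """Return the reasons why one plugin's PHP code looks obfuscated."""
    # Drop /* ... */ comments, which can be used to split eval from its "(".
    stripped = BLOCK_COMMENT.sub("", code)
    reasons = []
    if EVAL_CHAIN.search(stripped):
        reasons.append("eval-decoder-chain")    # high confidence
    if B64_LITERAL.search(stripped):
        reasons.append("long-base64-literal")   # needs manual review
    return reasons


def scan_pluginlist(pluginlist):
    """Map hook name -> reasons, for flagged entries only."""
    hits = {}
    for hook, code in pluginlist.items():
        reasons = scan_plugin(code)
        if reasons:
            hits[hook] = reasons
    return hits


# Constructed sample: hook name -> plugin PHP code. Payloads are harmless
# placeholder strings, not real malware.
SAMPLE_PLUGINLIST = {
    "global_start": "if (strpos($_SERVER['PHP_SELF'],\"subscriptions.php\")) {\n"
                    "eval(gzinflate(base64_decode('" + "QUJD" * 12 + "')));\n}",
    "parse_templates": "$show['welcome'] = true;",
    "init_startup": "EVAL /* x */ ( Base64_Decode ( $payload ) );",
    "showthread_start": "$logo = '" + "aW1n" * 12 + "';",
}

if __name__ == "__main__":
    for hook, reasons in scan_pluginlist(SAMPLE_PLUGINLIST).items():
        print(hook, "->", ", ".join(reasons))
```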
  #98  
Old 09-24-2013, 04:34 PM
whodah whodah is offline
 
Join Date: Feb 2004
Posts: 77
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by Wolver2 View Post
@whodah thanks for pointing it out.

Code:
After ....
if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(gzinflate(base64_decode('HJ3HkqNQEkU/Zzq
....
What do I do to remove it completely?

Btw below that code you posted a link to an exploit regarding /install folder.. but I never had an install folder there after installing
Heya,

Interesting on the install thing. For me, that is what I saw all the log files hit.

For removal: this thread helped a ton:
http://www.vbulletin.com/forum/forum...i-e-p0wersurge

In particular, post number 4.

And secondly, although a lot of it is the same, the 2nd post here:
http://www.vbulletin.com/forum/forum...madnet-edition

Especially bullet point #6 as the infected plugin was by author 'vbulletin'. (fake of course, and removed of course.)
Reply With Quote
  #99  
Old 10-13-2013, 02:06 AM
Wolver2 Wolver2 is offline
 
Join Date: Oct 2010
Posts: 106
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

@Whodah I tried the post nr. 4:

Atm trying to clean.. but I'm a newbie in this.. will report
Reply With Quote
  #100  
Old 10-13-2013, 12:49 PM
KHALIK KHALIK is offline
 
Join Date: May 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

I am also getting the following message on my vb 4.2.2 when I manually run cron job.

Quote:
Check 4 Hacking

pluginlist-

Done.

Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help
Reply With Quote
  #101  
Old 10-14-2013, 04:53 PM
whodah whodah is offline
 
Join Date: Feb 2004
Posts: 77
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Quote:
Originally Posted by KHALIK View Post
I am also getting the following message on my vb 4.2.2 when I manually run cron job.



Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help
Try post #88 in this thread.
Reply With Quote