  #11  
09-17-2013, 09:59 AM
Macsee

Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.

Quote:
Table 'databasename.template' doesn't exist
I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added [DATE]1379422949[/DATE] at [TIME]1379422949[/TIME] ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.
  #12  
09-17-2013, 01:22 PM
TheLastSuperman

Quote:
Originally Posted by Macsee View Post
Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.



I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added [DATE]1379422949[/DATE] at [TIME]1379422949[/TIME] ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.

You're running these queries from within phpMyAdmin, correct? "plugin" is the table name, so don't change that. Do your tables use a prefix? If so, add the prefix and then run, for example:

PHP Code:
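-- Replace TABLEPREFIXHERE_ with your table prefix. In LIKE, _ matches any single character, so the function name is written passthru.
SELECT title, phpcode, hookname, product FROM TABLEPREFIXHERE_plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%'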

prefix_tablename

Also, don't edit via Notepad++ when you can edit via phpMyAdmin; not all data is meant to be, or can be, edited that way.
  #13  
09-17-2013, 01:25 PM
Macsee

Update: AdminCP > Maintenance > Repair Tables seems to have done it!

The table is now clean!

But, of course, the infection may exist in other tables, so I would still be keen on running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.
  #14  
09-17-2013, 01:31 PM
TheLastSuperman

Quote:
Originally Posted by Macsee View Post
Update: AdminCP > Maintenance > Repair Tables seems to have done it!

The table is now clean!

But, of course, the infection may exist in other tables, so I would still be keen on running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.

Ok, then run the two queries in ozzy's post above to check. That's what those do, i.e. they "Select" results from the tables in question IF any of the codes are present within them, such as %base64% (see how in between the percentages it has base64, which is what you're specifically looking for). They simply don't delete; you must do that manually (be forewarned, though: in rare cases some valid mods use base64 code, so don't just go blindly deleting everything that comes up in the results).

Also, are you 100% sure that your files are clean? Make sure you download the same version of vBulletin from the members area and overwrite all vBulletin files, AND while you are in there, check the date on the files (the timestamps, rather)... any new files? Any recently modified files per the timestamps? If so, overwrite those with clean files and/or delete them.
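
The file check described in post #14 (compare the live install against a clean download of the same version), as an added example that is not part of the thread: it hashes both trees rather than relying on timestamps, which can be altered. The directory layout, file names and file contents below are constructed sample data.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(live_root, clean_root):
    """Return (added, modified) for the live tree relative to the clean copy."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified


def build_sample(base):
    """Constructed sample trees; names and contents are placeholders."""
    trees = {
        "clean": {"index.php": "<?php // stock", "global.php": "<?php // stock",
                  "includes/functions.php": "<?php // stock"},
        "live": {"index.php": "<?php // stock", "global.php": "<?php // changed",
                 "includes/functions.php": "<?php // stock",
                 ".htaccess": "# unexpected rules", "ini.php": "<?php // unknown"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "live"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        added, modified = compare_trees(*build_sample(tmp))
        print("not in clean package:", added)
        print("differs from clean package:", modified)
```

Files that legitimately exist only on the live site, such as the site's own config, uploads or installed mods, are also reported as not in the clean package and need manual review.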
  #15  
09-17-2013, 02:04 PM
Macsee

Quote:
Originally Posted by TheLastSuperman View Post
prefix_tablename
That worked.

Ran both the queries. The first one came up clean. The template search came up with a few results in the form of:

Quote:
styleid title template
-1 editor.css $final_rendered = '.formcontrols .blockrow.textedi...
-1 forumhome_markread_script $final_rendered = '<script type="text/javascript" ...
etc
There were some files with some dates that did not match the others. Particularly the htaccess ... and one or two new files - the typical ini.php used in this hack. Those were all deleted at the start. I will be upgrading to the latest version of vB which should overwrite all existing files.