Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

Reply
 
Thread Tools Display Modes
  #1  
Old 09-13-2013, 06:06 PM
Macsee Macsee is offline
 
Join Date: Sep 2010
Posts: 153
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Solving filestore72 hack. How to clear the database table?

I'm sorting out a filestore72 attack on my site. I'm upgrading vB to the latest version, changing passwords, deleting suspicious files, removing plugins etc.

My question is this:
There is some malicious code inserted in the datastore table of the database. It's in various places of that table and is encrypted.

How can I clear that? Can I simply delete that table and have vB recreate it somehow? Or is there another way of dealing with this?
Reply With Quote
  #2  
Old 09-13-2013, 06:10 PM
smirkley smirkley is offline
 
Join Date: Apr 2008
Posts: 627
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Would something like this help?

https://vborg.vbsupport.ru/showthread.php?t=265866
Reply With Quote
  #3  
Old 09-14-2013, 04:21 PM
Macsee Macsee is offline
 
Join Date: Sep 2010
Posts: 153
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks, smirkley. I had found that the other day and initially got excited, but it doesn't appear to do much except send you an email to tell you that the database is infected. I already know that the database is infected and which table the infection is in. I also know which text it is in the table that shouldn't be there.

What I'm hoping to get is advice on how I can delete that infection in the datastore table (not the datastore file which is something else and which, apparently, can be recreated by turning off all the plugins and then turning them back on again).
Reply With Quote
  #4  
Old 09-14-2013, 04:32 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Try editing any plugin, don't change anything, then hit Save, that may remove it.
Reply With Quote
Благодарность от:
Macsee
  #5  
Old 09-15-2013, 06:10 AM
DF031 DF031 is offline
 
Join Date: Nov 2012
Posts: 152
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is this filestore72 hack ? And how do I protect the forum ?
Reply With Quote
  #6  
Old 09-15-2013, 08:38 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Remove your install directory, it is a redirect to that site.
Reply With Quote
  #7  
Old 09-16-2013, 07:53 PM
Macsee Macsee is offline
 
Join Date: Sep 2010
Posts: 153
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.
Reply With Quote
  #8  
Old 09-16-2013, 08:01 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Macsee View Post
Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.
Were you at any point in time or currently running vBSEO? If so see here - http://www.vbseo.com/f255/vbseo-data...ng-plug-55377/ and if not then go into the database and rip it out (Disclaimer: Make a backup if you're not use to editing a database in phpmyadmin).
Reply With Quote
  #9  
Old 09-16-2013, 08:39 PM
Macsee Macsee is offline
 
Join Date: Sep 2010
Posts: 153
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

As I've said in the other thread, I've never used vBSEO. Ever. Never even considered using it. So let's stop blaming vBSEO

Quote:
Originally Posted by TheLastSuperman View Post
if not then go into the database and rip it out
Which is exactly what I asked for help on - ripping the base64 stuff out of the db. How do I do this?
Reply With Quote
  #10  
Old 09-16-2013, 09:56 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

  • Run the following Queries in phpMyAdmin:
Code:
SELECT title, phpcode,  hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode  LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%'  OR phpcode like '%iframe%';
Code:
SELECT styleid, title,  template FROM template WHERE template LIKE '%base64%' OR template LIKE  '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR  template like '%iframe%';

http://www.vbulletin.com/attachment....id=61831&stc=1
*If the above queries produce results you need to review them carefully, if they are in fact malicious delete them from the plugin manager in the admincp or in a worst case scenario using phpmyadmin.
  • If you feel the issue is within your templates themselves, you can rebuild your styles and to easily do this simply re-run the upgrade script, example url is yoursiteurl.com/install/upgrade.php
  • Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click to "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.
  • Check all software installed on your server, the hacker could have gained entry via another software. If there are updates available please update all software accordingly.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:21 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04778 seconds
  • Memory Usage 2,254KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (1)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete