Go Back   vb.org Archive > vBulletin Modifications > vBulletin 4.x Modifications > vBulletin 4.x Add-ons
Reload this Page Administrative and Maintenance Tools - Check 4 Hack - Finds infected Datastore Entries
FAQ Community Calendar Today's Posts Search

Reply
Page 4 of 13 « First 23 4 56 Last »
 
Thread Tools
Check 4 Hack - Finds infected Datastore Entries Details »»
Check 4 Hack - Finds infected Datastore Entries
Version: 1.00, by Hoffi Hoffi is offline
Developer Last Online: Mar 2016 Show Printable Version Email this Page
Category: Administrative and Maintenance Tools - Version: 4.1.4 Rating:
Released: 06-26-2011 Last Update: Never Installs: 152
Uses Plugins
Additional Files Translations  
No support by the author.

Many Users have Problems with infected Webservers.

I wrote a small Cron-Job that searches the datastore for possible infects and tried to repair them.

1.0 Initial relase with one check:
Checks if a base64 Code resists in the Datastore. If it's found in the pluginlist, the Datastore will be rebuild.

For more Checks, tell them. I'll add them.

The Cron Job will be started every 20 Min, and sends a Mail to the entered Mailadress, or if non entered, to the webmaster eMail-adress.

Install:

Upload the upload Directory and install the XML File.

German Version is also integrated.

If you want to check the Plugin, enable the Demo-Plugin which is installed, too. Only if it's enabled, the Check will find this.

If this Mod detects an infect, please do not lean back! Research it, and fix your security Hole!

Download Now

File Type: zip c4h.zip (2.8 KB, 1147 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
8 благодарности(ей) от:
djbaxter, fahris, furnival, Lee G, strudinox, TheLastSuperman, Toxic2

Comments
  #32  
Old 07-01-2011, 05:02 PM
djbaxter djbaxter is offline
 
Join Date: Aug 2006
Location: Ottawa, Canada
Posts: 2,601
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by MentaL View Post
I got no infected email just 3 blanks.
Did you enable the demo plugin to test it? If not, manually running the cron job will send the blank email unless you have a real infection somewhere.
Reply With Quote
  #33  
Old 07-01-2011, 05:48 PM
MentaL's Avatar
MentaL MentaL is offline
 
Join Date: Jan 2003
Posts: 550
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Im on vb3 and cannot find no place to enable the demo.

/EDIT
Corrupt Datastore found!


The following modules were infected:

vbindex_config

/edit , decoded and it says

Quote:
<div class="smallfont" style="text-align: center">vBindex Copyright &copy; MMII - MMIV Winter Systems.</div>
Reply With Quote
  #34  
Old 07-01-2011, 05:58 PM
djbaxter djbaxter is offline
 
Join Date: Aug 2006
Location: Ottawa, Canada
Posts: 2,601
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Then you need to delete that file: vbindex_config - what is that, anyway? That's not part of vBulletin, as far as I know.
Reply With Quote
  #35  
Old 07-01-2011, 06:21 PM
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
Posts: 2,528
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Simply checking for "base64" seems like it would give a lot of false positives... There are lots of legitimate uses for encoding data.

It's a good idea, but I think the implementation needs to be refined a lot, otherwise users will end up confused and scared.
Reply With Quote
  #36  
Old 07-03-2011, 08:12 AM
Hoffi's Avatar
Hoffi Hoffi is offline
 
Join Date: Nov 2001
Location: Germany
Posts: 342
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I did not use any AddOn that use the base64 Code in a plugin, so it works for me. If you know a plugin which uses this code, I can add some extra functionality that looks in which plugin the code is used.

If you got a blank email, I assume that some phrases are missing. eMails were only send, if base64 is found in the datastore.
Reply With Quote
  #37  
Old 07-03-2011, 08:25 PM
onealien's Avatar
onealien onealien is offline
 
Join Date: Jun 2010
Posts: 86
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
installed and working....3.8.x

THANKS...
Reply With Quote
  #38  
Old 07-03-2011, 09:03 PM
djbaxter djbaxter is offline
 
Join Date: Aug 2006
Location: Ottawa, Canada
Posts: 2,601
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by onealien View Post
installed and working....3.8.x
Hmmm... it installed and tests fine on a 3.8.3 forum where I am a tech admin, but that forum was re-infected with the filestore123.info redirect without triggering this add-on.

Cleared the datastore (you can do this by disabling and then re-enabling any product/plug-in) so the redirect is gone again. Will continue to monitor.

Added: see below https://vborg.vbsupport.ru/showpost....2&postcount=39
Reply With Quote
  #39  
Old 07-04-2011, 02:44 PM
CBrown CBrown is offline
 
Join Date: Mar 2006
Posts: 25
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Ok...

I ran this, and it's telling me: pluginlist is infected?

Exactly how would I go about double checking if this is correct or a false positive?

This seems odd.

Great add-on... Now just to wrap my head about what I got going on here.
Reply With Quote
  #40  
Old 07-04-2011, 03:15 PM
djbaxter djbaxter is offline
 
Join Date: Aug 2006
Location: Ottawa, Canada
Posts: 2,601
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by djbaxter View Post
Hmmm... it installed and tests fine on a 3.8.3 forum where I am a tech admin, but that forum was re-infected with the filestore123.info redirect without triggering this add-on.

Cleared the datastore (you can do this by disabling and then re-enabling any product/plug-in) so the redirect is gone again. Will continue to monitor.
Ignore this. I checked further and discovered that the cron job wasn't running. Somehow it was set to run only on the 11th of the month instead of daily.

It does on fact work as it should in vBulletin 3.8.3.
Reply With Quote
  #41  
Old 07-11-2011, 04:56 PM
CBrown CBrown is offline
 
Join Date: Mar 2006
Posts: 25
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Just to be clear...

If you get a blank email -> Does that mean nothing was found?
Reply With Quote
Reply
Page 4 of 13 « First 23 4 56 Last »

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 12:23 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04975 seconds
  • Memory Usage 2,341KB
  • Queries Executed 28 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (7)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (1)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete