The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Check 4 Hack - Finds infected Datastore Entries
Developer Last Online: Mar 2016
Many Users have Problems with infected Webservers.

I wrote a small Cron-Job that searches the datastore for possible infects and tries to repair them.

1.0 Initial release with one check:
Checks if a base64 Code resides in the Datastore. If it's found in the pluginlist, the Datastore will be rebuilt.

For more Checks, tell them. I'll add them.

The Cron Job will be started every 20 Min, and sends a Mail to the entered mail address, or if none entered, to the webmaster email address.

Install:
Upload the upload Directory and install the XML File.
German Version is also integrated.

If you want to check the Plugin, enable the Demo-Plugin which is installed, too. Only if it's enabled, the Check will find this.

If this Mod detects an infect, please do not lean back! Research it, and fix your security Hole!
Comments
#82
I'd like to know if this is working or how to make it work with 4.2.1 as well.
As Wolver2 said above, it's very important to many of us. Or is there another product that's compatible with 4.2.1??
#83
I think it's working as I get the emails for 4.2.1 and I get "Infects found: {1}"
BUT I CANNOT SEE WHERE! the emails are all blank lol
#84
Hmm... after 15 months of using this addon I'm now getting blank emails at 2, 22 and 42 minutes of every hour (which is when the job is scheduled to run).
Haven't installed anything lately so I'm guessing there was/is some sort of infection, however the files are blank. There are no infected addons according to the emails I'm getting, including the first. Any idea?
#85
Running 4.2.0pl2 and get this response running the cron job regardless of whether demo is active/enabled or not:
The following modules were infected: pluginlist

Read through this whole thread, didn't find anything to tell me whether I have a problem or not. Any help?
#86
Makes me wonder why this isn't built in functionality. :/
#87
you can run for : 4.x.x
#88
As this has never been updated I have fixed the English version as some of it was not in English and also the grammar was not the best. This is all that I have done
#89
I have a question, and can offer some help/advice.

I installed this on a known compromised site. I was getting blank emails every 20 minutes. Scheduled Task Log Viewer indicates what a lot of folks previously posted here on when asking about 'pluginlist'

9957 Check 4 Hacking 12:14, 19th Sep 2013 Infects found: pluginlist
9956 Check 4 Hacking 11:42, 19th Sep 2013 Infects found: pluginlist
9955 Check 4 Hacking 11:22, 19th Sep 2013 Infects found: pluginlist
(over and over)

I went into phpMyAdmin and ran this query:

Code:
```
SELECT title FROM datastore WHERE data LIKE '%base64%'
```

resultant row: pluginlist

Code:
```
SELECT * FROM `datastore` WHERE `title` = 'pluginlist';
```

edited that record, found:

Code:
```
.... if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) { eval(gzinflate(base64_decode('HJ3HkqNQEkU/Zzq ....
```

Dug some more, found they injected some stuff off this issue: http://www.vbulletin.com/forum/forum...-1-vbulletin-5

And this is indeed the remnants of the known compromised site. I.e. subscriptions.php leads to that C99madShell v. 2.0 madnet edition file/exploit.

So: why the blank emails every 20 minutes? I set up a test in check4hack.php changing it from:

Code:
```
vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action(implode(", ",$storages), $nextitem, 1);
```

Code:
```
vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
log_cron_action(implode(", ",$storages), $nextitem, 1);
```

This explains why it 'works' for most people. One turns on 'demo', runs the cron by hand, you get the email, you turn off 'demo', and never get a 'broken' email.

Can anyone smarter than me tell me why those wouldn't be set during automatic cron vs. 'run now' cron? That'd be the key to fixing it!
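Added example, not part of the thread or of Check4Hack: the mod's log only names the datastore row (`pluginlist`), so the code below lists which hook inside that row carries the markers found by hand in the post above, without executing anything. It assumes the `data` value is a PHP-serialized array keyed by hook name; the function name, marker list and sample data are constructed for illustration.

```php
<?php
// Added example, not part of Check4Hack. Nothing here executes plugin code.

// Heuristic markers chosen for this example; legitimate plugins can match too.
const SUSPECT_MARKERS = [
    'eval'          => '/\beval\s*\(/i',
    'base64_decode' => '/\bbase64_decode\s*\(/i',
    'gzinflate'     => '/\bgzinflate\s*\(/i',
];

/**
 * @param string $serialized value of datastore.data for title = 'pluginlist'
 *                           (assumed to be a serialized hook => code array)
 * @return array hook name => list of [marker, byte offset, excerpt]
 */
function find_suspect_hooks(string $serialized): array
{
    // allowed_classes => false: never instantiate objects from untrusted data.
    $hooks = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($hooks)) {
        throw new InvalidArgumentException('not a serialized array');
    }
    $hits = [];
    foreach ($hooks as $hook => $code) {
        if (!is_string($code)) {
            continue;
        }
        foreach (SUSPECT_MARKERS as $marker => $regex) {
            if (preg_match($regex, $code, $m, PREG_OFFSET_CAPTURE)) {
                $offset = $m[0][1];
                // Short excerpt so the report shows where to look.
                $hits[$hook][] = [$marker, $offset, substr($code, $offset, 40)];
            }
        }
    }
    return $hits;
}

// Constructed sample: one clean hook, one carrying an inert placeholder payload.
$sample = serialize([
    'global_start' => '$show["demo"] = true;',
    'init_startup' => 'if (strpos($_SERVER["PHP_SELF"], "subscriptions.php")) '
                    . '{ eval(gzinflate(base64_decode("PLACEHOLDER"))); }',
]);

foreach (find_suspect_hooks($sample) as $hook => $found) {
    foreach ($found as [$marker, $offset, $excerpt]) {
        printf("%s: %s at byte %d: %s\n", $hook, $marker, $offset, $excerpt);
    }
}
```

A hit only narrows the search to a hook; the plugin that contributed the code still has to be identified and the entry point that allowed the write closed.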
#90
Heya,
Thought I'd post the code of check4hack.php written by the OP. It is really short, and maybe someone browsing this can say, "oh, well that needs to be set when called by cron automatically vs. run 'by hand'" or something?

Code:
```
<?php
/*======================================================================*\
|| #################################################################### ||
|| # Check4Hack by Hoffi                                              # ||
|| #################################################################### ||
\*======================================================================*/

// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
if (!is_object($vbulletin->db))
{
	exit;
}

// ########################################################################
// ######################### START MAIN SCRIPT ############################
// ########################################################################

// Send the reminder email only once.
$infections = $vbulletin->db->query_read("SELECT title FROM " . TABLE_PREFIX . "datastore WHERE data LIKE '%base64%'");
//vbmail_start();

$send = false;
$storages = array();
$recipent = ($vbulletin->options['check4hack_email']?$vbulletin->options['check4hack_email']:$vbulletin->options['webmasteremail']);

while ($infect = $vbulletin->db->fetch_array($infections))
{
	$storages[] = $infect['title'];
	$send = true;
	echo $infect['title']."-";
}

foreach($storages as $item)
{
	switch ($item)
	{
		// During the following found Items, the Datastore need to rebuild.
		case 'pluginlist':
			vBulletinHook::build_datastore($vbulletin->db);
			break;
	}
}

if ($send)
{
	vbmail($recipent,$vbphrase['c4h_subject'],construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)));
	log_cron_action("whodahtest1 ".$recipent, $nextitem, 1);
	log_cron_action("whodahtest2 ".$vbphrase['c4h_subject'], $nextitem, 1);
	log_cron_action("whodahtest3 ".construct_phrase($vbphrase['c4h_body'], implode(", ",$storages)), $nextitem, 1);
	log_cron_action(implode(", ",$storages), $nextitem, 1);
}

vbmail_end();

?>
```
#91
And here is an example of the Scheduled Task Log when running it 'by hand':
Code:
```
10311 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: pluginlist
10310 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest3 The following modules were infected: pluginlist
10309 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest2 Corrupt Datastore found!
10308 Check 4 Hacking 10:12, 20th Sep 2013 Infects found: whodahtest1 email@address.com
```

Code:
```
10315 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: pluginlist
10314 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest3
10313 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest2
10312 Check 4 Hacking 10:14, 20th Sep 2013 Infects found: whodahtest1 email@address.com
```