Go Back   vb.org Archive > vBulletin Modifications > Archive > Modification Graveyard
Reload this Page Add-On Releases - Hackers Suck!
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Hackers Suck! Details »»
Hackers Suck!
Version: 1.0.1, by vbresults vbresults is offline
Developer Last Online: Apr 2023 Show Printable Version Email this Page
Category: Add-On Releases - Version: 4.2.x Rating:
Released: 07-10-2013 Last Update: 07-23-2013 Installs: 9
Uses Plugins
 
No support by the author.

Quote:
vBulletin is very unique on how it stores its templates and plugins, It?s different than WordPress and Joomla, all the content is saved in the database. That makes it a bit more complicated for webmasters because they can?t just use common command line tools (like grep) to search through all their files. They need to use phpMyAdmin or another database tool to try to find and fix those issues.

And that?s where this malware hides itself. It uses the Plugin system and hooks into ?global_start?, so it is called on every page request.

Read more...
What is this plugin?

This plugin allows you to export all plugin code in the database to a single file with one click. You can then scan the plugin text file for malware. This plugin will later expand into a full security audit suite.



Hackers can insert malicious code directly into the datastore, ignoring the actual plugin table and evading detection via scanning with the plugin manager. This plugin exports the live, running datastore rendering that tactic useless.

Installation
  1. Import the product Xml.
  2. The installation is complete; congratulations! Mark As Installed, Nominate For MOTM and Vote

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #2  
Old 07-11-2013, 05:38 PM
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Posts: 6,357
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I click it then save the plugin-list to my desktop then what do I do
Reply With Quote
  #3  
Old 07-11-2013, 05:43 PM
vbresults vbresults is offline
 
Join Date: Apr 2009
Posts: 687
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by ForceHSS View Post
I click it then save the plugin-list to my desktop then what do I do
Using a text editor, open it and search for "base64_encode", "eval", and "str_rot13". These are used to obfuscate the actual code to prevent you from finding it by simply typing in "iframe" or whatever the malicious code is.
Reply With Quote
  #4  
Old 07-11-2013, 05:51 PM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Wouldn't a better option just to flush the current datastore.plugin list and rebuild it from the current plugins?

Or to scan the plugin table for obfuscated code?
Reply With Quote
3 благодарности(ей) от:
ForceHSS, vbresults, z3r0
  #5  
Old 07-20-2013, 08:09 AM
DM BoNeZ DM BoNeZ is offline
 
Join Date: Jan 2012
Posts: 50
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
this looks helpful i'm going to take a look at this
Reply With Quote
Благодарность от:
vbresults
  #6  
Old 11-14-2013, 06:13 PM
crazyfalcon crazyfalcon is offline
 
Join Date: May 2008
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by vbresults View Post
Using a text editor, open it and search for "base64_encode", "eval", and "str_rot13". These are used to obfuscate the actual code to prevent you from finding it by simply typing in "iframe" or whatever the malicious code is.

If you fine eval then what ?

I found eval in 21 occurrences
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 08:52 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05016 seconds
  • Memory Usage 2,255KB
  • Queries Executed 21 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (4)post_thanks_box_bit
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (6)post_thanks_postbit_info
  • (5)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete