The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

Check 4 Hack - Finds infected Datastore Entries
Developer Last Online: Mar 2016

Many users have problems with infected webservers.

I wrote a small cron job that searches the datastore for possible infections and tries to repair them.

1.0 Initial release with one check: checks if base64 code resides in the datastore. If it's found in the pluginlist, the datastore will be rebuilt.

If you want more checks, tell me. I'll add them.

The cron job will be started every 20 min and sends a mail to the entered mail address, or, if none is entered, to the webmaster e-mail address.

Install: Upload the upload directory and install the XML file. A German version is also integrated.

If you want to check the plugin, enable the demo plugin, which is installed too. Only if it's enabled will the check find this.

If this mod detects an infection, please do not lean back! Research it, and fix your security hole!

Comments

#112
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?
Code:
```
if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
```
Code:
```
!($pagetext = base64_decode($vbulletin->GPC['html']))
```

#113
Hmm... we're running 4.2.0 PL4 with the scheduled task running and it's not detecting those lines? Maybe they don't appear in 4.2.0?
Which files did you find them in?

PS: nice addition with the detection

#114
This is not in the code by default; if you have this, then you have an infection.

#115
Hi Andy.H and ForceHSS,
Interesting... Digging deeper. The thing that makes me suspect is that I have a backup install on another server, different pw's, that is 100% .htaccess protected (front end and admin end) which has those same two lines... Digging, will report back...

#116
ForceHSS:
Are you sure you are 4.2.2 PL1? If so, do your install files fresh from vB not have this?

Code:
```
includes/xml/product-panjo.xml: if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml: !($pagetext = base64_decode($vbulletin->GPC['html']))
```
Code:
```
[root@hurley upload]# grep -RIi base64_decode *
asset.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
attachment.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
blog_attachment.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
cron.php:$filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php: $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php: $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php: return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php: return base64_decode($string);
includes/functions.php: return ($decode ? vb_base64_decode($return) : $return);
includes/xml/product-panjo.xml: if ((!$message = base64_decode($vbulletin->GPC['pm_message']))) {
includes/xml/product-panjo.xml: !($pagetext = base64_decode($vbulletin->GPC['html']))
picture.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
forumrunner/push.php: $msgargs = array(base64_encode(prepare_utf8_string($vbulletin->options['bbtitle'])));
forumrunner/push.php: $msgargs[] = base64_encode(count($pms));
forumrunner/push.php: $msgargs[] = base64_encode(prepare_utf8_string($first_pm['fromusername']));
forumrunner/push.php: $msgargs[] = base64_encode(count($subs));
forumrunner/push.php: $msgargs[] = base64_encode(prepare_utf8_string($first_sub['title']));
forumrunner/support/Snoopy.class.php: $headers .= "Authorization: Basic ".base64_encode($this->user.":".$this->pass)."\r\n";
forumrunner/support/Snoopy.class.php: $headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($this->proxy_user . ':' . $this->proxy_pass)."\r\n";
forumrunner/support/Snoopy.class.php: $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar)
includes/class_mail.php: if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/facebook/base_facebook.php: $str = strtr(base64_encode($input), '+/', '-_');
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php: return base64_encode($string);
includes/functions.php: $string = vb_base64_encode($string);
vb/verticalresponse.php: 'contents' => vb_base64_encode($members),
[root@hurley upload]#
```

#117
Andy.H: for completeness, I checked out 4.2.0PL4, and it looks like those lines are not in there:
Code:
```
[root@hurley upload]# grep -RIi base64_decode *
asset.php: $filedata = vb_base64_decode('STRING_REPLACED_BY_WHODAH==');
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['validation'])) . "', '" .
includes/adminfunctions_template.php: $vbulletin->db->escape_string(vb_base64_decode($stylevardfn['failsafe'])) . "', 0, 0
includes/adminfunctions_template.php: $value = vb_base64_decode($stylevar['value'][0]);
includes/adminfunctions_template.php: $decode[$stylevars['name']] = vb_base64_decode($stylevars['value'][0]);
includes/facebook/base_facebook.php: return base64_decode(strtr($input, '-_', '+/'));
includes/functions.php:function vb_base64_decode($string)
includes/functions.php: if (function_exists('base64_decode'))
includes/functions.php: return base64_decode($string);
includes/functions.php: return ($decode ? vb_base64_decode($return) : $return);
[root@hurley upload]# grep -RIi base64_encode *
admincp/navigation.php: $name .= '_' . strtolower(substr(vb_base64_encode(TIMENOW),4,4));
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_plugin.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_plugin.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_plugin.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'validation' => vb_base64_encode($stylevar['validation']),
includes/adminfunctions_template.php: 'failsafe' => vb_base64_encode($stylevar['failsafe'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar['value'])
includes/adminfunctions_template.php: 'value' => vb_base64_encode($stylevar)
includes/class_mail.php: if (!$this->sendMessage(vb_base64_encode($this->smtpUser), 334) OR !$this->sendMessage(vb_base64_encode($this->smtpPass), 235))
includes/facebook/base_facebook.php: * Exactly the same as base64_encode except it uses
includes/functions.php:function vb_base64_encode($string)
includes/functions.php: if (function_exists('base64_encode'))
includes/functions.php: return base64_encode($string);
includes/functions.php: $string = vb_base64_encode($string);
vb/verticalresponse.php: 'contents' => vb_base64_encode($members),
[root@hurley upload]#
```

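The comparison done by hand in posts #116 and #117 (grep the install, then check whether a fresh download of the same release contains the same lines) can be scripted so that lines shipped with the release stop showing up as false positives. This is an added example, not part of the thread or of the Check 4 Hack mod; the function names and the sample trees are constructed for illustration.

```bash
#!/bin/sh
# Added example: report base64_decode hits that exist in a live tree but not in
# a pristine copy of the same release. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # comm needs both lists sorted with the same collation

# list_hits DIR: print "path:code" for every base64_decode hit, whitespace-trimmed.
list_hits() {
    ( cd "$1" && grep -RIi 'base64_decode' . ) |
        sed -e 's|^\./||' -e 's/:[[:space:]]*/:/' -e 's/[[:space:]]*$//' |
        sort -u
}

# unexpected_hits LIVE PRISTINE: hits found only in LIVE (candidates for review).
unexpected_hits() {
    tmp=$(mktemp -d) || return 1
    list_hits "$1" > "$tmp/live"
    list_hits "$2" > "$tmp/pristine"
    comm -23 "$tmp/live" "$tmp/pristine"
    rm -rf "$tmp"
}

# make_demo_trees ROOT: constructed sample trees, not real vBulletin files.
make_demo_trees() {
    mkdir -p "$1/pristine/includes" "$1/live/includes"
    printf '%s\n' '<?php' '    return base64_decode($string);' \
        > "$1/pristine/includes/functions.php"
    cp "$1/pristine/includes/functions.php" "$1/live/includes/functions.php"
    # A line that exists only in the live tree (inert constructed placeholder).
    printf '%s\n' '<?php' "\$payload = base64_decode('CONSTRUCTED_PLACEHOLDER');" \
        > "$1/live/includes/extra.php"
}

# Demo run on the constructed trees: only the extra.php line is reported.
demo_root=$(mktemp -d)
make_demo_trees "$demo_root"
unexpected_hits "$demo_root/live" "$demo_root/pristine"
rm -rf "$demo_root"
```

The pristine tree has to be the same version and patch level as the live one, with the same add-on products unpacked, or legitimate lines will be reported. It only covers files on disk, so plugin code stored in the database still needs the datastore check.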
#118
Yes, I have them in default files as well. Not sure if all, as I have not checked all of them, but I am sure if it is a problem vB would post about it, so don't worry about it.

#119
That would explain it then. It does leave you in a bit of a quandary if you're running 4.2.2 though. Does it generate any false positives when you run the task manually?

#120
ForceHSS: roger that.
Andy.H: yup yup, false positives as of now. Did you see my post #110 above? I haven't had time to write a replace string for these two yet, but I'm thinking a similar notion would work here too. Thanks for the inspiration for that idea again.

#121
This isn't working on version 4.2.2 for me. Any plans to update this mod?