Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
Reload this Page base64 in database
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 04-25-2017, 06:09 AM
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default base64 in database
should our VB database contain any base64 code?

Ii seems to be linked to an if subscriptions.php type command

Code:
if (strpos($_SERVER['PHP_SELF'],'subscriptions.php')) {

eval(gzinflate(base64_decode('
This is present in adminutil and datastore

We have had an issue with includes/datastore/datastore_cache.php erasing itself every 24 hours, and taking the forum down untill a new copy is uploaded. within a few hours the file then contains this same code as found in the database

is it safe to remove the entry from the database?

New files have been uploaded many times, so we think that it can only be the database thats keeping causing the issue
Reply With Quote
  #2  
Old 04-25-2017, 11:11 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
That looks like a backdoor to execute commands on the server, so yes you should remove it immediately. However, you might want to look into where it's coming from.
Reply With Quote
  #3  
Old 05-02-2017, 07:18 PM
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Dave, would you be able to offer advise and / or a quote to help with this please
Reply With Quote
  #4  
Old 05-03-2017, 09:31 AM
Kane@airrifle's Avatar
Kane@airrifle Kane@airrifle is offline
 
Join Date: Jun 2011
Location: ZA
Posts: 181
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4
Reply With Quote
  #5  
Old 05-06-2017, 02:26 PM
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
ok, im slowly working my way through this, following numerous online guides, and racking up the google air miles.

just about EVERY post that asks about any base64 code within vbulletin files, seems to be met with the default answer from vbulletin staff that 'vbulletin doesnt contain any base64 code, its been added by hackers, redownload new files'

Ive downloaded new files, and before even unzipping them, have found the following INSIDE the default vbulletin file attachment.php

Code:
$filedata = vb_base64_decode('R0lGODlhAQABAIAAAMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
As someone who is not an expert, and following guidance telling me that i should have NO base64 code AT ALL in ANY vbulletin file, i dont know how i should proceed next, as i have found around a dozen default files that contain base64

--------------- Added [DATE]1494088047[/DATE] at [TIME]1494088047[/TIME] ---------------

Quote:
Originally Posted by Kane@airrifle View Post
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4
This was indeed tucked away, and has since been removed. After removing it i cleared the system cache, and this has also caused the entire entry to be removed from the database
Reply With Quote
  #6  
Old 05-06-2017, 02:41 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
The base64 encoded string you posted is fine and part of vBulletin. I believe it acts as a transparent image or something like that.
Reply With Quote
  #7  
Old 09-28-2017, 07:54 PM
twitch's Avatar
twitch twitch is offline
 
Join Date: Apr 2005
Posts: 260
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Do you simply delete the code? or delete the init_startup tables in the database? I found two of them
Reply With Quote
  #8  
Old 09-28-2017, 07:55 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You can either delete the code or delete the entire hook in the plugin system, just make sure there's no valid code in the hook or else you may break something.
Reply With Quote
Благодарность от:
twitch
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 12:05 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04049 seconds
  • Memory Usage 2,233KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (1)post_thanks_box_bit
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete