Solving filestore72 hack. How to clear the database table?

[Macsee]

I'm sorting out a filestore72 attack on my site. I'm upgrading vB to the latest version, changing passwords, deleting suspicious files, removing plugins etc.

My question is this:
There is some malicious code inserted in the datastore table of the database. It's in various places of that table and is encrypted.

How can I clear that? Can I simply delete that table and have vB recreate it somehow? Or is there another way of dealing with this?

[smirkley]

Would something like this help?

https://vborg.vbsupport.ru/showthread.php?t=265866

[Macsee]

Thanks, smirkley. I had found that the other day and initially got excited, but it doesn't appear to do much except send you an email to tell you that the database is infected. I already know that the database is infected and which table the infection is in. I also know which text it is in the table that shouldn't be there.

What I'm hoping to get is advice on how I can delete that infection in the datastore table (not the datastore file which is something else and which, apparently, can be recreated by turning off all the plugins and then turning them back on again).

[ozzy47]

Try editing any plugin, don't change anything, then hit Save, that may remove it.

[DF031]

What is this filestore72 hack ? And how do I protect the forum ?

[ozzy47]

Remove your install directory, it is a redirect to that site.

[Macsee]

Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.

[TheLastSuperman]

Quote:

Originally Posted by Macsee

Thanks ozzy, that didn't work. I still have the several blanks lines which seem to have been inserted deliberately followed by some encrypted text:

"....59}i+G^<+c@ve6<Z]8daDc@KO4]>LKY#eN<v8c6pe8Y#~M*{~k{S}ME;O79{e8YfL4nb8c6M~K<M~ M~?t7{P+G^5+c;1]><@~a+1~ata$,..."

I even then went to the extent of uninstalling the only plugin I had (glowhost) to no avail.

Were you at any point in time or currently running vBSEO? If so see here - http://www.vbseo.com/f255/vbseo-data...ng-plug-55377/ and if not then go into the database and rip it out (Disclaimer: Make a backup if you're not use to editing a database in phpmyadmin).

[Macsee]

As I've said in the other thread, I've never used vBSEO. Ever. Never even considered using it. So let's stop blaming vBSEO

Quote:

Originally Posted by TheLastSuperman

if not then go into the database and rip it out

Which is exactly what I asked for help on - ripping the base64 stuff out of the db. How do I do this?

[ozzy47]

• Run the following Queries in phpMyAdmin:

Code:

SELECT title, phpcode,  hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode  LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%'  OR phpcode like '%iframe%';

Code:

SELECT styleid, title,  template FROM template WHERE template LIKE '%base64%' OR template LIKE  '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR  template like '%iframe%';

http://www.vbulletin.com/attachment....id=61831&stc=1
*If the above queries produce results you need to review them carefully, if they are in fact malicious delete them from the plugin manager in the admincp or in a worst case scenario using phpmyadmin.

• If you feel the issue is within your templates themselves, you can rebuild your styles and to easily do this simply re-run the upgrade script, example url is yoursiteurl.com/install/upgrade.php
• Rebuild the plugin datastore: AdminCP > Plugins & Products > Plugin Manager > *Click to "Save Active Status". *Even though you did not change the order, saving has now rebuilt the plugin datastore.
• Check all software installed on your server, the hacker could have gained entry via another software. If there are updates available please update all software accordingly.