I also wrote a custom bash shell script, vbplugincheck.sh (illustrated from step 4), which is a handy tool to partially automate some of the manual legwork outlined in Zachery's blog article, where you needed to check your vBulletin database and files for infections and embedded malicious files, scripts or plugins.
The vbplugincheck.sh tool only helps with detection of infections by hackers; illustrative examples of the tool's usage are shown in step 4. You will still need to manually clean up the infections and malicious files left behind by the hacker(s). I say hackers because in some instances more than one hacker could have gotten in, and not necessarily via the same security flaw, e.g. if you have an outdated plugin such as vbseo or mismatching vB version files.
The full set of options available for vbplugincheck.sh, with explanations, is outlined in step 4.
Code:
./vbplugincheck.sh quick
./vbplugincheck.sh full
./vbplugincheck.sh quick {dbname} {dbprefix}
./vbplugincheck.sh full {dbname} {dbprefix}
./vbplugincheck.sh adminlogfull
./vbplugincheck.sh adminloguser
./vbplugincheck.sh adminlogtemp
./vbplugincheck.sh adminlogactions
./vbplugincheck.sh adminlogfull {dbname} {dbprefix}
./vbplugincheck.sh adminloguser {dbname} {dbprefix}
./vbplugincheck.sh adminlogtemp {dbname} {dbprefix}
./vbplugincheck.sh adminlogactions {dbname} {dbprefix}
./vbplugincheck.sh qkeyword
./vbplugincheck.sh fkeyword
./vbplugincheck.sh qkeyword {dbname} {dbprefix}
./vbplugincheck.sh fkeyword {dbname} {dbprefix}
./vbplugincheck.sh tempcheck
./vbplugincheck.sh temphistcheck
./vbplugincheck.sh tempcheck {dbname} {dbprefix}
./vbplugincheck.sh temphistcheck {dbname} {dbprefix}
./vbplugincheck.sh usertitle
./vbplugincheck.sh ads
./vbplugincheck.sh usertitle {dbname} {dbprefix}
./vbplugincheck.sh ads {dbname} {dbprefix}
./vbplugincheck.sh ranks
./vbplugincheck.sh ranks {dbname} {dbprefix}
./vbplugincheck.sh setting
./vbplugincheck.sh setting {dbname} {dbprefix}
./vbplugincheck.sh pluginlist
./vbplugincheck.sh pluginlist {dbname} {dbprefix}
If you save your vbplugincheck.sh output to a text file, you can easily use a file comparison tool like BeyondCompare to compare your infected database's output side by side with that of a known clean database backup (restored under a new database name), making it easier to visually spot the differences you need to investigate.
Saving output to a text file is as easy as adding > filename.txt to the end of the script and option command.
Code:
./vbplugincheck.sh quick > filename.txt
The screenshot shows the infected MySQL database's output on the left compared side by side with the clean MySQL database's output on the right. As you can see, a hookname, init_startup, is present in the hacked database and not in the clean backup. This needs further investigation: when you look in your plugins you will find this init_startup hookname, and within it will be embedded malicious code or even a PHP backdoor or cmdshell. In some instances, if your home computer has proper anti-virus and/or malware detection software installed, accessing or editing the init_startup hookname may trigger a virus alert on your home computer, depending on what type of code is embedded. So all you need to do is delete that init_startup hookname.
Note: vbplugincheck.sh quick and the other options listed above can also report false positives for infections or malicious code, as the searches are on wildcard terms such as %base64% and %iframe%, so you need to take a closer look and determine whether any custom code or plugins you have added are legitimate. If unsure, you can always revert all custom templates, and remove and reinstall all plugins and their associated PHP files (that you uploaded via FTP).
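As an added example (not the vbplugincheck.sh script from this post), the POSIX shell script below shows the two ideas above in working form: the wildcard LIKE query that produces the keyword hits (and the false positives), and the saved-output comparison against a clean backup that surfaces a hookname such as init_startup. It assumes the vB 3.x/4.x plugin table columns pluginid, hookname, title and phpcode; the sample hookname listings are constructed.

```shell
#!/bin/sh
# Added example, not the vbplugincheck.sh script from the post. It reproduces two
# steps the post describes: the wildcard keyword query against the plugin table,
# and comparing a saved hookname listing against one from a clean backup.
# Assumption: vBulletin's plugin table (prefix + "plugin") has columns pluginid,
# hookname, title and phpcode, as in the vB 3.x/4.x schema.

# Build the SQL a quick-style check would run for one wildcard keyword,
# e.g. '%base64%' or '%iframe%'. The LIKE pattern is what produces the
# false positives the post warns about, so review every hit by hand.
plugin_keyword_sql() {
  prefix="$1"
  keyword="$2"
  printf "SELECT pluginid, hookname, title FROM %splugin WHERE phpcode LIKE '%s';\n" \
    "$prefix" "$keyword"
}

# Print hooknames present in the suspect output but absent from the clean
# backup's output (one hookname per line in each file). Anything listed here,
# like init_startup in the post's screenshot, needs investigation.
hooks_only_in_suspect() {
  suspect_sorted=$(mktemp)
  clean_sorted=$(mktemp)
  sort -u "$1" > "$suspect_sorted"
  sort -u "$2" > "$clean_sorted"
  comm -23 "$suspect_sorted" "$clean_sorted"
  rm -f "$suspect_sorted" "$clean_sorted"
}

# Constructed sample listings standing in for saved "pluginlist" output from the
# hacked database and from the clean backup restored under a new name.
SUSPECT_HOOKS=$(mktemp)
CLEAN_HOOKS=$(mktemp)
trap 'rm -f "$SUSPECT_HOOKS" "$CLEAN_HOOKS"' EXIT
printf 'global_start\ninit_startup\nparse_templates\n' > "$SUSPECT_HOOKS"
printf 'global_start\nparse_templates\n' > "$CLEAN_HOOKS"

echo "SQL for a %base64% check on prefix vb_:"
plugin_keyword_sql vb_ '%base64%'
echo "Hooknames only in the suspect database:"
hooks_only_in_suspect "$SUSPECT_HOOKS" "$CLEAN_HOOKS"
```

Run the real query with the mysql client against both databases, save each hookname column to a file, and feed the two files to hooks_only_in_suspect in place of the constructed ones.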
Other vbplugincheck.sh option examples
Checking your usergroups' usertitle table for malicious HTML code embedded there, via the usertitle option. Below I altered the Senior Member title and added an exclamation mark (!) as an example. Hackers could add malicious script or HTML code here if they wanted.
Code:
./vbplugincheck.sh usertitle vb422a1
+-------------+----------+-----------------+
| usertitleid | minposts | title           |
+-------------+----------+-----------------+
|           1 |        0 | Junior Member   |
|           2 |       30 | Member          |
|           3 |      100 | Senior Member ! |
+-------------+----------+-----------------+
Code:
./vbplugincheck.sh ads vb422a1
*************************** 1. row ***************************
        adid: 1
       title: test ad
  adlocation: global_below_navbar
displayorder: 10
      active: 1
     snippet: html code
Code:
./vbplugincheck.sh ranks vb422a1
*************************** 1. row ***************************
     rankid: 1
   minposts: 10
  ranklevel: 1
    rankimg: Noob
usergroupid: 0
       type: 1
      stack: 0
    display: 0
Code:
./vbplugincheck.sh setting vb422a1
Enter keyword to search for i.e. %script% or %refresh : %script%
---------------------------------------------------------------------
check setting tables value for %script%
---------------------------------------------------------------------
     varname: bbtitle
  grouptitle: address
       value: vB 4.2.2 PHP 5.4 Test Forums <script>
defaultvalue: vBulletin Forums
displayorder: 10
Other checks
The 10 page guide also illustrates other potential precautions and checks you should do. For example:
- checking for malicious files in user-uploadable content directories such as /customavatars and /attachments (if you make the mistake of placing attachments in the filesystem under a publicly web-accessible directory).
- running anti-virus and malware scans on your files and directories. I recommend at least AVG Anti-virus for Linux and Linux Malware Detect (maldet).
- locking down vB config.php and its settings, ensuring proper vB upgrade procedures are followed, and in general securing other non-vB scripts which are installed on the same server.
- file and directory permission checks
- use of the usergroup password expiry feature and ensuring folks are changing passwords
Sources & other recommended reading: