Check 4 Hack - Finds infected Datastore Entries
Mod Version: 1.00, by Hoffi (Member)
Developer Last Online: Mar 2016

vB Version: 4.1.4 Rating: (7 votes - 4.57 average) Installs: 151
Released: 27 Jun 2011 Last Update: Never Downloads: 1009
Not Supported Uses Plugins Additional Files Translations  

Many users have problems with infected web servers.

I wrote a small cron job that searches the datastore for possible infections and tries to repair them.

1.0 Initial release with one check:
Checks if base64 code resides in the datastore. If it's found in the pluginlist, the datastore will be rebuilt.

For more checks, tell me about them. I'll add them.

The cron job is started every 20 min and sends a mail to the entered mail address or, if none is entered, to the webmaster email address.

Install:

Upload the upload Directory and install the XML File.

German Version is also integrated.

If you want to check the plugin, enable the demo plugin, which is installed too. Only if it's enabled will the check find this.

If this mod detects an infection, please do not lean back! Research it, and fix your security hole!

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
#91
21 Sep 2013, 23:33
whodah
Join Date: Feb 2004
So for now, I changed check4hack.php from:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

to:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

It isn't a fix, and it isn't perfect. But at least instead of blank emails, you'll get a little guidance on what to do or what the email means.
#92
22 Sep 2013, 05:46
BirdOPrey5
Join Date: Jun 2008
Real name: Joe D.
I'm not sure it will make a difference but I would try commenting out the line


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

(make it)


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.
__________________
-Joe
Former vb.org Moderator. Retired.

Note - I am no longer making new VB mods, sorry.
#93
24 Sep 2013, 15:26
Wolver2
Join Date: Oct 2010
I get this note as an email from the plugin:

The following modules were infected:

pluginlist


What do I do now? Or how do I remove it?

Last edited by Wolver2; 24 Sep 2013 at 15:48.
#94
24 Sep 2013, 16:04
whodah
Join Date: Feb 2004
Originally Posted by Wolver2
I get this note as an email from the plugin:

The following modules were infected:

pluginlist


What do I do now? Or how do I remove it?
Try post #88 in this thread.
#95
24 Sep 2013, 16:26
whodah
Join Date: Feb 2004
Originally Posted by BirdOPrey5
I'm not sure it will make a difference but I would try commenting out the line


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

(make it)


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

instead.

echo will post data to the browser, it isn't something you usually want to do when running a scheduled task automatically, if used there should be a check to make sure it is being run manually.

The thing is, while it shouldn't be used best I can tell, I don't see why it would result in blank emails- but it's the only thing that sticks out at me right now.
Heya BirdOPrey5,

Thanks for the idea, but it didn't fix it.
#96
24 Sep 2013, 17:26
Wolver2
Join Date: Oct 2010
@whodah thanks for pointing it out.


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

What do I do to remove it completely?

Btw below that code you posted a link to an exploit regarding /install folder.. but I never had an install folder there after installing
#97
24 Sep 2013, 18:34
whodah
Join Date: Feb 2004
Originally Posted by Wolver2
@whodah thanks for pointing it out.


Block Disabled: Suspended or Unlicensed Members Cannot View Code.

What do I do to remove it completely?

Btw below that code you posted a link to an exploit regarding /install folder.. but I never had an install folder there after installing
Heya,

Interesting on the install thing. For me, that is what I saw all the log files hit.

For removal: this thread helped a ton:
http://www.vbulletin.com/forum/forum...i-e-p0wersurge

In particular, post number 4.

And secondly, although a lot of it is the same, the 2nd post here:
http://www.vbulletin.com/forum/forum...madnet-edition

Especially bullet point #6 as the infected plugin was by author 'vbulletin'. (fake of course, and removed of course.)
#98
13 Oct 2013, 04:06
Wolver2
Join Date: Oct 2010
@Whodah I tried the post nr. 4:

Atm trying to clean.. but I'm a newbie in this.. will report

Last edited by Wolver2; 13 Oct 2013 at 04:32.
#99
13 Oct 2013, 14:49
KHALIK
Join Date: May 2005
I am also getting the following message on my vb 4.2.2 when I manually run cron job.

Check 4 Hacking

pluginlist-

Done.

Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help

Last edited by KHALIK; 13 Oct 2013 at 15:55.
#100
14 Oct 2013, 18:53
whodah
Join Date: Feb 2004
Originally Posted by KHALIK
I am also getting the following message on my vb 4.2.2 when I manually run cron job.



Is this a standard message, indicating no infected files found?

Or is it saying pluginlist- is infected ?



Please help
Try post #88 in this thread.
#101
17 Oct 2013, 13:18
Kolbi
Join Date: Mar 2009
Real name: Matthias
I'm also getting blank mails.

It seems that tapatalk is the reason for the mails?

Version 4.8.0 Plugin: Tapatalk: Tapatalk Image Link

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

Could this be the reason for sending out the mails?
#102
18 Oct 2013, 12:11
MrD
Join Date: Aug 2003
Real name: Marcus
Hi Kolbi,
yes it is.
__________________
Greetz from Dortmund/Germany
Marcus
#103
18 Oct 2013, 15:46
Kolbi
Join Date: Mar 2009
Real name: Matthias
I guess there's no workaround to explicitly exclude this plugin?
Reply With Quote
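
The base64 check described in the first post and the exclusion asked about in post #103, as an added example that is not part of the thread or of the mod's own check4hack.php: it scans plugin rows for base64_decode()/eval() and skips a reviewed plugin only while its code hash is unchanged. The row fields, the sample code strings and the function names are assumptions made for this illustration.

```php
<?php
// Added example, PHP 7+. Rows are constructed stand-ins for plugin records;
// the field names and code strings are assumptions, not taken from the mod.
$plugins = [
    ['product' => 'vbulletin', 'title' => 'Demo infection', 'hookname' => 'global_start',
     'phpcode' => 'eval(base64_decode("ZWNobyAnZGVtbyc7"));'],
    ['product' => 'tapatalk', 'title' => 'Tapatalk Image Link', 'hookname' => 'global_start',
     'phpcode' => '$img = base64_decode($row["img"]); // constructed placeholder'],
    ['product' => 'myproduct', 'title' => 'Footer tweak', 'hookname' => 'global_complete',
     'phpcode' => '$footer .= "<!-- ok -->";'],
];

// Reviewed plugins are pinned by product AND code hash, so a modified or
// impersonating plugin is reported again instead of being skipped by name.
$allowlist = ['tapatalk' => [hash('sha256', $plugins[1]['phpcode'])]];

function scan_plugins(array $plugins, array $allowlist): array
{
    $findings = [];
    foreach ($plugins as $p) {
        $reasons = [];
        if (preg_match('/\bbase64_decode\s*\(/i', $p['phpcode'])) {
            $reasons[] = 'calls base64_decode()';
        }
        if (preg_match('/\beval\s*\(/i', $p['phpcode'])) {
            $reasons[] = 'calls eval()';
        }
        $pinned = $allowlist[$p['product']] ?? [];
        if (!$reasons || in_array(hash('sha256', $p['phpcode']), $pinned, true)) {
            continue; // nothing suspicious, or reviewed and unchanged
        }
        $findings[] = $p + ['reasons' => $reasons];
    }
    return $findings;
}

// Always returns a non-empty body, so a clean run never sends a blank mail.
function build_report(array $findings): string
{
    if (!$findings) return "Check 4 Hack: no suspicious plugin code found.\n";
    $out = 'Check 4 Hack: ' . count($findings) . " plugin(s) need review:\n";
    foreach ($findings as $f) {
        $out .= sprintf("- [%s] %s (hook %s): %s\n", $f['product'], $f['title'],
                        $f['hookname'], implode(', ', $f['reasons']));
    }
    return $out;
}

echo build_report(scan_plugins($plugins, $allowlist));
```

With the constructed rows only the "Demo infection" row is reported; any edit to the allowlisted row's code changes its hash and brings it back into the report.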
#104
19 Oct 2013, 06:00
lazytown
Join Date: Feb 2004
uninstalled -- always sends blank email.
#105
19 Oct 2013, 07:09
Teascu Dorin
Join Date: Nov 2009
Real name: Teascu Dorin
No email at all for me using demo!

vBulletin: 4.2.2
Server Type: Linux
Web Server: Apache (cgi-fcgi)
PHP: 5.3.24
MySQL Version: 5.0.96-log
__________________
Cu Respect / Best Regards / Mit freundlichen Grüßen
roStyles Design LLC
Teascu Dorin
https://www.rostyles.com