Check 4 Hack - Finds infected Datastore Entries
Mod Version: 1.00, by Hoffi (Member)
Developer Last Online: Mar 2016
vB Version: 4.1.4, Rating: (7 votes - 4.57 average), Installs: 151
Released: 27 Jun 2011, Last Update: Never, Downloads: 1009
Tags: Not Supported, Uses Plugins, Additional Files, Translations

Many users have problems with infected webservers.

I wrote a small cron job that searches the datastore for possible infections and tries to repair them.

1.0 Initial release with one check:
Checks whether base64 code resides in the datastore. If it is found in the pluginlist, the datastore will be rebuilt.

For more checks, tell me. I'll add them.

The cron job runs every 20 minutes and sends a mail to the entered mail address or, if none is entered, to the webmaster email address.

Install:

Upload the upload directory and install the XML file.

A German version is also integrated.

If you want to test the check, enable the demo plugin, which is installed too. Only if it is enabled will the check find it.

If this mod detects an infection, please do not lean back! Research it, and fix your security hole!
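The datastore check described above, as an added example that is not the mod's own code. It runs the same kind of check, a LIKE match on the word base64 over the datastore, against an in-memory SQLite stand-in for vBulletin's `datastore` (title, data) and `plugin` (hookname, phpcode, active, executionorder) tables; the column names, the pluginlist layout (hook name => concatenated plugin code) and the sample plugin bodies are assumptions made for this example. Two things it adds to the bare verdict: it reports the hook the match lives in, and it shows why "rebuild the datastore" only helps when the injection sits in the cached datastore and not in the `plugin` table the rebuild reads from.

```python
import base64
import re
import sqlite3

# Added example, not code from the Check 4 Hack mod. It runs the same kind of
# check on an in-memory SQLite stand-in for vBulletin's `datastore` (title,
# data) and `plugin` (hookname, phpcode, active, executionorder) tables. The
# column names, the pluginlist layout (hook name => concatenated plugin code)
# and the sample plugin bodies are assumptions made for this example.


def php_serialize(d):
    """Serialise a flat dict of str -> str the way PHP's serialize() does."""
    parts = ['s:%d:"%s";s:%d:"%s";' % (len(k.encode()), k, len(v.encode()), v)
             for k, v in d.items()]
    return "a:%d:{%s}" % (len(d), "".join(parts))


def php_unserialize(blob):
    """Minimal parser for a PHP-serialised array of str -> str pairs, the
    shape of the pluginlist datastore entry. Lengths are byte counts."""
    data = blob.encode()
    head = re.match(rb"a:(\d+):\{", data)
    pos = head.end()

    def read_string():
        nonlocal pos
        if data[pos:pos + 2] != b"s:":
            raise ValueError("expected string at offset %d" % pos)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                     # skip ':"'
        value = data[start:start + length]
        pos = start + length + 2              # skip '";'
        return value.decode()

    out = {}
    for _ in range(int(head.group(1))):
        key = read_string()
        out[key] = read_string()
    return out


def build_pluginlist(conn):
    """What a datastore rebuild does: regenerate pluginlist from the plugin
    table, concatenating the active plugins of each hook in execution order."""
    rows = conn.execute("SELECT hookname, phpcode FROM plugin WHERE active = 1 "
                        "ORDER BY hookname, executionorder").fetchall()
    plugins = {}
    for hook, code in rows:
        plugins[hook] = plugins.get(hook, "") + code + "\n"
    conn.execute("DELETE FROM datastore WHERE title = 'pluginlist'")
    conn.execute("INSERT INTO datastore (title, data) VALUES ('pluginlist', ?)",
                 (php_serialize(plugins),))
    conn.commit()


def scan_datastore(conn):
    """The mod's check, a LIKE match on 'base64', but reported per hook so the
    verdict is more useful than a bare 'pluginlist'."""
    findings = []
    rows = conn.execute("SELECT title, data FROM datastore WHERE data LIKE '%base64%'")
    for title, data in rows:
        if title == "pluginlist":
            findings += [(title, hook) for hook, code in php_unserialize(data).items()
                         if "base64" in code.lower()]
        else:
            findings.append((title, None))
    return findings


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE datastore (title TEXT PRIMARY KEY, data TEXT);
        CREATE TABLE plugin (hookname TEXT, phpcode TEXT, active INTEGER, executionorder INTEGER);
        INSERT INTO plugin VALUES ('global_start', '$vbulletin->options[''foo''] = 1;', 1, 5);
    """)
    build_pluginlist(conn)
    loader = 'eval(base64_decode("%s"));' % base64.b64encode(b"echo 'owned';").decode()

    # Case 1 (constructed): payload written straight into the cached datastore,
    # so it never appears in the AdminCP plugin list. A rebuild removes it.
    plugins = php_unserialize(conn.execute(
        "SELECT data FROM datastore WHERE title = 'pluginlist'").fetchone()[0])
    plugins["init_startup"] = loader
    conn.execute("UPDATE datastore SET data = ? WHERE title = 'pluginlist'",
                 (php_serialize(plugins),))
    found = scan_datastore(conn)
    build_pluginlist(conn)
    after_rebuild = scan_datastore(conn)

    # Case 2 (constructed): payload stored as a real plugin row. The rebuild
    # faithfully puts it back, so the row has to be removed by hand.
    conn.execute("INSERT INTO plugin VALUES ('init_startup', ?, 1, 5)", (loader,))
    build_pluginlist(conn)
    persisted = scan_datastore(conn)
    return found, after_rebuild, persisted


if __name__ == "__main__":
    print(demo())
```

If a scan still fires after the rebuild, the injected code is in the `plugin` table (or in the product that installs it), not just in the cache; that is the "research it, fix your hole" part of the author's warning, and a scheduled rebuild alone will keep reporting the same hook every 20 minutes.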

#106  28 Oct 2013, 20:31
Andy.H (Join Date: Feb 2013)
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.
#107  29 Oct 2013, 08:24
Kolbi (Join Date: Mar 2009, Real name: Matthias)
Originally Posted by Andy.H:
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.
The result "Infekte Gefunden: pluginlist" ("infections found: pluginlist") doesn't say a lot, because Tapatalk causes this, and if there were another infection it would still just tell you "pluginlist".
#108  30 Oct 2013, 22:57
orangefive (Join Date: Nov 2009)
Originally Posted by Andy.H:
As above, we installed Tapatalk 4.8.0 and started getting blank mails and an "infected" pluginlist.

I've disabled the scheduled task but left it installed so it can still be run manually... it could still be a useful tool to scan for infects on demand or if/when required.
me too
#109  07 Jan 2014, 20:04
Andy.H (Join Date: Feb 2013)
Thought I'd try a little tweak to the code. All the base64 hacks I've seen/had to clear up use the base64_decode command. The check4hack.php file looks for "%base64%" out of the box... so I did the following:

In the check4hack.php file, find the line below:

[Code hidden: suspended or unlicensed members cannot view it.]

and change to:

[Code hidden: suspended or unlicensed members cannot view it.]

Seeing as the Tapatalk code uses the base64_encode command, check4hack.php no longer picks it up as a false positive, and should hopefully still detect any base64_decode hacks... I hope!

#110  05 Mar 2014, 02:42
whodah (Join Date: Feb 2004)
Andy.H: Hey cool. That gives me an idea. How about replacing that same line with this:

[Code hidden: suspended or unlicensed members cannot view it.]

There might be a more eloquent way, and that wouldn't be 100% fool proof, but really really narrows it down, ya?
#111  20 Mar 2014, 04:45
whodah (Join Date: Feb 2004)
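An added example, not the hidden check4hack.php edits from this thread: the narrowing Andy.H describes, matching base64_decode instead of the bare word base64, taken one step further by judging each plugin snippet on its own. A snippet that only calls base64_encode (what the thread reports for Tapatalk) is clean; a snippet byte-identical to one from a pristine vBulletin download is allowlisted by hash rather than by eye; anything else has its base64 literals decoded and inspected for code. The hook names, snippets and the "known good" entry are constructed for this example, and it also undoes two cheap obfuscations that a plain `LIKE '%base64_decode%'` would miss, which goes beyond what the thread discusses.

```python
import base64
import hashlib
import re

# Added example, not the (hidden) check4hack.php edits from this thread. Hook
# names, plugin snippets and the "known good" entry below are constructed.

# Calls that mark a decoded payload as executable PHP rather than data.
DANGEROUS = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|"
    r"gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# Any quoted run long enough to be a real base64 payload, not just a token.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def normalise(code):
    """Undo two cheap obfuscations: "\\x62ase64" hex escapes and
    "base"."64_decode" string splitting. A LIKE '%base64_decode%' match
    cannot see through either."""
    code = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), code)
    code = re.sub(r"""['"]\s*\.\s*['"]""", "", code)
    return code


def decoded_payloads(code):
    """Decode every long base64-looking literal; the caller inspects them."""
    out = []
    for m in B64_LITERAL.finditer(code):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:          # not valid base64 after all (binascii.Error is a ValueError)
            continue
    return out


def classify(code, known_good):
    """Return (verdict, reasons) for one plugin's PHP source."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in known_good:
        return "allowlisted", []    # byte-identical to a snippet from a pristine install
    norm = normalise(code)
    if "base64_decode" not in norm.lower():
        return "clean", []          # base64_encode-only code, the Tapatalk case, lands here
    reasons = []
    if "base64_decode" not in code.lower():
        reasons.append("base64_decode hidden behind string splitting or escapes")
    if re.search(r"\beval\s*\(\s*base64_decode", norm, re.I):
        reasons.append("eval(base64_decode(...)) loader")
    for payload in decoded_payloads(norm):
        hit = DANGEROUS.search(payload)
        if hit:
            reasons.append("decoded payload calls %s()" % hit.group(1).lower())
    return ("malicious" if reasons else "suspicious"), reasons


def scan_plugins(plugins, known_good=frozenset()):
    """Map hook name -> (verdict, reasons) for a pluginlist-style dict."""
    return {hook: classify(code, known_good) for hook, code in plugins.items()}


# Constructed sample pluginlist (hook name -> PHP code).
SHELL = base64.b64encode(b'if(isset($_POST["c"])){system($_POST["c"]);}').decode()
SAMPLE_PLUGINS = {
    # encodes only: the pattern the thread reports for the Tapatalk plugin
    "global_start": '$cache = base64_encode(serialize($vbulletin->userinfo));',
    # legitimate decode of a stored setting, but it still trips a base64_decode match
    "init_startup": '$cfg = unserialize(base64_decode($vbulletin->options["mobile_cfg"]));',
    # classic webshell loader
    "global_setup_complete": 'eval(base64_decode("%s"));' % SHELL,
    # same loader with the function name split so a LIKE match never fires
    "parse_templates": '$f = "base"."64_decode"; eval($f("%s"));' % SHELL,
}
# Hashes taken from a clean install; here the one legitimate decode above.
KNOWN_GOOD = frozenset({hashlib.sha256(SAMPLE_PLUGINS["init_startup"].encode()).hexdigest()})


if __name__ == "__main__":
    for hook, (verdict, reasons) in scan_plugins(SAMPLE_PLUGINS, KNOWN_GOOD).items():
        print("%-22s %-12s %s" % (hook, verdict, "; ".join(reasons)))
```

Allowlisting by hash against a fresh download settles "is this in the default code?" questions without eyeballing: anything that is not byte-identical to the pristine copy stays on the suspicious list until someone reads it.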
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

[Code hidden: suspended or unlicensed members cannot view it.]

and

[Code hidden: suspended or unlicensed members cannot view it.]

everyone agree?
#112  24 Mar 2014, 19:59
Andy.H (Join Date: Feb 2013)
Hmm... we're running 4.2.0 PL4 with the scheduled task running and it's not detecting those lines? Maybe they don't appear in 4.2.0?

Which files did you find them in?

PS: nice addition with the detection

Last edited by Andy.H; 24 Mar 2014 at 20:06.
#113  24 Mar 2014, 21:10
ForceHSS (Join Date: Apr 2008)
Originally Posted by whodah:
Looks like there are two legit base64 in 4.2.2 PL1 -- ya?

[Code hidden: suspended or unlicensed members cannot view it.]

and

[Code hidden: suspended or unlicensed members cannot view it.]

everyone agree?
This is not in the code by default; if you have this, then you have an infection.
#114  24 Mar 2014, 21:51
whodah (Join Date: Feb 2004)
Hi Andy.H and ForceHSS,

Interesting... Digging deeper. The thing that makes me suspect is that I have a backup install on another server, different pw's, that is 100% .htaccess protected (front end and admin end) which has those same two lines...

Digging, will report back...
#115  24 Mar 2014, 22:10
whodah (Join Date: Feb 2004)
ForceHSS:

Are you sure you are 4.2.2 PL1 ? If so, do your install files fresh from vB not have this?

[Code hidden: suspended or unlicensed members cannot view it.]

BTW: I thought it might be interesting to note the other base64_(encode|decode) stuff off a fresh 4.2.2 PL1 download:

[Code hidden: suspended or unlicensed members cannot view it.]

#116  24 Mar 2014, 22:24
whodah (Join Date: Feb 2004)
Andy.H: for completeness, I checked out 4.2.0 PL4, and it looks like those lines are not in there:

[Code hidden: suspended or unlicensed members cannot view it.]

#117  24 Mar 2014, 22:34
ForceHSS (Join Date: Apr 2008)
Yes, I have them in default files as well. Not sure if all, as I have not checked all of them, but I am sure if it were a problem vB would post about it, so don't worry about it.
#118  24 Mar 2014, 22:44
Andy.H (Join Date: Feb 2013)
Originally Posted by whodah:
Andy.H: for completeness, I checked out 4.2.0 PL4, and it looks like those lines are not in there:
That would explain it then. It does leave you in a bit of a quandary if you're running 4.2.2 though. Does it generate any false positives when you run the task manually?
#119  25 Mar 2014, 00:24
whodah (Join Date: Feb 2004)
ForceHSS: roger that.

Andy.H: yup yup, false positives as of now. Did you see my post #110 above? I haven't had time to write a replace string for these two yet, but I'm thinking a similar notion would work here too. Thanks for the inspiration for that idea again. But really, we could keep whittling out false positives when they come up that way. (I think.)
#120  08 May 2016, 22:39
Azonaco (Join Date: Aug 2008)
This isn't working on version 4.2.2 for me. Any plans to update this mod?