Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 25 Apr 2017, 09:09
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
base64 in database

should our VB database contain any base64 code?

Ii seems to be linked to an if subscriptions.php type command


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

This is present in adminutil and datastore

We have had an issue with includes/datastore/datastore_cache.php erasing itself every 24 hours, and taking the forum down untill a new copy is uploaded. within a few hours the file then contains this same code as found in the database

is it safe to remove the entry from the database?

New files have been uploaded many times, so we think that it can only be the database thats keeping causing the issue
Reply With Quote
  #2  
Old 25 Apr 2017, 14:11
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
That looks like a backdoor to execute commands on the server, so yes you should remove it immediately. However, you might want to look into where it's coming from.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #3  
Old 02 May 2017, 22:18
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
Dave, would you be able to offer advise and / or a quote to help with this please
Reply With Quote
  #4  
Old 03 May 2017, 12:31
Kane@airrifle's Avatar
Kane@airrifle Kane@airrifle is offline
 
Join Date: Jun 2011
Real name: Kane
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4
Reply With Quote
  #5  
Old 06 May 2017, 17:26
sattvhelp sattvhelp is offline
 
Join Date: Oct 2016
ok, im slowly working my way through this, following numerous online guides, and racking up the google air miles.

just about EVERY post that asks about any base64 code within vbulletin files, seems to be met with the default answer from vbulletin staff that 'vbulletin doesnt contain any base64 code, its been added by hackers, redownload new files'

Ive downloaded new files, and before even unzipping them, have found the following INSIDE the default vbulletin file attachment.php


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

As someone who is not an expert, and following guidance telling me that i should have NO base64 code AT ALL in ANY vbulletin file, i dont know how i should proceed next, as i have found around a dozen default files that contain base64

--------------- Added 06 May 2017 at 17:27 ---------------

Originally Posted by Kane@airrifle View Post
ACP/Plugin manager: Check to see if you have init_startup in Product : Vbulletin. If you do that is likely the backdoor.

Some background: https://www.vbulletin.com/forum/foru...-patch-level-4
This was indeed tucked away, and has since been removed. After removing it i cleared the system cache, and this has also caused the entire entry to be removed from the database
Reply With Quote
  #6  
Old 06 May 2017, 17:41
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
The base64 encoded string you posted is fine and part of vBulletin. I believe it acts as a transparent image or something like that.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #7  
Old 28 Sep 2017, 22:54
twitch's Avatar
twitch twitch is offline
 
Join Date: Apr 2005
Do you simply delete the code? or delete the init_startup tables in the database? I found two of them
Reply With Quote
  #8  
Old 28 Sep 2017, 22:55
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
You can either delete the code or delete the entire hook in the plugin system, just make sure there's no valid code in the hook or else you may break something.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 10:15.

Layout Options | Width: Wide Color: