Webinar Alert: Beyond Hyperscalers - Smarter Infrastructure for Growing Companies (June 26th)
We recently had reports of a vBulletin site we host being infected with malicious code. Having worked for years in vBulletin hosting, we have a good bit of experience addressing security matters for vBulletin-related plugins. Troubleshooting these types of problems is a fairly common task for our staff. It usually involves doing some security scans and taking inventory of software installed on a website or server. This time, however, we were in for a bit more work as this was not an off the shelf common issue.
After doing some Google searches of the particular malware symptoms that we noticed, we came across several other reports of vBulletin-based sites suffering from the same problem. There was no known solution for this issue, and the sites in question were running the latest known versions of vBulletin software and plugins. This particular exploit involved malicious code being inserted into the vBulletin database datastore table which then caused the site to redirect users to the suspicious url123.info redirection service.
After finding a few possible workarounds and theories for how the exploit was happening, we decided to delve further and reverse-engineer the attack.
After doing some basic Apache log reviews for suspicious HTTP requests, we could tell that this was a more advanced attack. We would have to find it the old fashioned way.
We setup a modified version of this script from VBSEO in order to detect when the bad code was finding its way into the vBulletin datastore. By running the script every minute, we were able to narrow down the attack entry point into a one minute window. While waiting for the bad code to come back, we used the popular command-line tool tcpdump which allowed us record all incoming traffic to the server. We then reviewed all HTTP requests and found the specific method of attack.
After again detecting the malware, we knew that our data capture from tcpdump contained the attack entry point to show us how the malicious code was being put into the vBulletin datastore. WireShark is a very powerful and flexible packet capture tool that makes it easy to browse, filter and search through packet captures. We searched the captured packet data for some common footprints that hackers use to try to cover their tracks in PHP such as the base64_decode function.
Success! This search immediately turned up a suspicious HTTP GET request which we quickly determined was the culprit we were looking for:
From reviewing the above request, we now had some useful data in pinpointing the source of the exploit:
After carefully decoding the vbseo_crules cookie, we found that it does the following:
The backdoor plugin source code is available here. It does two things:
So how does malicious code from a HTTP cookie get executed by PHP? We traced that down to the use of the PHP preg_replace() function in VBSEO. Under certain conditions, the preg_replace() function has the ability to execute code in an evaluated variable.
Luckily, VBSEO was alerted of the exploit around the same time that we discovered the problem. We have tested that this vulnerability has been addressed in the latest version of VBSEO (version 3.6.1).
If you think you may have been affected by this exploit or the url123.info malware, we recommend the following actions:
If you have any questions about securing your vBulletin installation or specific questions about this exploit feel free to contact us for help!
Reach out to learn how our global platform can power your next deployment. Fast, secure, and built for scale.