Sneaky vBulletin Script Injections

In the past few days/weeks we have been seeing some nasty vBulletin infections that are proving difficult to find. In this post we’ll describe it and what we have done to remove it.

We recently wrote about Conditional Malware, this is but another instance of that. In this instance, the conditions are set around specific referrers and user-agents.

When a user visits the forum via Google search engine result pages (SERP), they are greeted with this payload:


vBulletin Websites Using VBSEO Being Infected with Malware

We are seeing a large number of vBulletin/vBSEO websites getting compromised lately and we keep getting requests for info as to what’s going on.


vBulletin SQL injection vulnerability – Update now

A serious SQL injection vulnerability was reported in vBulletin (4.0.x, 4.1.0, 4.1.1 and 4.1.2) last month, and we are starting to see it being used to attack and infect forums running those versions. The vulnerability is very simple and is explained here:

Multiple vBulletin Products ‘Search Multiple Content Types’ SQL Injection Vulnerability

Multiple vBulletin products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

The following example data are available:

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
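As an added example (not code from the original post), here is a small Python scanner that flags web-server requests carrying the `cat[]` UNION SELECT pattern shown above, so an administrator can check whether a forum has already been probed; the access-log lines are constructed, and the `search.php` path is an assumption.

```python
"""Flag requests carrying the vBulletin 'cat[]' SQL-injection pattern in web logs."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format) for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2011:12:00:01 +0000] "GET /search.php?search_type=1&cat[0]=1)%20UNION%20SELECT%20database()%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2011:12:00:02 +0000] "GET /search.php?search_type=1&cat[0]=5&cat[1]=7 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2011:12:00:03 +0000] "GET /search.php?cat%5B0%5D=1)+UNION+SELECT+table_name+FROM+information_schema.tables%23 HTTP/1.1" 200 4200 "-" "curl/7.21"
192.0.2.9 - - [10/Apr/2011:12:00:04 +0000] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')
# Matches this payload family after URL-decoding: a closing parenthesis that breaks out of
# the original IN(...) list, followed by UNION [ALL] SELECT.
INJECTION_RE = re.compile(r"\)\s*union\s+(all\s+)?select\b", re.IGNORECASE)

def suspicious_cat_params(target: str) -> list:
    """Return the decoded cat[] values in a request target that look like UNION-based injection."""
    query = urlsplit(target).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        # vBulletin search takes cat[] as an array parameter; a legitimate value is an integer id
        if not re.fullmatch(r"cat(\[\d*\])?", unquote_plus(key)):
            continue
        for value in values:
            decoded = unquote_plus(value)   # parse_qs decoded once; this also catches double-encoding
            if not decoded.strip().isdigit() and INJECTION_RE.search(decoded):
                hits.append(decoded)
    return hits

def scan_log(text: str) -> list:
    """Return (ip, timestamp, payload) tuples for log lines carrying the injection pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for payload in suspicious_cat_params(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), payload))
    return findings

if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> {payload}")
```

Run it against a real access log by reading the file into `scan_log`; a hit from a source address is a strong signal that the forum should be patched and its database credentials rotated.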

There is even a video on Youtube showing how to do it:

So if you are a vBulletin user, update it now! If you think your site is already hacked or compromised, you can scan it here: http://sitecheck.sucuri.net or contact us for help.

*Thanks to Marcus Maciel for the reminder and help.

Vulnerability in vBulletin 3.8.6

If you are running vBulletin 3.8.6 (the latest 3.8.x version), make sure to remove faq.php as soon as possible. A vulnerability has been found that allows anyone to retrieve the database credentials from there.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,

It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.

If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a
precaution.

You can find faq.php in your vBulletin installation directory:
*/vbroot/faq.php

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.