Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.
In a blog post in late August, vBulletin maker Jelsoft Internet Brands Inc. warned users that failing to remove the “/install” and “/core/install” directories on sites running 4.x and 5.x versions of the forum software could render them easily hackable. But apparently many vBulletin-based sites didn’t get that memo: According to Web site security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability.
The security weakness lets attackers quickly discover which forums are vulnerable, and then use automated, open-source exploit tools to add administrator accounts to vulnerable sites.
Imperva said the compromised sites appear to have been hacked by one of two sets of exploit tools that have been released publicly online. The first was apparently used in a mass Website defacement campaign. A Google search for forums with the rather conspicuously-named administrator account added in that attack (“Th3H4ck”) shows that many of the hacked sites also are hosting malware. Among the sites apparently compromised is a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.
The second tool does effectively the same thing, except with a bit more stealth: The administrator account that gets added to hacked forums is more innocuously named “supportvb”. Here’s a Google search that offers a rough idea of the forums compromised with this exploit, which was apparently authored or at least publicly released by this guy.
Amichai Shulman, Imperva’s chief technology officer, said the company believes the attackers are using some sort of botnet — a collection of hacked PCs — to help scrape Google for compromised sites and to inject the malicious code.
“In order to infect 30,000 targets in such a short period of time you need Google, but the problem is that you can’t retrieve so many search results that easily in an automated way. Google may show you that there are 30,000 [vulnerable target sites], but when you start scrolling through them all you may get to maybe page five or six [before] you get a message that your machine is performing automated queries, and it will start showing you CAPTCHA,” challenges to block automated lookups. “And if I repeat this behavior from the same Internet address, I’ll get blocked for a certain period of time.”
Barry Shteiman, director of security strategy at Imperva, said that distributing the searches through many different Internet addresses solves that problem.
“These guys can instruct each part of that distributed network to perform a partial search that would return a part of the entire results,” Shteiman said. “That way they can get the list sliced into much smaller pieces that a single machine can then crawl and scrape.”
If you run a forum or site powered by vBulletin, take a minute to check if you have followed vBulletin’s advice and removed the “/install” and/or “/core/install” folders. If your vBulletin site still has those directories installed, you may also want to check for new administrator accounts.
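A small audit script for the two checks above, added here as an example (it is not vBulletin's or Imperva's code): it looks for the leftover install directories under a forum's web root and flags administrator accounts whose names match the ones the public kits created, or whose creation date falls after a cutoff you choose. The shape of the admin list (username plus a Unix join timestamp, as you might export it from the admin panel) and the sample records are assumptions constructed for the demo.

```python
"""Audit a vBulletin 4.x/5.x web root for the two issues described above."""
import os
import tempfile

# Directories vBulletin told site owners to delete after installation.
INSTALL_DIRS = ("install", "core/install")
# Admin account names reported for the two public exploit kits (lower-cased).
KNOWN_ROGUE_ADMINS = {"th3h4ck", "supportvb"}

# Constructed sample export; real data would come from your own forum.
SAMPLE_CUTOFF = 1377993600  # 2013-09-01 00:00 UTC, roughly when the advisory went out
SAMPLE_ADMINS = [
    {"username": "admin", "joindate": 1300000000},
    {"username": "supportvb", "joindate": 1380000000},
    {"username": "Th3H4ck", "joindate": 1379000000},
    {"username": "newmod", "joindate": 1378500000},
]


def leftover_install_dirs(docroot):
    """Return the install directories that still exist under docroot."""
    return [d for d in INSTALL_DIRS if os.path.isdir(os.path.join(docroot, d))]


def suspicious_admins(admins, since):
    """Flag admins with a known rogue name or a join date at/after `since`."""
    flagged = []
    for acct in admins:
        reasons = []
        if acct["username"].lower() in KNOWN_ROGUE_ADMINS:
            reasons.append("name used by public exploit kit")
        if acct["joindate"] >= since:
            reasons.append("created after cutoff")
        if reasons:
            flagged.append((acct["username"], reasons))
    return flagged


def audit(docroot, admins, since):
    """Combine both checks into one report dict."""
    return {"install_dirs": leftover_install_dirs(docroot),
            "admins": suspicious_admins(admins, since)}


def build_demo_docroot():
    """Create a throwaway web root that still has core/install (demo only)."""
    root = tempfile.mkdtemp(prefix="vb_demo_")
    os.makedirs(os.path.join(root, "core", "install"))
    return root


if __name__ == "__main__":
    print(audit(build_demo_docroot(), SAMPLE_ADMINS, SAMPLE_CUTOFF))
```

Point `audit()` at your real web root and your own admin export; an empty `install_dirs` list and an empty `admins` list is the result you want.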
I followed up with the vBulletin folks and asked whether the company planned to automate the removal of these folders in future updates. A member of the vBulletin support team said version 4.2.2 “fixes the problem, but we still always recommend removing the install folder.” The same individual promised that the as yet unreleased vBulletin v. 5.1.0 will have additional, unspecified fixes, “however you still need to remove the install folder.”