[Image: Attack tool for exploiting vulnerable vBulletin forums.]

In a blog post in late August, vBulletin maker Jelsoft Internet Brands Inc. warned users that failing to remove the “/install” and “/core/install” directories on sites running 4.x and 5.x versions of the forum software could render them easily hackable. But apparently many vBulletin-based sites didn’t get that memo: According to Web site security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The security weakness lets attackers quickly discover which forums are vulnerable, and then use automated, open-source exploit tools to add administrator accounts to vulnerable sites.

Imperva said the compromised sites appear to have been hacked by one of two sets of exploit tools that have been released publicly online. The first was apparently used in a mass Website defacement campaign. A Google search for forums with the rather conspicuously-named administrator account added in that attack (“Th3H4ck”) shows that many of the hacked sites also are hosting malware. Among the sites apparently compromised is a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.

The second tool does effectively the same thing, except with a bit more stealth: The administrator account that gets added to hacked forums is more innocuously named “supportvb”. Here’s a Google search that offers a rough idea of the forums compromised with this exploit, which was apparently authored or at least publicly released by this guy.

Amichai Shulman, Imperva’s chief technology officer, said the company believes the attackers are using some sort of botnet - a collection of hacked PCs - to help scrape Google for compromised sites and to inject the malicious code.

“In order to infect 30,000 targets in such a short period of time you need Google, but the problem is that you can’t retrieve so many search results that easily in an automated way. Google may show you that there are 30,000, but when you start scrolling through them all you may get to maybe page five or six you get a message that your machine is performing automated queries, and it will start showing you CAPTCHA,” challenges to block automated lookups. “And if I repeat this behavior from the same Internet address, I’ll get blocked for a certain period of time.”

Barry Shteiman, director of security strategy at Imperva, said that distributing the searches through many different Internet addresses solves that problem.

“These guys can instruct each part of that distributed network to perform a partial search that would return a part of the entire results,” Shteiman said. “That way they can get the list sliced into much smaller pieces that a single machine can then crawl and scrape.”

If you run a forum or site powered by vBulletin, take a minute to check if you have followed vBulletin’s advice and removed the “/install” and/or “/core/install” folders. If your vBulletin site still has those directories installed, you may also want to check for new administrator accounts.

I followed up with the vBulletin folks and asked whether the company planned to automate the removal of these forums in future updates. A member of the vBulletin support team said version 4.2.2 “fixes the problem, but we still always recommend removing the install folder.” The same individual promised that the as yet unreleased vBulletin v. 5.1.0 will have additional, unspecified fixes, “however you still need to remove the install folder.”
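The two checks recommended above (leftover install folders, unexpected administrator accounts) can be scripted on the server itself. The following is an added example, not code from the article or from vBulletin; the function names and the idea of feeding it a text file of administrator usernames, one per line, are assumptions, while the folder and account names are the ones the article reports.

```shell
#!/bin/sh
# Added example: local audit of a vBulletin webroot.
# Assumption: you have exported the forum's administrator usernames to a
# plain text file, one name per line (any export method will do).

# Print each installer folder still present under the webroot ($1).
# Returns 0 when neither folder exists, 1 when at least one remains.
find_install_dirs() {
    root="$1"
    found=0
    for rel in install core/install; do
        if [ -d "$root/$rel" ]; then
            printf 'PRESENT %s/%s\n' "$root" "$rel"
            found=1
        fi
    done
    return "$found"
}

# Print administrator names in file $1 that match the two account names
# the article says the public tools add. Whole-line, case-insensitive
# match; carriage returns from Windows-style exports are stripped first.
# Returns 0 when nothing matches, 1 when a reported name is present.
find_reported_admins() {
    if tr -d '\r' < "$1" | grep -i -x -F -e 'Th3H4ck' -e 'supportvb'; then
        return 1
    fi
    return 0
}

# Usage: sh vb_audit.sh /path/to/forum/webroot [admins.txt]
if [ "$#" -ge 1 ]; then
    find_install_dirs "$1" || echo "Remove the folders listed above."
    if [ -n "${2:-}" ]; then
        find_reported_admins "$2" || echo "Review the accounts listed above."
    fi
fi
```

A clean result for the two reported names does not rule out other unfamiliar administrator accounts, so the exported list still deserves a manual read.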