35,000 vBulletin-using websites hacked
It looks like the prophecy made by the maker of vBulletin, Internet Brands, is coming true. The company warned back in August that those who don’t remove the “/install” and “/core/install” directories on their websites running on versions 4 and 5 of vBulletin would be facing problems owing to vulnerabilities in the system. If what security firm Imperva says is true, more than 35,000 websites seem to have ignored Internet Brands’ advice.
According to Imperva, the websites seem to have been hacked using one of two exploit tools that are publicly available online. The first tool was apparently used in a defacement spree across a large number of websites. Affected forums have had a suspicious-looking administrator account called "Th3H4ck" added to them, and these websites also appear to be hosting malware.
The second tool apparently does the same thing as the first, but with more subtlety. The admin account it adds to the vBulletin forums it attacks is named "supportvb".
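A forum administrator can check for both conditions described above: leftover installer directories and the two reported account names. The script below is an added example, not code from Imperva or Internet Brands. It assumes the web root is a local directory and that forum usernames have been exported to a text file, one per line; the function names and output labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not vBulletin or Imperva code.
# Assumptions: the forum web root is a local directory, and forum usernames
# have been exported to a text file, one name per line.
INSTALL_DIRS="install core/install"   # directories the vendor said to remove
ROGUE_ADMINS="Th3H4ck supportvb"      # admin accounts named in the article

# audit_vbulletin WEBROOT USER_EXPORT
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_vbulletin() {
    local webroot="$1" users="$2" found=0 d name
    if [ ! -d "$webroot" ] || [ ! -r "$users" ]; then
        echo "usage: audit_vbulletin WEBROOT USER_EXPORT" >&2
        return 2
    fi
    for d in $INSTALL_DIRS; do
        if [ -d "$webroot/$d" ]; then
            echo "INSTALL_DIR_PRESENT $d"
            found=1
        fi
    done
    for name in $ROGUE_ADMINS; do
        # Trim surrounding whitespace (including CR from Windows exports), then
        # match the whole line, literally and case-insensitively.
        if sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$users" | grep -qixF -- "$name"; then
            echo "ROGUE_ACCOUNT $name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: a web root that still has core/install and a user
# export containing one of the two account names in different letter case.
demo_audit() {
    local tmp rc=0
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/www/core/install"
    printf 'alice\nSupportVB \nbob\n' > "$tmp/users.txt"
    audit_vbulletin "$tmp/www" "$tmp/users.txt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_audit || true
```

A clean result only means these two specific indicators are absent; a tool that used a different account name would not be flagged.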
“In order to infect 30,000 targets in such a short period of time you need Google, but the problem is that you can’t retrieve so many search results that easily in an automated way. Google may show you that there are 30,000 [vulnerable target sites], but when you start scrolling through them all you may get to maybe page five or six [before] you get a message that your machine is performing automated queries, and it will start showing you CAPTCHA,” said Amichai Shulman, Chief Technology Officer at Imperva. “And if I repeat this behavior from the same Internet address, I’ll get blocked for a certain period of time.”