Cyber crooks actively hijacking servers with unpatched vBulletin installations
Administrators of vBulletin installations would do well to install the latest vBulletin Connect updates as soon as possible, as cyber crooks are actively searching for servers running vulnerable versions of the popular Internet forum software package.
They might be after the data stored on it or, more likely, they want control of the servers so that they can use them to mount DDoS attacks or deliver malware (by booby-trapping the website). They can also sell access to the servers to other criminals.
It seems that the attackers are taking advantage of a recently discovered and patched zero-day that affects vBulletin Connect versions 5.1.4 through 5.1.9, which allows attackers to remotely execute code on the vulnerable server.
“The RCE exploit is relatively simple to deploy; a single HTTP request is all that is needed. Our telemetry suggests that attackers are scanning for servers running the vulnerable vBulletin software by using a common phpinfo() function or printing out an MD5 of an arbitrary value,” Symantec researchers noted.
“Once a vulnerable web server is found, the attacker can then take steps to infiltrate the system and begin to search and exfiltrate data from it, such as administrative user credentials, or even attempt to gain administrator privileges. This is all done by first downloading and executing a multipurpose malicious shell script (filesender1.sh) onto the compromised server.”
Once it is executed, the script tries to discover and steal as much information as possible, and does so by going through a list of 130 predefined files and folders. The information is then sent to a server controlled by the attackers.
As noted before, sysadmins should patch their installations immediately, and they can also look for indicators of compromise (specific URLs in web access logs) provided by Symantec to see whether their server has already been scanned/breached.
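The log check suggested above can be automated. The following script is an added illustration and is not part of the original article or of Symantec's published indicator list: it reads combined-format access log lines, URL-decodes each request target, and flags the probing behaviour the article describes (a request that invokes phpinfo() or an MD5 of an arbitrary value, or one that references filesender1.sh). The IOC_URL_PATHS list is a placeholder to be filled with the exact URLs from Symantec's advisory; the sample log lines and the client addresses in them are constructed for the example.

```python
"""
Scan web server access logs for the vBulletin probing activity described
in the article. Added illustration; the patterns are assumptions derived
from the article's description, not Symantec's published indicators.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Placeholder: fill with the exact IoC URL paths from Symantec's advisory.
IOC_URL_PATHS = [
    # "/path/from/advisory",
]

# Behavioural patterns drawn from the article: probes that call phpinfo()
# or print an MD5 of an arbitrary value, and any reference to the
# post-exploitation script filesender1.sh.
PROBE_PATTERNS = {
    "phpinfo-probe": re.compile(r"phpinfo\s*\(", re.IGNORECASE),
    "md5-probe": re.compile(r"md5\s*\(", re.IGNORECASE),
    "filesender-download": re.compile(r"filesender1\.sh", re.IGNORECASE),
}

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (hypothetical addresses and paths, not real IoCs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2015:03:14:07 +0000] "GET /forum/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2015:03:14:09 +0000] "GET /forum/index.php?x=phpinfo%28%29 HTTP/1.1" 200 812 "-" "curl/7.35.0"
198.51.100.23 - - [10/Nov/2015:03:14:11 +0000] "GET /forum/index.php?x=md5%28abc%29 HTTP/1.1" 200 96 "-" "curl/7.35.0"
198.51.100.23 - - [10/Nov/2015:03:14:20 +0000] "GET /forum/index.php?x=filesender1.sh HTTP/1.1" 200 12 "-" "curl/7.35.0"
this line is not in combined log format
"""


def classify(line):
    """Return (client_ip, label) for a suspicious line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so "%28" is matched as "(".
    decoded = unquote(m.group("target"))
    for path in IOC_URL_PATHS:
        if path in decoded:
            return m.group("ip"), "ioc-url"
    for label, pattern in PROBE_PATTERNS.items():
        if pattern.search(decoded):
            return m.group("ip"), label
    return None


def scan(lines):
    """Return a list of (client_ip, label) hits for every suspicious line."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def summarize(hits):
    """Count hits per client address so repeat scanners stand out."""
    return Counter(ip for ip, _ in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, label in found:
        print(f"{ip}\t{label}")
    for ip, count in summarize(found).most_common():
        print(f"{ip}: {count} suspicious request(s)")
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents; a single address producing several labelled hits in quick succession is the scanning pattern the article describes, and any "ioc-url" hit means one of the advisory's exact URLs was requested.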