vBulletin Still Redirecting to Myfilestore.com

  • October 13, 2015
Labs Note

MyFileStore[.]com redirects from vBulletin sites have been a problem since 2011. It is associated with the VBSEO plugin with multiple unpatched vulnerabilities that has been discontinued for more than 3 year now. You can find more information about this hack here

Since then, the code remains pretty much the same. Only minor changes in variable names. Just search either the datastore table or the includes/datastore/datastore_cache.php file for = preg_replace( with strtr inside of it like:

...
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), "vbseo");

Preceded by long gibberish stings that look like this:

...
$arrvb = '[R_=#AH_p[3"rP[abP[#Vj@?Vu=&_S?q!KZ`mu=8%$!zH8.:_T?&KuS"_K.:a}lLaxLN[}/g%>PL_K.nH$,7KuS}a8?}a}apW>L{Vj@bVugR!z?...

Despite the fact that that this hack is very old and VBSEO is no longer supported and should have been already removed from sites, we still regularly clean vBulletin websites affected by this infection.

Please, keep your sites software up-to-date. Secure it to prevent future break-ins.

Fernando Barbosa is a Sucuri's Software Development Manager who joined the company in 2012. Fernando's main responsibilities include leading Sucuri's backend teams and engineering solutions for our suite of security products. His professional experience also covers five years of malware analysis and incident response. When Fernando isn't working, you might find him having good times with his family. Connect with Fernando on Twitter.

Related Tags
Related Categories
You May Also Like