Infected Invision Power Board and vBulletin with malicious redirects

Websites running on Invision Power Board (IPB) or vBulletin are currently being infected more and more often. The malicious code (a redirect) sends users to other websites.

Yandex Antivirus Engine identifies this malware as «Behaviour Analysis». The malicious code is hard to find because it is encrypted and is triggered only under certain conditions.

The malicious code looks like this (the virus is framed in red):

[Image: infected Invision Power Board template with the redirect code framed in red]

Usually it is injected into the main template (in the database) and into the template's cached copy (in a file).

The malicious code can be detected by searching for “strstr($mds”, “preg_replace($i” or “#c#.substr” within a database dump or the skin cache files.

Forum administrators should remove the code from the database and then clear the skin cache to completely remove the malware from the site.

[Image: IPB admin panel, clearing the skin cache after infection]

Do not delete the code in the cached skins only, as it will reappear when the cache is rebuilt.

Let's decrypt the code and look inside it:

[Image: decoded IPB malware code snippet]

Firstly, on line 10 the malware contains a backdoor that executes arbitrary code taken from the $k parameter. The code is passed encoded as base64 + str_rot13.

Secondly, the malware performs an unauthorized redirect to another website, for instance, to . The redirect is occasional (it happens only from time to time), which is why the malware is hard to notice even for the website owner. Below are the conditions required to reproduce the redirect:

  1. the <prefix>lang_id cookie is not set
  2. the HTTP request doesn't contain the ipbv parameter
  3. the HTTP request doesn't contain <prefix>session_id, but the cookie of the same name is set
  4. the HTTP Referer contains the infected website's host

When a user comes to an infected forum from a search results page, the following code is injected into the page. It looks like this:


While this JavaScript is loading, the parameters listed above are checked, and if all conditions are met the user is redirected to another website by the following JavaScript code:


A redirected user gets a <prefix>lang_id cookie valid for 10 hours, so while browsing the infected website with the same browser during this period the user will not be redirected again.

The malicious code can be easily found by searching for the following code snippets in the skin_global.php file:

“strstr($mds”, “preg_replace($i” or “#c#.substr” (and some others)
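As an added example (not part of the original post), a small Python scanner that searches a skin cache directory or SQL dump directory for the three markers named above and reports file, line and a short excerpt for each hit. The cached skin content embedded below is constructed for the demo, not real malware.

```python
import os
import re
from pathlib import Path

# Signatures named in the post: substrings of the obfuscated injector.
# They are matched literally (re.escape), so "$" and "(" are not regex metacharacters.
SIGNATURES = ("strstr($mds", "preg_replace($i", "#c#.substr")
SIG_RE = re.compile("|".join(re.escape(s) for s in SIGNATURES))
# File types worth scanning: cached skin files and SQL dumps of the templates table.
SCAN_SUFFIXES = {".php", ".sql"}

# Constructed sample of a cached skin file with two of the markers embedded (not real malware).
SAMPLE_SKIN_CACHE = (
    "<?php\n"
    "class skin_global_1 {\n"
    "  function globalTemplate() {\n"
    "    $out = '<html>';\n"
    "    if (strstr($mds, 'x')) { $out .= preg_replace($i, '', $out); }\n"
    "    return $out;\n"
    "  }\n"
    "}\n"
)


def scan_text(text, source="<string>"):
    """Return a list of (source, line_no, signature, excerpt) for every marker found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SIG_RE.finditer(line):
            start = max(0, m.start() - 20)
            hits.append((source, line_no, m.group(0), line[start:m.end() + 20].strip()))
    return hits


def scan_tree(root):
    """Walk a directory (e.g. the forum's skin cache dir or a dump dir) and scan each candidate file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            # errors="replace": dumps may contain binary blobs; only the ASCII markers matter here.
            hits.extend(scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path)))
    return hits


if __name__ == "__main__":
    import sys
    for src, n, sig, excerpt in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{src}:{n}: {sig!r} ... {excerpt}")
```

Run it against the forum's skin cache directory and against a directory holding the database dump; a hit in the dump means the template itself must be cleaned, not just the cache.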

vBulletin administrators will find more details about detecting this malware in the following article. The vBulletin infection is similar to the IPB one, so everything written above about IPB also applies to vBulletin.

If you cannot remove the malware from your website, contact our malware experts.