Websites running on Invision Power Board (IPB) or vBulletin are currently being infected more and more often. The malicious code (a redirect) sends users to other websites.
The Yandex Antivirus Engine identifies this malware as «Behaviour Analysis». The malicious code is hard to find because it is encrypted and appears only under certain conditions.
The malicious code looks like this (the virus is framed in red):
Usually it is injected into the main template (in the database) and into the template's cached copy (in a file).
The malicious code can be detected by searching for “strstr($mds”, “preg_replace($i” or “#c#.substr” in a database dump or in the skin cache files.
To completely remove the malware from the site, forum administrators should remove the code from the database and then clear the skin cache.
Do not delete the code from the cached skins only, as it will reappear as soon as the cache is rebuilt.
Let’s decrypt the code and look inside it:
Firstly, on the 10th line the malware contains a backdoor that executes arbitrary code passed in the $k parameter. The payload is encoded with base64 and str_rot13.
Secondly, the malware performs an unauthorized redirect to another website, for instance url4short.info. The redirect is occasional (it appears only from time to time), which is why the malware is hard to detect even for the website owner. Below you’ll find the conditions under which the redirect is reproduced:
When a user arrives at an infected forum from a search results page, the following code is injected. It looks like this:
A redirected user receives a cookie <prefix>lang_id that is valid for 10 hours. So, while browsing the infected website during this period with the same browser, the user will not be redirected again.
The malicious code can be easily found by searching the skin_global.php file for the following code snippets: “strstr($mds”, “preg_replace($i”, “#c#.substr” and some others.
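The indicator search described above (in the database dump and in the skin cache) can be automated. The script below is an added example written for this article, not a tool from Yandex or the forum vendors; the scanned directory, file suffixes and the sample cache contents are assumptions, and the sample is constructed to show what a hit looks like.

```python
from pathlib import Path

# Indicator substrings quoted in the write-up for this IPB/vBulletin template malware.
INDICATORS = ("strstr($mds", "preg_replace($i", "#c#.substr")


def scan_text(text, source="<string>"):
    """Return (source, line_no, indicator, excerpt) for every indicator found in a text blob.

    A plain substring match is used on purpose: the indicators contain '$', '(' and '#',
    which would need escaping in a regex and gain nothing here.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for indicator in INDICATORS:
            if indicator in line:
                hits.append((source, line_no, indicator, line.strip()[:120]))
    return hits


def scan_tree(root, suffixes=(".php", ".sql")):
    """Walk a directory holding skin cache files and/or a database dump and collect hits.

    Reading with errors="replace" keeps the scan going over binary-ish dump chunks.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return hits


# Constructed sample of a skin cache file: three clean lines plus one carrying two indicators.
SAMPLE_CACHE = """<?php
// constructed clean template code
echo $ipsclass->compiled_templates['skin_global']->globalTemplate();
$x = strstr($mds, '#c#'); $y = preg_replace($i, '', $z);
"""

if __name__ == "__main__":
    # Against a real install you would call scan_tree("/path/to/cache") and scan_tree("/path/to/dump").
    for source, line_no, indicator, excerpt in scan_text(SAMPLE_CACHE, "skin_cache_sample.php"):
        print(f"{source}:{line_no}: {indicator!r} in: {excerpt}")
```

Hits in the database dump point at the template row that must be cleaned; hits only in the cache mean the cache must be cleared after the database row is fixed, as the article says.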
vBulletin administrators will find more details about detecting this malware in the following article: http://club.myce.com/f20/vbulletin-myfilestore-hack-find-traces-remove-them-332219/ . The vBulletin infection is similar to the IPB one, so everything written above about IPB also applies to vBulletin.
If you can't remove the malware from your website, contact our malware experts.