![]() ![]() Still, Internet searches like this one suggest that 10,000 or more sites may be running vulnerable versions. Fortunately, version 5x makes up less than 7% of active installations, according to W3techs, a site that surveys the software used across the Internet. VBulletin is among the most widely used website commenting systems and is probably used on tens of thousands-possibly hundreds of thousands-of sites. Another user reported having an entire MySQL database deleted. “I received an email today from my hosting provider stating that ‘malicious code was detected on your website and a huge number of email spam messages originating from it,’” one user wrote here (free account required). Some vBulletin users took to the software’s official support pages on Wednesday to report they had been hacked. Some of the infected computers carrying out the attacks have been spotted in the past using the EternalBlue exploit, developed by and later stolen from the National Security Agency, to compromise computers that have yet to install a patch Microsoft released in early 2017. As for why threat actors are doing this, it's likely to build an inventory of bots while they figure additional ways to exploit the compromised hosts – such as infecting them with DDoS malware and conducting denial-of-service attacks. This exploit attempt basically backdoors sites via a backdoor. The vulnerability itself has been regarded by some as a backdoor. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This is done by setting a “password” (epass) of 2dmfrb28nu3c6s9j. Via the "sed" command to add a backdoor to the code. The exploit above modifies includes/vb5/frontend/controller/bbcode.php After decoding, some of the Web requests they send look like this: If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins' system-level user account has access to.” Seguin has more in this technical analysis of the vulnerability.Īccording to researcher Troy Mursch of the Bad Packets security intelligence service, attackers are using botnets to actively exploit vulnerable servers. “An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. “Essentially, any attack exploits a super simple command injection,” Ryan Seguin, a research engineer at Tenable, told Ars. The vulnerability is so severe and easy to exploit that some critics have described it as a back door. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. ![]() Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning. ![]() Attackers are mass-exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet’s most popular applications for website comments. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |