While a number of vBulletin sites have been attacked by malware in the past via VBSEO, the widely used SEO module has since been discontinued, but, according to a Sucuri post penned by Cesar Anjos, the site’s table datastore continues to be a prime vector of attack where bad actors can store malicious code that is subsequently loaded on each visit.
And now, a new malware campaign infecting vBulletin websites has been detected that displays malicious ads from popads[.]net.
However, the Sucuri researchers delved into the code – written in PHP and using a MySQL database server – and determined that it’s only being displayed once per IP, meaning that repeat visitors won’t see the ads on subsequent visits.
“We can see that the external script receives the visitor’s IP address, which allows the malware to perform its conditional IP controls and make detection harder,” Anjos wrote.
Further, the code attempts to dupe webmasters into mistaking it for legitimate code.
Anjos suspects there will be other sites that also leverage this tactic against vBulletin sites.
Be wary of plugins as they can add custom code to your website or calls to external scripts in already existing plugins, he advised.
“This alone makes it difficult for a webmaster to locate the malicious injection, unless constant reviews of the plugins in use are done,” he wrote.