Despite warnings from company behind vBulletin, tens of thousands of websites using the software have been hacked.
vBulletin is the fourth most popular content management system (CMS) on the internet with over 100,000 websites powered by its software, but a weakness in its security has seen hackers exploit tens of thousands of these websites using easily available and automated exploit tools to add administrator accounts to the affected sites.
In late August Internet Brands, the company behind vBulletin, issued a warning to all customers running versions 4.x and 5.x of its software, that they needed to remove two directories ( "/install" and "/core/install") on sites using the system or they would leave themselves open to an unspecified attack.
It seems that many customers didn't listen, and security company Imperva has revealed that over 35,000 websites running vBulletin have been hacked using this vulnerability. EA, Zynga, Sony and Steam are all listed as vBulletin customers on the company's website.
While Internet Brands didn't specify the root cause of the vulnerability, Imperva was able to determine how attacks breached the websites' security.
The security flaw "allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account."
Once the hacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the site supported by its CMS.
The people behind the attacks have been able to quickly identify websites which could be vulnerable to attack, and according to Amichai Shulman, Imperva's chief technology officer, the attackers could be using a botnet - a group of hacked PCs - to get around a problem of retrieving automated results.
Speaking to security researcher Brian Krebs, Shulman said: "In order to infect 30,000 targets in such a short period of time you need Google, but the problem is that you can't retrieve so many search results that easily in an automated way. Google may show you that there are 30,000 [vulnerable target sites], but when you start scrolling through them all you may get to maybe page five or six [before] you get a message that your machine is performing automated queries, and it will start showing you CAPTCHA," challenges to block automated lookups. "And if I repeat this behaviour from the same Internet address, I'll get blocked for a certain period of time."
By distributing the searches through many different internet addressepers by using a botnet, the attackers can overcome this problem.
"These guys can instruct each part of that distributed network to perform a partial search that would return a part of the entire results," Imperva's director of security strategy, Barry Shteiman said. "That way they can get the list sliced into much smaller pieces that a single machine can then crawl and scrape."
vBulletin has refused to confirm or deny if the vulnerability found by imperva is the same one it wanred about in late August, simply repeating the advise it gave initially, to remove the "/install" and/or "/core/install" folders. If you operate a vBulletin site and still have those directories installed, it is probalby worth while checking to see if any new administrator accounts have been added recently.