High traffic vbulletin forums, using the vbseo URL rewrite plugin, have suffered from two weeks or relentless attacks from hackers.
However, a way to close the vulnerability has been offered by vbseo support staff, suggesting that changing the server setting “register_globals” to “off” as a solution.
So far, forums implementing this appear to have finally avoided reinfection.
The attacks started early in July, with an automated program hacking a list of sites every six hours.
The attack resulted in a redirect being inserted into the forum datastore, which redirected search engine traffic to another site, usually 123url.info.
The hackers gain from advertising revenue displayed to the redirected traffic.
The result is that someone using Google search and clicking through to a forum link, would instead be redirected to 123url.info.
Advertising was powered by Infinityads, and included clients such as the Financial Times FT.com website being promoted to the traffic gained through hacking.
However, the redirect would only happen the once, and a cookie dropped on the users machine would prevent it happening again.
As the forums would run normally for users coming in directly via bookmarks or their browser address bar, nothing would appear amiss.
The only suggestion of trouble would loss of traffic and any associated advertising revenue.
The hackers are believed to have attacked forums running vbseo specifically, because webmasters using this plugin are actively driving traffic to their sites, and therefore help with ad display volume on the hacker site.