Security Incidents mailing list archives
Malware(?) inserting porn links into registration/profile data for unsuspecting users
From: SF Lists <sfmailinglists () yahoo com>
Date: Thu, 15 Jul 2004 05:47:05 -0700 (PDT)
Hi,

I run a web site featuring a vBulletin forum (v3.0.3) running on a Debian woody system with Apache 1.3.x which allows users to register accounts and include basic profile information such as interests, occupation, etc. One of these fields allows for the input of a home page web address, identified by:

<input type="text" name="homepage" size="25" maxlength="200">

The registration process involves correctly entering in the text present in a randomly generated image as well as an e-mail confirmation process.

I have found that a significant number, although small minority (between 20-30), of users registering out of roughly 20,000 registrations, have included pornographic web sites that seem to be randomly generated based off of a list of valid sites and these users appear to be real people that go on to post constructively, apparently oblivious to the content of their profiles. Given the quality of the posts and the interaction that occurs with these users, I am confident that these are not automated registrations and that they are in fact humans which are somehow having this data inserted. Also, the vast majority of these affected users are completing the registration process which involves receipt of the registration e-mail and authentication via an encoded link.

When contacted, the individuals with the offending content in their profiles do not know how the sites ended up in their profiles. One individual has indicated that she was able to see the site listed in her profile and had suspected a virus before we contacted her, however has not been able to provide me with a name of a program responsible or the result of an updated anti-virus/adware scan.

There are no signs that our server has been compromised and we have not found anything in Apache logs that would suggest this, however I am open to further exploration of that issue.

At this point, I suspect that this is the work of some sort of malware or virus that detects the presence of an input field with the name "homepage" and inserts one of these addresses upon submitting the form, however have been unsuccessful in finding any references to a known application that uses this behavior. Keep in mind that this is simply based on observation and I have not attempted to change the fields in the registration form to see if the affected registrations stop.

Are there any known viruses or malware that exhibit this type of behavior? I've searched Symantec and Trend Micro for information regarding this but have turned up nothing thus far. Google seems to also be a lost cause, finding other sites that report similar problems without any mention of what this could be attributed to. It seems unlikely to me, as pointed out by the Incidents list moderator, that this behavior would go unnoticed for long without having been attributed to a specific virus or malware, and those of us who have run across the issue have been reporting it since the beginning of this year.

There is an ongoing thread at vBulletin's support forums on the subject:

http://www.vbulletin.com/forum/showthread.php?t=96331

Note that both the 2.x and 3.x branches of vBulletin seem to be equally affected and both use "homepage" as the name of the input field.

I am simply trying to get a name and point these users to information about maintaining a safe computing environment including updated anti-virus definitions and any specific removal instructions that might accompany whatever this is. I do realize, however, that it's not unlikely that if they'd become infected with this that they might have other compromises to deal with.

A small sampling of the sites that appear in user profiles:

http://hardcore-porn-1.net/porn_video_white_slut_black_dick_daaughter/ (sic)
http://teen-porn-1.com/hot_free_teen_pics/
http://pornfree18.com/porn_pictures_girls_free/

Others are listed in the vBulletin thread linked above.

Many thanks,
-B
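
The field-name hypothesis in the post above can be tested with a decoy field. The following is an added example, not part of the original message and not vBulletin code: the visible field is renamed (`member_site` is a hypothetical name), a text input still named `homepage` is kept but hidden from humans, and the server labels each registration POST by which field arrived filled. The sample submissions and the `injected.example` host are constructed.

```python
from collections import Counter
from urllib.parse import urlparse

DECOY_FIELD = "homepage"    # field name from the post; hidden from humans via CSS
REAL_FIELD = "member_site"  # hypothetical new name for the visible field

# Markup for the experiment: the decoy stays a text input (as in the post)
# so only its visibility changes; the visible field gets the new name.
FORM_SNIPPET = """
<div style="display:none">
  <input type="text" name="homepage" size="25" maxlength="200" autocomplete="off">
</div>
<input type="text" name="member_site" size="25" maxlength="200">
"""

def classify(form):
    """Label one registration POST, given as a dict of field name -> value."""
    decoy = (form.get(DECOY_FIELD) or "").strip()
    real = (form.get(REAL_FIELD) or "").strip()
    if decoy:
        return "decoy_filled"   # nobody can type here: filled by software, by name
    if real:
        return "real_filled"    # user-supplied, or an injector not keyed on the name
    return "empty"

def summarize(submissions):
    """Tally labels and collect hosts written into the decoy, for follow-up."""
    labels = Counter()
    decoy_hosts = Counter()
    for form in submissions:
        label = classify(form)
        labels[label] += 1
        if label == "decoy_filled":
            value = form[DECOY_FIELD].strip()
            # urlparse only finds a host when a scheme (or //) is present
            host = urlparse(value if "//" in value else "//" + value).hostname
            decoy_hosts[host or "(unparsed)"] += 1
    return {"labels": dict(labels), "decoy_hosts": dict(decoy_hosts)}

# Constructed sample submissions (not data from the post).
SAMPLE = [
    {"username": "alice", "member_site": "http://example.org/~alice"},
    {"username": "bob", "member_site": "", "homepage": "http://injected.example/path/"},
    {"username": "carol"},
    {"username": "dave", "homepage": "injected.example/other/"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A browser or toolbar form-filler that keys on field names can also populate the decoy, so the values it receives should be reviewed before attributing a hit to malware.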