The URL involved is fairly random; the file name is identical between the requests, occurring back to back.
Example: /gate.php
This leaves analysts with very little to base a signature on.
The common factor for all flagged sites is that all have outdated versions of the vBulletin software, e.g. 4.0.2;
templates could have been infected.
polonus
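
The pattern described in the post above (random-looking URLs, identical file name, requests back to back) can be hunted in proxy logs without a fixed URL signature. The Python below is an added example, not part of the original post; the log format, the host names and the 5-second window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import posixpath

# Constructed sample proxy log lines: "ISO-timestamp client-ip URL"
SAMPLE_LOG = """\
2014-01-10T09:15:01 10.0.0.5 http://forum.example/index.php
2014-01-10T09:15:02 10.0.0.5 http://qzkxw.example/a81f/gate.php
2014-01-10T09:15:03 10.0.0.5 http://hbtrn.example/77c2/gate.php
2014-01-10T09:15:40 10.0.0.7 http://news.example/index.php
2014-01-10T09:20:00 10.0.0.7 http://shop.example/index.php
2014-01-10T09:20:01 10.0.0.5 http://forum.example/index.php
"""


def parse(line):
    """Split one log line into (time, client, (host, directory), file name)."""
    ts, client, url = line.split(maxsplit=2)
    parts = urlsplit(url.strip())
    directory, name = posixpath.split(parts.path)
    return datetime.fromisoformat(ts), client, (parts.netloc, directory), name


def back_to_back_same_file(log_text, window_seconds=5):
    """Flag consecutive requests from one client that share a file name
    but point at different host/directory locations within the window."""
    last = {}   # client -> (time, location, file name) of its previous request
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, location, name = parse(line)
        prev = last.get(client)
        if (prev and name and prev[2] == name and prev[1] != location
                and when - prev[0] <= timedelta(seconds=window_seconds)):
            hits.append((client, name, prev[1][0], location[0]))
        last[client] = (when, location, name)
    return hits


if __name__ == "__main__":
    for client, name, first_host, second_host in back_to_back_same_file(SAMPLE_LOG):
        print(f"{client}: {name} requested from {first_host} then {second_host}")
```

Common names such as index.php will also match when the window is wide, so keep the window short and review hits against the referring page.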