OpenX has released version 2.8.7, which patches a vulnerability that could allow an OpenX installation to be compromised. Previous vulnerabilities have led to numerous OpenX installations being hacked and infected with malware. No details have been given on what the vulnerability was or what other changes, if any, were made in this release. The new version does include an updated version of the openXVideoAds plugin that patches a vulnerability in an earlier version. Without knowing what issue or issues were fixed, it is hard to determine the source of a hacking; if a hacked OpenX installation was running an out of date version, new vulnerabilities being exploited in OpenX could go undiagnosed in the future.
OpenX's lack of details about changes began with version 2.8.4, which was released in January of 2010. Beginning with that release, the only information on the changes that have been made is a link to https://developer.openx.org. The information about releases in that section of the website is not complete. The listing for version 2.8.6 lists only one item that was fixed; it does not indicate that a fix for a “potentially serious SQL injection vulnerability” and a bug that caused advertisers to disappear were also included in the update. The listing for 2.8.7 lists only 13 unresolved issues.
SG Managed is providing hosting for c4412d2ffc4bf832.info, an important component of a spam hack that has affected a large number of Zen Cart based websites. It is one of eight websites from which the hacked websites attempt to retrieve a file containing a set of spam links to display when search engines request pages from the hacked website. It is the only one currently active; if its hosting were shut off, the hacked websites would no longer contain spam links unless new hosting could be found. We contacted SG Managed about the issue several weeks ago; we have received no response and the website is still being hosted by them. When we contacted another host that had been providing service for another website used by the hack, they shut down the service within an hour.
We are currently in the process of contacting the websites that have been affected.
The Planet, a large US hosting provider, provides hosting for two websites that are critical to a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that, when accessed, attempt to infect the visitor's computer with malware. This particular campaign involves two sets of hacked websites and the websites hosted by The Planet. The first set of websites has been hacked to display the content of a file requested from either getalllinks.info or dvc44ftgr.com when a page from the hacked website is requested by a search engine. The files from getalllinks.info and dvc44ftgr.com, hosted by The Planet at the IP address 22.214.171.124, include links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt or http://www.dvc44ftgr.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites and they get included in search engine results. When people access the pages through search engines they are redirected to a fake anti-virus scanner that attempts to infect their computers with malware. Without the two domains hosted by The Planet, the pages on the second set of websites are never crawled and never get included in the search results where they could be accessed by users.
We twice contacted The Planet about the issue and in both cases they took no action. The first time they claimed the issue had already been resolved, and the second time they claimed they could not find anything. We did not receive the same response when we contacted another provider that had been providing service for one of the domains. EveryDNS, which had been providing DNS service for getalllinks.info, shut off the service a day after we contacted them. Two weeks later the domain became active again after it started using DNS service hosted on the same server at The Planet.
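One way a site owner can check for the two behaviours described in this post and the Zen Cart post above (spam links served only when a search engine requests the page, and visitors arriving from a search engine being redirected), as an added example that is not from the original posts; the domains, the fetcher and the page contents are constructed for illustration and the check runs offline.

```python
import re

# Request profiles for the two views a hacked page serves differently.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"
SEARCH_REFERER = "http://www.google.com/search?q=anything"
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def extract_links(html):
    """Return the set of href targets in an HTML body."""
    return set(HREF_RE.findall(html))

def cloaked_links(url, fetch):
    """Links served only to the crawler: the spam links a hacked site pulls
    from a remote file. fetch(url, headers) -> (status, headers, body)."""
    _, _, crawler_body = fetch(url, {"User-Agent": CRAWLER_UA})
    _, _, browser_body = fetch(url, {"User-Agent": BROWSER_UA})
    return extract_links(crawler_body) - extract_links(browser_body)

def referer_redirect(url, fetch):
    """Location a visitor arriving from a search engine is sent to, or None
    if the page behaves the same with and without a search-engine Referer."""
    plain = fetch(url, {"User-Agent": BROWSER_UA})
    via_search = fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER})
    if 300 <= via_search[0] < 400 and not 300 <= plain[0] < 400:
        return via_search[1].get("Location")
    return None

# Constructed fetcher simulating both kinds of hacked site from the post
# (no network); a real run would wrap urllib with the same signature.
def constructed_fetch(url, headers):
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    page = '<html><body><a href="/about.html">About</a></body></html>'
    if url == "http://first-set.example/":
        if "Googlebot" in ua:  # cloaked view: injected spam links
            page = page.replace("</body>",
                '<a href="http://second-set.example/x.php">cheap pills</a></body>')
        return 200, {"Content-Type": "text/html"}, page
    if url == "http://second-set.example/x.php":
        if "google.com/search" in ref:  # only search-engine visitors get bounced
            return 302, {"Location": "http://fake-av.example/scan.php"}, ""
        return 200, {"Content-Type": "text/html"}, page
    return 404, {}, ""

if __name__ == "__main__":
    print(cloaked_links("http://first-set.example/", constructed_fetch))
    print(referer_redirect("http://second-set.example/x.php", constructed_fetch))
```

A clean site returns an empty set and None; any link present only in the crawler view, or a redirect that appears only with a search-engine Referer, is worth investigating.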
Rackspace is the latest in a string of recent hosting-provider-caused hackings of client websites. Unfortunately, some hosting providers continue to not take the basic steps to keep their customers secure from hacks at the hosting provider level. One of the most basic security steps is keeping software updated, which Rackspace failed to do with at least one major software component. On January 27, phpMyAdmin, a widely used MySQL database administration tool, released a security advisory warning of a “critical” vulnerability in versions of 2.11.x prior to version 2.11.10. The secure version of phpMyAdmin had been released a month prior to the advisory's release. Rackspace finally upgraded the installation of phpMyAdmin running on their Rackspace Cloud service on June 13, and that was only “after customer reports brought” it to their attention. Up until then, they had not updated phpMyAdmin since version 2.11.3 was released, which was back in December of 2007. Rackspace claims that they have “reviewed and adjusted our procedures so that going forward we will do better to stay up to date with the latest security releases of phpMyAdmin”.
Google has announced that they will begin displaying “Notice of Suspected Hacking” messages in their Webmaster Tools when they detect that a website has potentially been hacked. The messages will provide example URLs of the hacked pages, next steps for fixing the issue, and instructions on getting back into Google’s search results after the issue has been fixed. Google will also be adding notifications of spammy or abused user-generated content, abused forum pages, or egregious amounts of comment spam. Once you have signed up for Google’s Webmaster Tools you can instruct Google to forward these messages and other messages, including malware notifications, to an email address you select.