Attacks on OpenX v2.8.2 installations reported

Starting Saturday, April 10, 2010, users of OpenX v2.8.2 have begun to experience problems with their ad servers that have now been traced back to the security vulnerability that I wrote about back in December of 2009.

First symptoms: statistics disappeared

The first symptom is that the statistics in OpenX disappear. I’ve seen reports of people mentioning this on the OpenX forums, and some people have also contacted me directly. Luckily, the statistics aren’t really gone from the database, and ad delivery continues to function without problems. This was confirmed by inspecting the database and looking at the tables that store the statistics.

Cause: hacks of old versions

While investigating one of these problematic OpenX installations, fellow OpenX consultant Matteo Beccati discovered that it had been attacked by abusing a vulnerability in OpenX v2.8.2 that was fixed a long time ago. Unfortunately, not everyone has taken the time to upgrade yet, leaving their systems vulnerable to attacks like this one.

It was found that the attacker uses this security vulnerability to insert an additional administrator account. Next he uses this login to upgrade the OpenX plugin that takes care of the available banner types. The plugin he injects contains malicious code that creates a backdoor into the server. As a side effect, the attack creates some entries in the database, leading to the disappearance of the on-screen statistics.

From the logs that have been found, this appears to be an automated attack. The attacks that have been investigated all originate from the same IP address.

Remedy: upgrade

For someone running OpenX v2.8.2 or older who hasn’t been infected yet, the best course of action is to upgrade to a more recent version of OpenX as soon as possible. If it takes a while to prepare and plan for this, then in the meantime I would recommend removing the install.php and install-plugins.php files from the ‘www/admin’ folder of your OpenX installation.

If a system has been attacked already, an upgrade is not going to fix this problem, since the modified plugin will be migrated to the new version, along with any changes in the database. This will have to be cleaned first.

Update

In later reports of the same kind of hack, the ‘missing statistics’ issue no longer occurred. It appears that the hacker has changed this element. However, the malicious code is still getting injected. The first time people notice problems is when their site or the ad server is reported as containing malware by Google’s Safe Browsing program.

Not only OpenX v2.8.2 is vulnerable to this problem; the same applies to v2.8.0 and v2.8.1.

About Erik Geurts

Find out more about me on my profile page on Google+

Comments

  1. Craig Payne says:

    Erik

    Thanks for staying on top of this. As you know I have been watching the forum posts and reports nervously about my installation. No problems yet.

    CP

  2. I’ve just reported the attacker IP address to the abuse account of the Italian ISP (Fastweb).

    Quickly translated email follows:

    Hi,

    I’ve been contacted by many customers around the world to solve the issues caused by an attack exploiting a vulnerability of the popular open source ad server OpenX (www.openx.org).

    The mass infection took place on Saturday April 10 between 1pm and 2pm Italian time and it was coming from an IP address belonging to your network: 62.101.68.213.

    Here are some excerpts from web server logs that I verified myself:

    62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "GET /admin/index.php HTTP/1.1" 200 1388 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "POST /admin/install.php HTTP/1.1" 200 1529 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "POST /admin/index.php HTTP/1.1" 200 1438 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "GET /admin/account-switch.php?account_id=1 HTTP/1.1" 200 1378 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:07:46:58 -0400] "POST /admin/plugin-index.php HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows)"


    62.101.68.213 - - [10/Apr/2010:04:47:17 -0700] "GET /openx/www/admin/index.php HTTP/1.1" 200 4420 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:04:47:21 -0700] "POST /openx/www/admin/install.php HTTP/1.1" 200 3688 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:04:47:23 -0700] "POST /openx/www/admin/index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:04:47:26 -0700] "GET /openx/www/admin/account-switch.php?account_id=1 HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:04:47:29 -0700] "POST /openx/www/admin/plugin-index.php HTTP/1.1" 200 4248 "-" "Mozilla/5.0 (Windows)"
    62.101.68.213 - - [10/Apr/2010:04:47:32 -0700] "GET /openx/plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php HTTP/1.1" 200 175 "-" "Mozilla/5.0 (Windows)"
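The log excerpts above show a recognisable shape: a POST to the installer script, followed within seconds by a POST to the plugin management page. The following is an added detection example, not code from this post or from the OpenX project: it parses Apache-style access log lines in the format of the excerpts and flags any POST to install.php or install-plugins.php, and a POST to plugin-index.php from the same client shortly after it. The sample log lines are constructed with documentation IP addresses, and the 120-second correlation window is an assumption; tune it to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache-style access log line, matching the shape of the excerpts quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Installer scripts that should not be reachable (let alone accept POSTs) on a live ad server.
INSTALLER_SCRIPTS = ("install.php", "install-plugins.php")
# Plugin management page used in the second stage of the chain described in the post.
PLUGIN_SCRIPT = "plugin-index.php"

# Constructed sample lines (documentation IPs): one client follows the installer-then-plugin
# pattern, another performs an ordinary plugin update without touching the installer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2010:07:46:56 -0400] "GET /admin/index.php HTTP/1.1" 200 1388 "-" "Mozilla/5.0 (Windows)"',
    '203.0.113.5 - - [10/Apr/2010:07:46:56 -0400] "POST /admin/install.php HTTP/1.1" 200 1529 "-" "Mozilla/5.0 (Windows)"',
    '203.0.113.5 - - [10/Apr/2010:07:46:57 -0400] "POST /admin/index.php HTTP/1.1" 200 1438 "-" "Mozilla/5.0 (Windows)"',
    '203.0.113.5 - - [10/Apr/2010:07:46:58 -0400] "POST /admin/plugin-index.php HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows)"',
    '198.51.100.7 - - [10/Apr/2010:09:12:03 -0400] "GET /admin/index.php HTTP/1.1" 200 1388 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - - [10/Apr/2010:09:15:40 -0400] "POST /admin/plugin-index.php HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (X11; Linux)"',
    'this line is not a valid access log entry',
]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z accepts the numeric offset (e.g. -0400) found in Apache timestamps.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string before matching
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": path,
        "script": path.rsplit("/", 1)[-1],
        "status": int(m.group("status")),
    }


def find_suspicious(lines, window_seconds=120):
    """Return a list of findings as (ip, kind, path, iso_timestamp) tuples.

    kind is "installer_post" for any POST to an installer script, and
    "installer_then_plugin_upload" when the same client POSTs to plugin-index.php
    within window_seconds after such an installer POST.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order intact
        for i, e in enumerate(evs):
            if e["method"] != "POST" or e["script"] not in INSTALLER_SCRIPTS:
                continue
            findings.append((ip, "installer_post", e["path"], e["ts"].isoformat()))
            deadline = e["ts"] + timedelta(seconds=window_seconds)
            for later in evs[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["method"] == "POST" and later["script"] == PLUGIN_SCRIPT:
                    findings.append((ip, "installer_then_plugin_upload",
                                     later["path"], later["ts"].isoformat()))
                    break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Run against a real access log with `find_suspicious(open("access.log").readlines())`. Any hit of the first kind on a production server is worth investigating on its own, since the installer should have been removed after setup; the second kind is the specific chain seen in the excerpts above.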

  3. Will Willis says:

    I just found that I’ve been hit with this attack. I moved the install.php file out of www/admin/ and I deleted the new admin account. Any idea how I can get my stats back?

  4. Tait says:

    Hey Erik,

    Do you know what entries were made in the DB that caused the stats to not show up?

    Thanks!

  5. Erik Geurts says:

    Hi Will, Tait,

    I’m very sorry to hear that you’ve been hit by this, as have been many others. I would like to recommend that you contact Matteo Beccati, he is almost certainly able to help you with the clean-up efforts.

    Good luck, Erik Geurts