Comments on: Attacks on OpenX v2.8.2 installations reported http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/ Support, Consulting, and Training for OpenX Source ad server Thu, 03 Nov 2011 08:03:08 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Erik Geurts http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/comment-page-1/#comment-183 Erik Geurts Wed, 14 Apr 2010 17:45:33 +0000 http://www.openxconsultant.com/?p=445#comment-183 Hi Will, Tait, I'm very sorry to hear that you've been hit by this, as have been many others. I would like to recommend that you contact <a href="http://www.beccati.com/" rel="nofollow">Matteo Beccati</a>, he is almost certainly able to help you with the clean-up efforts. Good luck, Erik Geurts Hi Will, Tait,

I’m very sorry to hear that you’ve been hit by this, as have been many others. I would like to recommend that you contact Matteo Beccati, he is almost certainly able to help you with the clean-up efforts.

Good luck, Erik Geurts

]]> By: Tait http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/comment-page-1/#comment-182 Tait Wed, 14 Apr 2010 13:14:44 +0000 http://www.openxconsultant.com/?p=445#comment-182 Hey Erik, Do you know what entries were made in the DB that caused the stats to not show up? Thanks! Hey Erik,

Do you know what entries were made in the DB that caused the stats to not show up?

Thanks!

]]> By: Will Willis http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/comment-page-1/#comment-181 Will Willis Tue, 13 Apr 2010 22:44:33 +0000 http://www.openxconsultant.com/?p=445#comment-181 I just found that I've been hit with this attack. I moved the install.php file out of www/admin/ and I deleted the new admin account. Any idea how I can get my stats back? I just found that I’ve been hit with this attack. I moved the install.php file out of www/admin/ and I deleted the new admin account. Any idea how I can get my stats back?

]]> By: Matteo Beccati http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/comment-page-1/#comment-180 Matteo Beccati Tue, 13 Apr 2010 09:57:26 +0000 http://www.openxconsultant.com/?p=445#comment-180 I've just reported the attacker IP address to the abuse account of the Italian ISP (Fastweb). Quickly translated email follows: <cite> Hi, I've been contacted by many customers around the world to solve the issues caused by an attack exploiting a vulnerability of the popular open source ad server OpenX (www.openx.org). The mass infection took place on Saturday April 10 between 1pm and 2pm Italian time and it was coming from an IP address belonging to your network: 62.101.68.213. Here are some excerpts from web server logs that I verified myself: <code> 62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "GET /admin/index.php HTTP/1.1" 200 1388 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "POST /admin/install.php HTTP/1.1" 200 1529 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "POST /admin/index.php HTTP/1.1" 200 1438 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "GET /admin/account-switch.php?account_id=1 HTTP/1.1" 200 1378 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:07:46:58 -0400] "POST /admin/plugin-index.php HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows)" </code> <code> 62.101.68.213 - - [10/Apr/2010:04:47:17 -0700] "GET /openx/www/admin/index.php HTTP/1.1" 200 4420 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:04:47:21 -0700] "POST /openx/www/admin/install.php HTTP/1.1" 200 3688 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:04:47:23 -0700] "POST /openx/www/admin/index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:04:47:26 -0700] "GET /openx/www/admin/account-switch.php?account_id=1 HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:04:47:29 -0700] "POST /openx/www/admin/plugin-index.php HTTP/1.1" 200 4248 "-" "Mozilla/5.0 (Windows)" 62.101.68.213 - - [10/Apr/2010:04:47:32 -0700] "GET /openx/plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php HTTP/1.1" 200 175 "-" "Mozilla/5.0 (Windows)" </code> </cite> I’ve just reported the attacker IP address to the abuse account of the Italian ISP (Fastweb).

Quickly translated email follows:

Hi,

I’ve been contacted by many customers around the world to solve the issues caused by an attack exploiting a vulnerability of the popular open source ad server OpenX (www.openx.org).

The mass infection took place on Saturday April 10 between 1pm and 2pm Italian time and it was coming from an IP address belonging to your network: 62.101.68.213.

Here are some excerpts from web server logs that I verified myself:

62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "GET /admin/index.php HTTP/1.1" 200 1388 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:07:46:56 -0400] "POST /admin/install.php HTTP/1.1" 200 1529 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "POST /admin/index.php HTTP/1.1" 200 1438 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:07:46:57 -0400] "GET /admin/account-switch.php?account_id=1 HTTP/1.1" 200 1378 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:07:46:58 -0400] "POST /admin/plugin-index.php HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows)"


62.101.68.213 - - [10/Apr/2010:04:47:17 -0700] "GET /openx/www/admin/index.php HTTP/1.1" 200 4420 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:04:47:21 -0700] "POST /openx/www/admin/install.php HTTP/1.1" 200 3688 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:04:47:23 -0700] "POST /openx/www/admin/index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:04:47:26 -0700] "GET /openx/www/admin/account-switch.php?account_id=1 HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:04:47:29 -0700] "POST /openx/www/admin/plugin-index.php HTTP/1.1" 200 4248 "-" "Mozilla/5.0 (Windows)"
62.101.68.213 - - [10/Apr/2010:04:47:32 -0700] "GET /openx/plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php HTTP/1.1" 200 175 "-" "Mozilla/5.0 (Windows)"

]]> By: Craig Payne http://www.openxconsultant.com/blog/2010/04/attacks-on-openx-v2-8-2-installations-reported/comment-page-1/#comment-179 Craig Payne Tue, 13 Apr 2010 09:38:32 +0000 http://www.openxconsultant.com/?p=445#comment-179 Erik Thanks for staying on top of this. As you know I have been watching the forum posts and reports nervously about my installation. No problems yet. CP Erik

Thanks for staying on top of this. As you know I have been watching the forum posts and reports nervously about my installation. No problems yet.

CP

]]>