What to do when you suspect your OpenX Source system has been hacked

In the last couple of days, many reports have emerged of people seeing their OpenX Source systems being hacked. I’ve had mails from former clients and many new support requests from people I didn’t know yet. I’m afraid it is impossible for me to reply to every single e-mail instantly, and that’s why I’ve decided to post this article. I will keep adding tips and cleanup instructions to this article when I have new information.

How can you detect if your OpenX Source has been hacked?

There may be several ways to first find out about potential problems:

  • You might get mails or messages from people visiting your site(s) telling you that their virus scanner or malware protection has alerted them to a problem;
  • If the hack happened more than a few days ago, Google may have picked up on it and penalized your site by adding a malware warning to it. Visitors using the Google Toolbar in their browser will see a very clear warning on their screen, and you will receive an alert through the Google Webmaster Tools if you use that service;
  • You might find that when you are working in your ad server console you suddenly see a field asking you to enter a password (which you should NOT do!);

First things first: protect your site visitors

If you anticipate that it will take you longer than a few minutes to clean and fix your system, then it might be wise to protect your site visitors from being exposed to the malicious code through your banner ads. One way to do this in a very quick and dirty way is to temporarily rename the folder where your OpenX Source system is installed. So if your ad server is at www.example.com/openx/ you could rename it to www.example.com/brokenx/. This is not an elegant measure as it will result in ‘404 page not found’ errors for every single ad request, but at least your site visitors are now safe.

Next: protect your own computer. Do not log in to your OpenX Source system; instead, read on, find and clean all infections, and only then restore the ad server to a working state.

How did the hack work?

At a high level, the hack will probably have resulted in the following things that need to be ‘cleaned’:

  • one or more new administrator users will have been added to the ox_users table in the database that holds your OpenX Source data (see below for an example and cleanup instructions);
  • probably using these admin usernames, the hacker will then have been able to alter some of the plugins that are part of the core OpenX Source system;
  • one of the altered files will enable the hacker to access the database, completely circumventing the OpenX Source login process;
  • in the database, the hacker will have added code or altered code in the ‘append’ and/or ‘prepend’ columns of the ox_banners or ox_zones tables (or both).

What needs to be done to clean your OpenX Source system?

If you do not know how to work with tools like an FTP client, or the database management tool phpMyAdmin, you should find an experienced person to assist you. You may be able to get help from your hosting company or their help desk.

Here’s what you must do:

  • Remove the malicious users from the ox_users table (see below)
  • Remove the malicious code from the ox_banners and ox_zones tables (more detailed instructions in an update of this article later)
  • Search the plugins folder and sub folders, looking for files that have been added or altered recently (more information in an update later)
  • Protect your OpenX Source installation to prevent future hacking attempts
  • Upgrade your OpenX Source software to the most recent version
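As an added example (not the article's own code), this Python script implements the third step in the list: it walks the plugins folder and reports files that are much larger than their neighbours or carry a modification date different from most files in the same folder, the two signs described in the comments below. The 8 KB limit and the "most files in a folder share a date" rule are assumptions, not OpenX facts; the sample tree it builds is constructed.

```python
# Added example (not the article's code): flag plugin files that differ from their neighbours.
# The size limit and the shared-date rule are assumptions, not OpenX facts.
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

def _day(ts):
    return time.strftime("%Y-%m-%d", time.gmtime(ts))

def scan_plugins(root, max_kb=8):
    """Sorted (relative path, reason) pairs for files under root that are larger than
    max_kb or carry a modification date different from most files in the same folder
    (judged only in folders holding at least three files)."""
    root = Path(root)
    suspects = {}
    for folder, _dirs, names in os.walk(root):
        stats = {Path(folder) / n: (Path(folder) / n).stat() for n in names}
        common_day = None
        if len(stats) >= 3:
            common_day = Counter(_day(s.st_mtime) for s in stats.values()).most_common(1)[0][0]
        for path, st in stats.items():
            reasons = []
            if st.st_size > max_kb * 1024:
                reasons.append(f"{st.st_size // 1024} KB")
            if common_day and _day(st.st_mtime) != common_day:
                reasons.append(f"dated {_day(st.st_mtime)}, rest {common_day}")
            if reasons:
                suspects[str(path.relative_to(root))] = "; ".join(reasons)
    return sorted(suspects.items())

def make_sample_tree(base):
    """Constructed folder: three ~3 KB plugin files from one day plus a 24 KB file
    written 40 days later, modelled on the case reported in the comments."""
    d = Path(base) / "plugins" / "3rdPartyServers" / "ox3rdPartyServers"
    d.mkdir(parents=True)
    old = time.time() - 90 * 86400
    for name in ("a.class.php", "b.class.php", "c.class.php"):
        (d / name).write_bytes(b"<?php // legitimate plugin\n" + b"x" * 3000)
        os.utime(d / name, (old, old))
    rogue = d / "zz.class.php"
    rogue.write_bytes(b"<?php // injected file\n" + b"x" * 24576)
    os.utime(rogue, (old + 40 * 86400,) * 2)
    return Path(base) / "plugins"

def demo():
    """Build the sample tree in a temporary folder, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(make_sample_tree(tmp))
```

Point scan_plugins at the real plugins folder of your installation and review every reported file by hand before deleting it.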

Removing malicious users

The hacks usually start in a way that’s easy to spot, but only if you’re specifically looking for it. It is not yet known exactly how, but hackers have found a way to add administrator users to the ‘ox_users’ table. In many cases the administrator users were created weeks or months before the hackers actually came back to use them, injecting malicious code into the banners and/or zones or altering existing plugins.

Using a tool like phpMyAdmin or with the help of a system administrator or your hosting company, closely examine the ox_users table and look for records that look like this:

Malicious entries in the ox_users table indicate a hacker has gained access to your system at system administrator level

In this screenshot, I’ve masked the legitimate users and all encrypted passwords. What you’ll notice is that in this particular case, four records have been added that all have the contact name “Administrator” (just like the real administrator), and the user name is a variation on the admin user name. Also, you’ll notice that there is no e-mail address for these four rogue users, even though normally you cannot add a user through the OpenX user interface without providing an e-mail address. The hackers will have added encrypted passwords that they know, and as a result they have full administrator access to your system at any time.

Obviously, you should delete any of these malicious users as soon as you find them.
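As an added example (not code from the article or from OpenX), the following Python script runs the two database checks described in this article against an in-memory SQLite copy of the tables: rogue rows in ox_users, and append/prepend values in ox_banners and ox_zones that carry injected script. The column names (user_id, username, contact_name, email_address, bannerid, zoneid, append, prepend) are assumed from the article's description of the tables; the ox_users SELECT uses only portable SQL, so it can also be pasted into phpMyAdmin against the real MySQL tables with the ? replaced by your real admin username.

```python
# Added example (not from the article): spot hacker-added ox_users rows and injected
# append/prepend values. Column names follow the article's description and are assumptions.
import sqlite3

# Strings that have no place in the append/prepend field of a normal banner or zone.
INJECTION_MARKERS = ("<script", "<iframe", "eval(", "document.write", "unescape(", "fromcharcode")

ROGUE_USERS_SQL = """
SELECT user_id, username, contact_name, COALESCE(email_address, '')
  FROM ox_users
 WHERE COALESCE(TRIM(email_address), '') = ''
    OR (contact_name = 'Administrator' AND username <> ?)
 ORDER BY user_id"""

def find_rogue_users(conn, real_admin):
    """Usernames matching the pattern in the article: no e-mail address (the UI never
    allows that) or a second 'Administrator' whose username is not the real one."""
    return [row[1] for row in conn.execute(ROGUE_USERS_SQL, (real_admin,))]

def find_injected_fields(conn):
    """(table, row id, column) for every append/prepend value carrying an injection marker."""
    hits = []
    for table, key in (("ox_banners", "bannerid"), ("ox_zones", "zoneid")):
        for col in ("append", "prepend"):
            for row_id, value in conn.execute(f"SELECT {key}, {col} FROM {table}"):
                if value and any(m in value.lower() for m in INJECTION_MARKERS):
                    hits.append((table, row_id, col))
    return hits

def build_sample_db():
    """Constructed in-memory copy of the three tables, modelled on the article's screenshot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ox_users (user_id INTEGER, username TEXT, contact_name TEXT, email_address TEXT);
        CREATE TABLE ox_banners (bannerid INTEGER, append TEXT, prepend TEXT);
        CREATE TABLE ox_zones (zoneid INTEGER, append TEXT, prepend TEXT);
        INSERT INTO ox_users VALUES
          (1, 'admin',  'Administrator', 'admin@example.com'),
          (2, 'erik',   'Erik',          'erik@example.com'),
          (3, 'admin1', 'Administrator', ''),
          (4, 'admin_', 'Administrator', NULL),
          (5, 'adminx', 'Administrator', 'x@example.com');
        INSERT INTO ox_banners VALUES
          (10, '<!-- tracking pixel -->', ''),
          (11, '<script src="http://malware.invalid/x.js"></script>', '');
        INSERT INTO ox_zones VALUES
          (20, '', '<iframe src="http://malware.invalid/" width="0" height="0"></iframe>');
    """)
    return conn
```

Against the real database, treat every row these queries return as a lead to verify by hand, and take a backup before deleting anything.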

Some preventative measures if you haven’t been hacked

  • Secure your OpenX Source admin panels by adding an .htaccess to the www/admin folder that blocks access to anyone except known IP addresses (an example to follow later).
  • Change all passwords for all OpenX Source users and change the password you use for FTP access.
  • Use a good virus scanner and update it regularly, because even when working in the OpenX Source admin, you might be confronted with the malicious code added to banners or zones.
  • Run a full malware scan on your computer(s) that you use to work in OpenX Source, because the malicious code may have installed a key logger or trojan.

More information

There is some information and cleanup instructions in an article here, but that article is more than a year old and the hacks have become more sophisticated since then. It suggests upgrading to the latest version first and then cleaning the malicious code. I strongly recommend cleaning everything first and only then starting to plan an upgrade. Unfortunately, we’ve found this week that even the latest release, v2.8.7 of OpenX Source, seems to be vulnerable to this new round of attacks.

Share!

Please feel free to share this article with others, and please post comments, tips and suggestions below.

About Erik Geurts

Comments

  1. My OpenX was hacked and malware was added to it.

    I found and deleted malware tags from the append and prepend columns of the banners table. And I have checked the users table, there were no strangers there. Also, I scanned the web and database server.

    When I open HTML banners which are already in OpenX, it shows an error message. And the same for when I try to create a new HTML banner.

    However, it still shows this error. Any suggestion beside this?

    • You’re seeing this because of the fact the hacker managed to alter at least one of the files in the plugins directory, in this case most likely in the “plugins/3rdPartyServers/ox3rdPartyServers” directory. The files in there are normally about 3 to 4 KB in size, but you may find one or more files there that are larger and have a different date from the rest.

  2. It happened to me as well. The OpenX application still asks for a password when I get the tab code invocation n configuration.

  3. I found the 24 KB file at the location that you wrote above. And then I deleted it. Now the error is gone!

    Thank you so much!

  4. I went ahead and not only renamed the directory while cleaning the affected fields, I also created a new database user and then changed it in the config file. In addition, I added an .htaccess file to /www/admin as you said, and it’s IP restricted. So far, that seems to be working (yes all passwords are changed).

    By the way, if I were to want to make a permanent change to database user and password in the config file, how do I go about doing that? I’ve been unsuccessful so far (without reinstalling, I mean).

    • If you want to change the database login credentials, I’d suggest going about it like this:
      – in MySQL, create a new user with password
      – in MySQL, assign the user to the existing database, with ‘all privileges’ as is required for OpenX
      – for OpenX, change the configuration file with a text editor so that it starts to use the new username and password
      – in MySQL, once you’ve verified everything works correctly, remove the ‘old’ user in MySQL so it can no longer access the database, but do not remove the user yet
      – Check again if everything continues to work correctly, and once that’s confirmed, you can remove the old MySQL user

  5. Thank you very much.

    Since we can’t even get an older version like Openx 2.6.5 as a download any more, I am quite disappointed with the development by OpenX. I was quite happy to find a lot of useful information FOR FREE on your page, how to update for example. Without this I could have never done it. And this entry about security fixes certainly made my day and my page more secure.

    Thank you for sharing.

    With best regards, Burgy

    P.s. And yes, you are certainly an OpenX specialist!