First symptoms: statistics disappeared

The first symptoms is that the statistics in OpenX disappear. I’ve seen reports of people mentioning this on the OpenX forums, and some people have also contacted me directly. Luckily, the statistics aren’t really gone from the database, and ad delivery continues to function without problem. This was confirmed when inspecting the database and looking at the tables that store the statistics.

Cause: hacks of old versions

While investigating one of these problematic OpenX installations, fellow OpenX consultant Matteo Beccati discovered that it had been attacked, abusing a vulnerability in OpenX v2.8.2 that has been fixed a long time ago. Unfortunately, not everyone has taken the time to upgrade yet, leaving their systems vulnerable to attacks like this one.

It was found that the attacker uses this security vulnerability to insert an additional administrator account. Next he uses this login to upgrade the OpenX plugin that takes care of the available banner types. The plugin he injects contains malicious code that creates a backdoor into the server. As a side effect, the attack creates some entries in the database, leading to the disappearance of the on-screen statistics.

From the logs that have been found, this appears to be an automated attack. The attacks that have been investigated are all originating from the same IP address.

Remedy: upgrade

For someone running OpenX v2.8.2 or older who hasn’t been infected yet, the best course of action is to upgrade to a more recent version of OpenX as soon as possible. If it takes a while to prepare and plan for this, then meanwhile I would recommend removing the install.php and install-plugins.php files in the ‘www/admin’ folder of your OpenX installation.

If a system has been attacked already, an upgrade is not going to fix this problem, since the modified plugin will be migrated to the new version, along with any changes in the database. This will have to be cleaned first.

Update

In later reports of the same kind of hack, the ‘missing statistics’ issue no longer occurred. It appears that the hacker has changed this element. However, the malicious code is still getting injected. The first time people notice problems is when their site or the ad server is reported as as containing malware by Google’s Safe Browsing program.

Not only OpenX v2.8.2 is vulnerable to this problem, the same applies to v2.8.0 and v2.8.1.

An emergency fix has been developed and released as OpenX Ad Server v2.8.3. The new version is available for immediate download at the OpenX website. The OpenX Blog provides background information and tips for security precautions.

Update April 13, 2010: it appears that an exploit for the vulnerability in OpenX v2.8.2 is making the rounds on the internet, infection these old versions with a back door and breaking the display of the on-screen statistics.