OpenX Community Forums
Post #1, Mar 23 2010, 10:36 PM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
I'm not sure where to post this, or who to speak to.
I was using OpenX 2.8.0 until yesterday. Google's 'stopbadware.org' service started to block our forum site in the major browsers. In tracking the problem back to the OpenX service, I promptly upgraded to the latest release, v2.8.5, thinking the vulnerability must be fixed in the current release. The 'stopbadware.org' service then unblocked the site and stated they were no longer finding the trojan links. A result, I thought. However, I was on the site this evening, and my AVG suddenly brought up a virus alert. Looking at the page, it shows the malicious code in a small grey box right above the banner image in the centre. The page source does not show it. I've examined the v2.8.0 files, and found no core file difference compared to the downloaded ZIP. Nothing was found in the database to indicate foul play. I can only surmise that the problem is an injection somehow, but I have no idea.
So, to conclude, the latest release is vulnerable somehow. Unless someone can say to me "here's a patch", I'm going to have to move away from OpenX to something else... if there is something... I've not looked yet! I've now removed all the banner placements so that our site does not get blocked again. Suggestions welcome on fixing this issue.

Post #2, Mar 24 2010, 07:07 AM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
Could it be this one?
https://secure1.securityspace.com/smysecure....html?id=100462

Post #3, Mar 24 2010, 09:57 AM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
Is this file legitimate: \plugins\bannerTypeHtml\oxHtml\genericHtml.delivery.php
And is there meant to be a gzinflate base64_decode section to the file?

Post #4, Mar 24 2010, 02:37 PM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)

Post #5, Mar 24 2010, 06:36 PM
Administrator (Group: OpenX Consultants; Posts: 1,606; Joined: 8-May 01; From: Ferrara, Italy; Member No.: 1)
I've found the very same file hacked on a client server. It's a c99madshell encoded script and you absolutely need to remove those lines from the otherwise legitimate file.

Post #6, Mar 24 2010, 06:39 PM
Advanced Member (Group: Members; Posts: 32; Joined: 13-June 06; Member No.: 11,475)
> I've found the very same file hacked on a client server. It's a c99madshell encoded script and you absolutely need to remove those lines from the otherwise legitimate file.

Can you give an excerpt of what the code looks like? We haven't been exploited, but it might help others.

Post #7, Mar 24 2010, 06:50 PM
Administrator (Group: OpenX Consultants; Posts: 1,606; Joined: 8-May 01; From: Ferrara, Italy; Member No.: 1)
> I've found the very same file hacked on a client server. It's a c99madshell encoded script and you absolutely need to remove those lines from the otherwise legitimate file. Can you give an excerpt of what the code looks like? We haven't been exploited, but it might help others.

Something like:

CODE
if (basename($_SERVER['PHP_SELF'])=='genericHtml.delivery.php') {
    eval(gzinflate(base64_decode("...")));
    die;
}

in /plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php (affected file may change). When the file is called directly, PHP will execute the encoded shell script, which is nicely described here.
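A defender-side scanner for the stub shape shown in the post above, added here as an example (it is not OpenX code and not from the thread's participants). It matches the eval(gzinflate(base64_decode(...))) chain, notes whether the PHP_SELF guard is present, and unpacks the payload statically for triage without executing it; the sample file and its payload are constructed.

```python
"""Flag the eval(gzinflate(base64_decode(...))) stub described in this thread
and statically unpack its payload for triage. Added example, not OpenX code."""
import base64
import re
import zlib
from pathlib import Path

# The tampered genericHtml.delivery.php wraps the payload in three layers:
# base64 text -> raw DEFLATE (gzinflate) -> PHP source handed to eval().
STUB_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)
# The guard that makes the stub run only when the file is requested directly.
GUARD_RE = re.compile(r"basename\s*\(\s*\$_SERVER\s*\[\s*['\"]PHP_SELF['\"]\s*\]\s*\)\s*==")

def peel_payload(blob: str) -> str:
    """Reverse base64_decode + gzinflate without executing anything.
    gzinflate expects raw DEFLATE, hence wbits=-15 (no zlib/gzip header)."""
    raw = base64.b64decode("".join(blob.split()))
    return zlib.decompress(raw, wbits=-15).decode("utf-8", errors="replace")

def scan_source(source: str) -> list:
    """One finding per stub: line number, whether the PHP_SELF guard is present,
    and the first 80 characters of the decoded payload (or a marker if undecodable)."""
    findings = []
    for m in STUB_RE.finditer(source):
        try:
            preview = peel_payload(m.group(1))[:80]
        except (ValueError, zlib.error):
            preview = "<payload not decodable>"
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line_no, "guarded": bool(GUARD_RE.search(source)), "preview": preview})
    return findings

def scan_tree(root: str) -> dict:
    """Map each .php file below root (e.g. plugins/ or www/admin/plugins/) to its findings."""
    return {str(p): hits for p in Path(root).rglob("*.php")
            if (hits := scan_source(p.read_text(errors="replace")))}

# Constructed sample: the stub shape from the thread with a harmless payload.
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
_PAYLOAD = base64.b64encode(_c.compress(b'<?php echo "constructed";') + _c.flush()).decode()
SAMPLE = ("<?php\n// legitimate plugin code above\n"
          "if (basename($_SERVER['PHP_SELF'])=='genericHtml.delivery.php') "
          "{ eval(gzinflate(base64_decode(\"" + _PAYLOAD + "\"))); die; }\n")
```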

Post #8, Mar 24 2010, 07:00 PM
Advanced Member (Group: Members; Posts: 32; Joined: 13-June 06; Member No.: 11,475)
> something like:
> CODE
> if (basename($_SERVER['PHP_SELF'])=='genericHtml.delivery.php') { eval(gzinflate(base64_decode("..."))); die; }
> in /plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php (affected file may change). when the file is called directly PHP will execute the encoded shell script, which is nicely described here.

So my next question is: How is this file being modified? This doesn't appear to be a simple SQL injection that's modifying append or prepend DB columns. Were the files in question writable by the httpd daemon? Did some version of OpenX get trojaned prior to download?

Post #9, Mar 24 2010, 07:50 PM
Administrator (Group: OpenX Consultants; Posts: 1,606; Joined: 8-May 01; From: Ferrara, Italy; Member No.: 1)
> So my next question is: How is this file being modified? This doesn't appear to be a simple SQL injection that's modifying append or prepend DB columns. Were the files in question writable by the httpd daemon? Did some version of OpenX get trojaned prior to download?

That's a very good question. I was able to investigate only a customer server and that question is still unanswered. I can suppose that the box was hacked when 2.8.0 was there. I presume that the upgrade to 2.8.5 just copied over the mangled file, but I still need to verify that. The file is created by OpenX itself when installing the default plugins, so it's definitely (and must be) writable by the webserver.

Post #10, Mar 25 2010, 12:57 AM
Beginner (Group: Members; Posts: 2; Joined: 24-March 10; Member No.: 104,341)
Just an FYI, same problem here (2.8.0). I found the offending code in 2 files.
I suspect that the entire openXBannerTypes plugin was affected. Plugin manager shows I have version 1.4.1 of the plugin but OpenX says the latest is 1.0.1 (mine's newer) when I hit upgrade. I upgraded to 2.8.5 and grep'd the code in these two files and deleted it.

CODE
/www/admin/plugins/openXBannerTypes/index.php
/plugins/bannerTypeHtml/oxHtml/genericHtml.delivery.php

I don't see "ads. fake-isp. com" showing up in YSlow anymore. But for how long? Has this happened to anyone not already infected running 2.8.5? Would like to just delete this plugin and reinstall it cleanly; possible? Where are the files to install?

Post #11, Mar 25 2010, 10:25 AM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
Yes, we installed a clean v2.8.5 set of files: moved the old v2.8.0 out, moved the new v2.8.5 files in, but using the same database. Standard upgrade process, I thought.
Anyone know where the plugin files get installed from? They're not in the downloaded ZIP. If it's coming from the openx.org people during the upgrade process, could their files have been hacked?

Post #12, Mar 25 2010, 10:28 AM
Administrator (Group: OpenX Consultants; Posts: 1,606; Joined: 8-May 01; From: Ferrara, Italy; Member No.: 1)
> Yes, we installed a clean v2.8.5 set of files, move old v2.8.0 out, move new v2.8.5 files in. However using the same database. Standard upgrade process I thought. Anyone know where the plugin files get installed from? they're not in the downloaded ZIP. If it's coming from the openx.org people during the upgrade process, could their files have been hacked?

The default plugin ZIP files are in the etc/plugins directory. It's close to impossible that they have been hacked. One thing I still need to verify is the possibility that a hacked plugin doesn't get overwritten during the upgrade (remember that you have to provide the old plugin path?)
Cheers
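One way to check the concern raised in the two posts above, that an upgrade may carry a tampered plugin file over unchanged: hash every member of the pristine plugin ZIP from etc/plugins and compare it with the deployed plugin tree. This is an added example, not OpenX's own upgrade or plugin-manager code; it assumes ZIP member paths mirror the installed layout, and the ZIP name, the second member and the demo files are constructed.

```python
"""Diff a deployed OpenX plugin tree against the pristine plugin ZIP in
etc/plugins, so a tampered file carried over by an upgrade stands out.
Added example, not OpenX's own upgrade or plugin-manager code."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_plugin(zip_path: Path, installed_root: Path) -> dict:
    """Return sorted lists of files that are modified, missing or extra relative
    to the ZIP. Assumes ZIP member paths mirror the installed tree layout."""
    expected = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                expected[info.filename] = sha256(zf.read(info))
    report = {"modified": [], "missing": [], "extra": []}
    for rel, digest in expected.items():
        target = installed_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256(target.read_bytes()) != digest:
            report["modified"].append(rel)
    for p in installed_root.rglob("*"):
        rel = p.relative_to(installed_root).as_posix()
        if p.is_file() and rel not in expected:
            report["extra"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def build_demo() -> dict:
    """Constructed scenario: clean ZIP versus an installed copy where the
    delivery file has code appended, one file is gone and one was added."""
    tmp = Path(tempfile.mkdtemp())
    clean = b"<?php\n// original delivery code\n"
    zpath = tmp / "openXBannerTypes.zip"  # ZIP name is illustrative
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("bannerTypeHtml/oxHtml/genericHtml.delivery.php", clean)
        zf.writestr("bannerTypeHtml/other.php", b"<?php\n")  # constructed member
    installed = tmp / "plugins"
    delivery = installed / "bannerTypeHtml/oxHtml/genericHtml.delivery.php"
    delivery.parent.mkdir(parents=True)
    delivery.write_bytes(clean + b"/* an appended stub would sit here */\n")
    (installed / "bannerTypeHtml/oxHtml/dropped.php").write_bytes(b"<?php\n")
    return verify_plugin(zpath, installed)
```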

Post #13, Mar 25 2010, 10:32 AM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
> (remember that you have to provide the old plugin path?)

Ahh, good point. We've not added any additional plug-ins. So anything there would have come from the default installation. It would not make sense to migrate the default plug-ins to the new upgrade release from the old version, would it?

Post #14, Mar 25 2010, 10:39 AM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
If it makes any difference... I had forgotten about this, but when I upgraded I had the same upgrade error message as in this post... http://forum.openx.org/index.php?showtopic=503468381

Post #15, Mar 25 2010, 01:32 PM
Member (Group: Members; Posts: 18; Joined: 27-May 09; Member No.: 28,305)
Ok, getting somewhere I think. I've installed a clean version, got the two plugin directories and replaced the live install with those clean plugin directories.
How do I fix the issue of version reporting? The live install still reports them as newer. I deleted one of the plugins from the interface; how can I re-install them? Not worked it out yet.