Malware Served With Ads, malware served with ads Options

[dendrob]

I'm getting several different people letting me know that their antivirus/spam blockers are stopping infection attempts of Antivirus 2009 malware. I've scanned my server and had my hosting company check it as well. Google doesn't complain either. I suspect that openx is serving malware code with banners. Is anyone else having this issue?

[keledan]

Hi, have you updated to openx 285? I had the same problems and the only solutions I could find was to upgrade, my version was 2.81.

[dendrob]

Hi, have you updated to openx 285? I had the same problems and the only solutions I could find was to upgrade, my version was 2.81.

I use the openx.org not stand alone version

[svsanchez]

Hello, I am having the same problem here, also using the hosted version of openx (openx.org).

[loodp]

Hello, I am having the same problem here, also using the hosted version of openx (openx.org).

So the hosted version is serving malware as well? I was just thinking about switching to hosted from my stand-alone (which is up-to-date 2.8.5 but still gets hacked every other week). So that's not going to be an improvement then..

[bdw]

are you all opted-in to the Ad Market? other people have complained about this in other threads.

[neomax]

they found me too. Not a member of openx market.

What they did to me was inject a zero pixel iframe into the banner append language ...(first time) and the pre-pend field the second time.

I upgraded after the second and now notice a big difference in how the software operates. Thought I'd see the issue here.

I think someone compiled a list of openx ... maybe hacked the registrations here ... and did a little research.

With a well placed hack, they could do well, the frigging criminals.

GP Hughes

[quix0r]

Just run this SQL query to clear all (!) append/prepend tags:

CODE

UPDATE `ox_banners` SET `append`='',`prepend`=''

On my server, the IFRAME included a "in.cgi" which is hosted on a .co.cc domain, which seems to be protected and only redirect to a JavaScript (helpctrall.php for my side but they seem to randomize these script names) which calls a hcp:// link. According to one of my users it tries to "install something into Windows Media Player".

I have analyzed the HTML code generated by the helpctrall.php script, it looks like that it tries to force the Media Player to download load.exe which is a win32 binary (I do not execute that on my Wine installation). So far with my investigations.

I *think* the cracker (not hacker, please!) was able to intrude my server through the scripts in www/delivery/ which were not yet (but now are) protected by Cracker Tracker Standalone (see my SVN download link http://www.ship-simu.org/repos/ctracker/trunk/ for details). As I know these files got flushed (right?) and therefore the little line require('ctracker.php'); got removed from it. Can I somewhere add it so it will always be included?

[Zbynek Filinger]

Just run this SQL query to clear all (!) append/prepend tags:

CODE

UPDATE `ox_banners` SET `append`='',`prepend`=''

On my server, the IFRAME included a "in.cgi" which is hosted on a .co.cc domain, which seems to be protected and only redirect to a JavaScript (helpctrall.php for my side but they seem to randomize these script names) which calls a hcp:// link. According to one of my users it tries to "install something into Windows Media Player".

I have analyzed the HTML code generated by the helpctrall.php script, it looks like that it tries to force the Media Player to download load.exe which is a win32 binary (I do not execute that on my Wine installation). So far with my investigations.

I *think* the cracker (not hacker, please!) was able to intrude my server through the scripts in www/delivery/ which were not yet (but now are) protected by Cracker Tracker Standalone (see my SVN download link http://www.ship-simu.org/repos/ctracker/trunk/ for details). As I know these files got flushed (right?) and therefore the little line require('ctracker.php'); got removed from it. Can I somewhere add it so it will always be included?

Thanks, quix0r, the sql code you've provided, has saved me a lot of clicking!

[darkrvador44]

my version of open x was 2.8.1, i've got the same problem with google since two days…
i uprgrade my version to 2.8.7 yesterday, and i run the sql script today…
i hope this will repair my Google avertissement.

[tof75017]

I'm experiencing the same problem with my websites.
Google phishing alert include !

I'm trying to download the 2.8.7 but the openx website displays error messages on the page.
I ran the SQL routine.

Is it enough ?

What more can i do ?

Thanks for your help.

[darkrvador44]

I'm experiencing the same problem with my websites.
Google phishing alert include !

I'm trying to download the 2.8.7 but the openx website displays error messages on the page.
I ran the SQL routine.

Is it enough ?

What more can i do ?

Thanks for your help.

Waiting for help too

[samurai]

Also facing this problem on 2.8.5 stand-alone. Will an upgrade to 2.8.7 fix this problem?

thanks

[T2VSonya]

Also facing this problem on 2.8.5 stand-alone. Will an upgrade to 2.8.7 fix this problem?

thanks

I am having this problem today on 2.8.7 stand-alone. I'm forwarding this thread to my support people. Is there any other help anyone can give me?