Understanding How Our My Openx Was Compromised

[tt1551239]

My organization has recently undergone a security incident having to do with our openx server (we use version 2.8.7).

 

What we know - 

 

1. The attacker most probably exploited SQL Injection vulnerability in axmlrpc.php as an enrty point into our organization.

2. From there he went on to modify 2 files in /var/cache to contain malicious code in the "compiledlimitation" key. (This code created a web shell in the plugins directory).

3. Besides the shell created by the malicious files in /var/cache he was also able to create another shell in the plugins directory. This is a publicly available shell, known to be used in the context of openx (https://www.badwarebusters.org/stories/show/19972), titled "Web Shell by oRb". we have no idea how it was created.

4. After a few days the attacker modified the contents of \openx\plugins\deliveryCacheStore\oxCacheFile\oxCacheFile.delivery.php to contain code that infects the openx cache in a way that creates another entry in /var/cache which causes openx to server malicious iframes to users. The attacker modified the oxCacheFile.delivery.php file to contain the code that can be found here: http://ninjafirewall.com/malware/?threat=2014-02-20.01

 

Our Database and openx installations are on different servers.

We have no idea how the attacker was able to create the malicious files in \var\cache or how he was able to modify the contents of oxCacheFile.delivery.php.

 

Does anyone have experience with this type of attack vector?

Any help you can provide in understanding the what happened would be greatly appreciated.

 

Thanks,

 

[Erik Geurts]

I suggest upgrading to the latest version of Revive Adserver, the version you are using is several years old and has many known security issues.

[eLiX]

I know, that this is an old topic, but we are facing the almost same problem right now. After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4 and the compromised database kept clean since then. But the hackers are now using the way like described from the topic opener.

I found malicious code into the /plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php and a fake cache file under /var/cache/deliverycache_aaq22kik12944a6de781d37d3g0fd972nac6a9.php, which included a link to the hidden iframes, which were injected for Internet Explorers. So I googled and found this: http://www.malekal.com/en-openx-hacks-example-malvertising/ which describes almost the same issue - but I don't know how to fix the entry point right now? Can anyone help?

[dJAX]

Elix,

Revive Cache plug-in hacks the ad server. If you provide revive login and server detail, we will check " is they followed security tips or not?".

 

[eLiX]

15 minutes ago, dJAX said:

Elix,

Revive Cache plug-in hacks the ad server. If you provide revive login and server detail, we will check " is they followed security tips or not?".

 

Hello dJAX, 

thank you for your reply. Our sysadmin will not provide any login information to unknown people, sorry ;). 

Our admin area is protected by .htaccess.

I am very interested into the attack vector of the scenario the topic owner posted to prevent further modifications.

 

[Ian]

1 hour ago, eLiX said:

Hello dJAX, 

thank you for your reply. Our sysadmin will not provide any login information to unknown people, sorry ;). 

Our admin area is protected by .htaccess.

I am very interested into the attack vector of the scenario the topic owner posted to prevent further modifications.

 

I hope like every sane user who uses OpenX 2.8.7, he has upgraded to the latest Revive version...

[eLiX]

8 minutes ago, Ian van Marwijk said:

I hope like every sane user who uses OpenX 2.8.7, he has upgraded to the latest Revive version...

Sure, as I said before: We updated the system to the latest revive version :).

6 hours ago, eLiX said:

After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4 and the compromised database kept clean since then.

But the cache file hack is/was still active...

[Ian]

Be sure to check if there is not a file outside of your Revive folder which infects it again. Or maybe even a cronjob (i've seen it happening) also be sure to htaccess your /www/api and change passwords from all users.

 

[Erik Geurts]

8 minutes ago, eLiX said:

Sure, as I said before: We updated the system to the latest revive version :).

But the cache file hack is/was still active...

Yes, when you perform an upgrade, any and all plugins in the previous version will be ported along to the upgraded version. This includes anything that a malicious user might have added or modified. If an ad server is compromised, it should be cleaned up first, and then upgraded.

[eLiX]

15 hours ago, Erik Geurts said:

Yes, when you perform an upgrade, any and all plugins in the previous version will be ported along to the upgraded version. This includes anything that a malicious user might have added or modified. If an ad server is compromised, it should be cleaned up first, and then upgraded.

Ok, we made a second installation in a different folder with a blank revive adserver 3.2.4 and followed the instructions here https://www.revive-adserver.com/support/upgrading/.

In the old OpenX we removed the injected code from the ox_zones tables and a user with the userid 999 with admin rights named "Maintenance" and then we copied the database, because it seemed to be clean then. I followed the instructions from here: http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/

Anything wrong in this procedure? I thought, that will do the job.

15 hours ago, Ian van Marwijk said:

Be sure to check if there is not a file outside of your Revive folder which infects it again. Or maybe even a cronjob (i've seen it happening) also be sure to htaccess your /www/api and change passwords from all users.

 

Passwords were all changed, I'll htaccess the api - folder too now.

I removed the file adxmlrpc.php from the root folder to "disable" XML-RPC - is there a better way to disable this than removing the file?

Thanks for your hints and tips!

[Erik Geurts]

It is not impossible and actually very likely that the previous hack has placed something malicious on your server that will result in a compromise of your newly installed software. You are going to have to do a thorough check of the server as a whole, perhaps even do a complete re-install of the server itself.

[eLiX]

So that means, that upgrading to revive likely did not solve my problem then ...

In case I am reinstalling the revive adserver completely blank on a totally different server under a different domain - how can I safely import our data to the new system? Do I need to copy&paste every banner by hand to be sure, that there is no malicious code or anything else into it?