tt1551239, posted March 2, 2015

My organization has recently undergone a security incident having to do with our OpenX server (we use version 2.8.7). What we know:

1. The attacker most probably exploited an SQL injection vulnerability in axmlrpc.php as an entry point into our organization.
2. From there he went on to modify 2 files in /var/cache to contain malicious code in the "compiledlimitation" key. (This code created a web shell in the plugins directory.)
3. Besides the shell created by the malicious files in /var/cache, he was also able to create another shell in the plugins directory. This is a publicly available shell, known to be used in the context of OpenX (https://www.badwarebusters.org/stories/show/19972), titled "Web Shell by oRb". We have no idea how it was created.
4. After a few days the attacker modified the contents of \openx\plugins\deliveryCacheStore\oxCacheFile\oxCacheFile.delivery.php to contain code that infects the OpenX cache in a way that creates another entry in /var/cache, which causes OpenX to serve malicious iframes to users. The attacker modified the oxCacheFile.delivery.php file to contain the code that can be found here: http://ninjafirewall.com/malware/?threat=2014-02-20.01

Our database and OpenX installations are on different servers. We have no idea how the attacker was able to create the malicious files in \var\cache or how he was able to modify the contents of oxCacheFile.delivery.php.

Does anyone have experience with this type of attack vector? Any help you can provide in understanding what happened would be greatly appreciated.

Thanks
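The two artefacts described in this post (a delivery cache file under /var/cache carrying executable code, and a delivery plugin patched to emit an iframe) lend themselves to a quick heuristic sweep. The script below is an added example, not code from this thread or from OpenX/Revive Adserver; the install path, the pattern list and the sample files it constructs are all assumptions, and the "malicious" sample contents are inert placeholders.

```sh
#!/bin/sh
# Added example; not code from the thread or from Revive Adserver/OpenX.
# Heuristic sweep of an ad server tree for the two artefacts the thread
# describes: delivery cache files under var/cache that carry executable
# code, and a delivery plugin that emits an injected iframe. The install
# path and the sample files below are assumptions/constructed.

# Constructs that have no business in a serialized cache entry or in a
# cache-store plugin. A hit means "open the file and look", not "infected".
SUSPICIOUS_RE='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|<iframe|\$_(GET|POST|REQUEST|COOKIE)\['

# scan_dir DIR: one line "path<TAB>first matching construct" per flagged file.
scan_dir() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        hit=$(grep -E -o "$SUSPICIOUS_RE" "$f" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$f" "$hit"
        fi
    done
}

# count_hits DIR: number of flagged files; handy as a cron check that
# alerts on a non-zero result.
count_hits() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# make_sample_install DIR: constructed miniature install for trying the
# sweep offline. The "malicious" contents are inert placeholders.
make_sample_install() {
    mkdir -p "$1/var/cache" "$1/plugins/deliveryCacheStore/oxCacheFile"
    # Ordinary cache entry: serialized data only.
    printf '%s\n' '<?php' '$cache = array("expires" => 1462000000);' \
        > "$1/var/cache/deliverycache_clean.php"
    # Cache entry carrying an obfuscated payload (placeholder string).
    printf '%s\n' '<?php' 'eval(base64_decode("PLACEHOLDER"));' \
        > "$1/var/cache/deliverycache_bad.php"
    # Delivery plugin patched to emit a hidden frame (placeholder URL).
    printf '%s\n' '<?php' 'echo "<iframe src=\"http://example.invalid/\" width=\"0\"></iframe>";' \
        > "$1/plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php"
}

# Stand-alone run: build the sample tree and report on it.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_install "$demo"
    scan_dir "$demo"
    echo "flagged: $(count_hits "$demo")"
    rm -rf "$demo"
fi
```

Delivery cache entries are legitimately PHP files, so the sweep flags on constructs (eval, decoders, iframes, direct use of request superglobals) rather than on the presence of a PHP tag. Run it from a cron job stored outside the web root, so that a compromise of the document root cannot silently disable the check.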
Erik Geurts, posted March 2, 2015

I suggest upgrading to the latest version of Revive Adserver. The version you are using is several years old and has many known security issues.
eLiX, posted May 12, 2016

I know that this is an old topic, but we are facing almost the same problem right now. After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4, and the compromised database has stayed clean since then. But the hackers are now using the method described by the topic opener. I found malicious code in /plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php and a fake cache file under /var/cache/deliverycache_aaq22kik12944a6de781d37d3g0fd972nac6a9.php, which included a link to the hidden iframes that were injected for Internet Explorer users. So I googled and found this: http://www.malekal.com/en-openx-hacks-example-malvertising/ which describes almost the same issue. But I don't know how to fix the entry point right now. Can anyone help?
dJAX, posted May 12, 2016

Elix, the Revive cache plug-in hack hits the ad server. If you provide Revive login and server details, we will check whether the security tips were followed or not.
eLiX, posted May 12, 2016

15 minutes ago, dJAX said:
    Elix, the Revive cache plug-in hack hits the ad server. If you provide Revive login and server details, we will check whether the security tips were followed or not.

Hello dJAX, thank you for your reply. Our sysadmin will not provide any login information to unknown people, sorry ;). Our admin area is protected by .htaccess. I am very interested in the attack vector of the scenario the topic owner posted, to prevent further modifications.
Ian, posted May 12, 2016

1 hour ago, eLiX said:
    Hello dJAX, thank you for your reply. Our sysadmin will not provide any login information to unknown people, sorry ;). Our admin area is protected by .htaccess. I am very interested in the attack vector of the scenario the topic owner posted, to prevent further modifications.

I hope that, like every sane user of OpenX 2.8.7, he has upgraded to the latest Revive version...
eLiX, posted May 12, 2016

8 minutes ago, Ian van Marwijk said:
    I hope that, like every sane user of OpenX 2.8.7, he has upgraded to the latest Revive version...

Sure, as I said before, we updated the system to the latest Revive version :).

6 hours ago, eLiX said:
    After being hacked in the old OpenX version 2.8.x we updated to the latest Revive version 3.2.4, and the compromised database has stayed clean since then.

But the cache file hack is/was still active...
Ian, posted May 12, 2016

Be sure to check that there is not a file outside of your Revive folder which infects it again, or maybe even a cronjob (I've seen it happen). Also be sure to htaccess your /www/api and change the passwords of all users.
Erik Geurts, posted May 12, 2016

8 minutes ago, eLiX said:
    Sure, as I said before, we updated the system to the latest Revive version :). But the cache file hack is/was still active...

Yes, when you perform an upgrade, any and all plugins in the previous version will be ported along to the upgraded version. This includes anything that a malicious user might have added or modified. If an ad server is compromised, it should be cleaned up first, and then upgraded.
eLiX, posted May 13, 2016

15 hours ago, Erik Geurts said:
    Yes, when you perform an upgrade, any and all plugins in the previous version will be ported along to the upgraded version. This includes anything that a malicious user might have added or modified. If an ad server is compromised, it should be cleaned up first, and then upgraded.

OK, we made a second installation in a different folder with a blank Revive Adserver 3.2.4 and followed the instructions here: https://www.revive-adserver.com/support/upgrading/. In the old OpenX we removed the injected code from the ox_zones tables and a user with the userid 999 with admin rights named "Maintenance", and then we copied the database, because it seemed to be clean then. I followed the instructions from here: http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/ Anything wrong in this procedure? I thought that would do the job.

15 hours ago, Ian van Marwijk said:
    Be sure to check that there is not a file outside of your Revive folder which infects it again, or maybe even a cronjob (I've seen it happen). Also be sure to htaccess your /www/api and change the passwords of all users.

Passwords were all changed, and I'll htaccess the api folder too now. I removed the file adxmlrpc.php from the root folder to "disable" XML-RPC. Is there a better way to disable this than removing the file? Thanks for your hints and tips!
Erik Geurts, posted May 13, 2016

It is not impossible, and actually very likely, that the previous hack has placed something malicious on your server that will result in a compromise of your newly installed software. You are going to have to do a thorough check of the server as a whole, perhaps even do a complete re-install of the server itself.
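"Clean up first, then upgrade" and "check the server as a whole" become checkable when the live tree is compared file by file against a pristine copy of the same release. The script below is an added example, not code from this thread or from Revive Adserver; the directory layout it expects (a clean unpacked release next to the live install) and the sample trees it constructs are assumptions, and the "injected" sample contents are inert placeholders.

```sh
#!/bin/sh
# Added example; not code from the thread or from Revive Adserver.
# Diff a known-clean copy of the ad server tree (the release tarball,
# unpacked next to the live one) against the live tree and list every
# file that was added, modified or removed. Layout and sample contents
# below are constructed assumptions.

# hash_file FILE: SHA-256 hex digest, using whichever tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# manifest DIR: "<64 hex chars>  relative/path" per regular file, sorted.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# integrity_diff CLEAN_DIR LIVE_DIR: one line per discrepancy:
#   ADDED    path   (live only: dropped shell, fake cache file, ...)
#   MODIFIED path   (same path, different content: patched plugin, ...)
#   REMOVED  path   (clean only)
integrity_diff() {
    clean_m=$(mktemp); live_m=$(mktemp)
    manifest "$1" > "$clean_m"
    manifest "$2" > "$live_m"
    # The path starts at column 67 (64 hex + 2 spaces), so paths containing
    # spaces survive; the first file read is the clean manifest.
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { clean[p] = h; next }
        {
            if (!(p in clean))        print "ADDED    " p
            else if (clean[p] != h)   print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in clean) if (!(p in seen)) print "REMOVED  " p }
    ' "$clean_m" "$live_m" | LC_ALL=C sort
    rm -f "$clean_m" "$live_m"
}

# make_sample_trees DIR: constructed clean/ and live/ trees mirroring the
# thread: an untouched file, a patched delivery plugin, a fake cache entry
# that exists only on the live server, and a file that went missing.
make_sample_trees() {
    for t in clean live; do
        mkdir -p "$1/$t/plugins/deliveryCacheStore/oxCacheFile" "$1/$t/var/cache"
        printf '%s\n' '<?php' 'require_once "init.php";' > "$1/$t/index.php"
    done
    printf '%s\n' '<?php' '/* delivery cache store plugin (constructed) */' \
        > "$1/clean/plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php"
    printf '%s\n' '<?php' '/* delivery cache store plugin (constructed) */' '/* INJECTED PLACEHOLDER */' \
        > "$1/live/plugins/deliveryCacheStore/oxCacheFile/oxCacheFile.delivery.php"
    printf '%s\n' '<?php' '/* FAKE CACHE PLACEHOLDER */' \
        > "$1/live/var/cache/deliverycache_fake.php"
    printf '%s\n' 'Revive Adserver' > "$1/clean/README"
}

# Stand-alone run: build the sample trees and print the discrepancies.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_trees "$demo"
    integrity_diff "$demo/clean" "$demo/live"
    rm -rf "$demo"
fi
```

The configuration file and anything under var/ will legitimately differ from the release tarball, so expect a handful of known entries; everything else under plugins/ and var/cache on the ADDED or MODIFIED list is a file that has to be explained before the database is carried over to a fresh install.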
eLiX, posted May 13, 2016

So that means that upgrading to Revive likely did not solve my problem then... In case I am reinstalling the Revive Adserver completely blank on a totally different server under a different domain, how can I safely import our data to the new system? Do I need to copy and paste every banner by hand to be sure that there is no malicious code or anything else in it?