There was hardly any information out there about this particular bug, but it turned out that we were indeed infected. Avast pointed to the file ajs.php, which was the OpenX script delivering our ads. I didn't start to catch on until I googled ajs.php.
The file itself was fine: unchanged from the installed version. The infection had gotten into our server's OpenX database somehow.
Here's the code that was served with each ad:
The fix was this:
- upgraded OpenX from 2.8.7 to 2.8.8
- zeroed out the files install.php and install-plugin.php
- moved the directory plugins to a random new location (I'll delete it altogether if no problem associated with its absence arises)
- set the column append equal to the empty string in every record of every table in which it appears (ox_banners, ox_zones, and all the ox_z_xxxxxxxxx tables)
- restarted apache2
Before I upgraded OpenX, I emptied out the same column, but the infection was back the next day. So there was a back door open somewhere. I hope that upgrading to 2.8.8 will have closed the back door, but it's hard to be sure.
From what I've seen, the route of the infection is by attackers taking advantage of the install.php file or install-plugin.php file to upload a script that they have written which writes into your OpenX database.
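As an added example that is not part of the original post: a small Python audit script that does the database part of the cleanup described above, and that can be re-run the next day to check whether the `append` column has been repopulated. It enumerates the ad tables (ox_banners, ox_zones, and every ox_z_xxxxxxxxx table) that actually carry an `append` column, lists rows where that column is non-empty, and blanks them. The sample rows and table layouts are constructed for the example and stand in for a real OpenX MySQL schema using an in-memory SQLite database; the column name `append` and the table names come from the post, the row contents and the `ox_z_1a2b3c` identifier are made up.

```python
"""Audit and clear the OpenX `append` column across ad-serving tables.

Added example, not code from the original post. An in-memory SQLite
database with constructed rows stands in for the OpenX MySQL schema.
"""
import re
import sqlite3

# Only these table names are touched; the strict pattern also keeps the
# table-name interpolation below safe (names come from the catalog and
# must match before they are used in a statement).
TABLE_PATTERN = re.compile(r"^ox_(banners|zones|z_[0-9a-f]+)$")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an infected OpenX database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ox_banners (bannerid INTEGER PRIMARY KEY, description TEXT, append TEXT)")
    conn.execute("CREATE TABLE ox_zones (zoneid INTEGER PRIMARY KEY, zonename TEXT, append TEXT)")
    conn.execute("CREATE TABLE ox_z_1a2b3c (id INTEGER PRIMARY KEY, append TEXT)")  # hypothetical ox_z_ table
    conn.execute("CREATE TABLE ox_clients (clientid INTEGER PRIMARY KEY, clientname TEXT)")  # no append column
    # Constructed data: the marker string is a harmless placeholder for injected markup.
    injected = "<!-- CONSTRUCTED injected marker -->"
    conn.executemany("INSERT INTO ox_banners VALUES (?, ?, ?)",
                     [(1, "clean", ""), (2, "clean, NULL append", None), (3, "tampered", injected)])
    conn.executemany("INSERT INTO ox_zones VALUES (?, ?, ?)",
                     [(1, "sidebar", ""), (2, "footer", injected)])
    conn.executemany("INSERT INTO ox_z_1a2b3c VALUES (?, ?)", [(7, injected)])
    conn.commit()
    return conn


def openx_ad_tables(conn: sqlite3.Connection) -> list:
    """Names of ad tables that have an `append` column.

    MySQL equivalent of the catalog query:
      SELECT table_name FROM information_schema.columns
      WHERE table_schema = DATABASE() AND column_name = 'append';
    """
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    found = []
    for name in names:
        if not TABLE_PATTERN.match(name):
            continue
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{name}")')]
        if "append" in columns:
            found.append(name)
    return sorted(found)


def find_tampered_rows(conn: sqlite3.Connection) -> list:
    """(table, rowid, append) for every row whose append field is non-empty."""
    hits = []
    for table in openx_ad_tables(conn):
        rows = conn.execute(
            f'SELECT rowid, append FROM "{table}" WHERE append IS NOT NULL AND append <> \'\'')
        hits.extend((table, rowid, value) for rowid, value in rows)
    return hits


def clear_append(conn: sqlite3.Connection) -> int:
    """Set append to the empty string in every ad table; return rows changed."""
    changed = 0
    for table in openx_ad_tables(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET append = \'\' WHERE append IS NOT NULL AND append <> \'\'')
        changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    for table, rowid, value in find_tampered_rows(db):
        print(f"{table} row {rowid}: {value!r}")
    print(f"cleared {clear_append(db)} rows; remaining: {len(find_tampered_rows(db))}")
```

Running it against the real database would mean pointing `openx_ad_tables` and the two queries at the MySQL connection instead of SQLite; the logic is the same. Keeping the listing step separate from the clearing step matters here, because the listed rows are the evidence that the column was repopulated after the first cleanup, which is what told the author a back door was still open.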
I wonder when software developers will stop being so naive -- but perhaps they are only naive in the open source version.