OpenX.org serving malware?

January 7, 2011 by 2 Comments

We are tracking a few sites that are currently blacklisted and showing a warning from Google that openx.org (home of a popular open source ad server) is the site responsible for the infection:

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including openx.org/.

By looking at the diagnostic page for openx.org itself, it shows:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, openx.org appeared to function as an intermediary for the infection of 82 site(s) including solovenezolanas.com/, thelocal.de/, drtuber.com/.

We are still tracking to see which ads are causing the issue, or if the openx servers themselves are compromised. If you include the tracking code from openx.org, we recommend that you check to see if there isn’t any malicious code being pushed to your users.

Filed Under: blacklisted, openx Tagged With: , ,

OpenX users – Time to upgrade

September 16, 2010 by 11 Comments

*Note that openx.org is currently offline, so we recommend disabling it until you can upgrade.
**We are mirroring version 2.8.7 here: http://sucuri.net/openx-2.8.7.tar.gz if you don’t want to wait until openx is back online.
***If your site is hacked/blacklisted and you need help, email us at support@sucuri.net

If you are using OpenX, make sure to upgrade it to the latest version (2.8.7) as soon as possible.

Older versions have a known vulnerability that is being exploited in the wild.

This is the announcement from the OpenX team (their site is offline, so I am copying in here):

Security is an important priority at OpenX and we’re constantly working to provide security patches and bug fixes as soon as we become aware of any potential issue. As these issues are discovered, we validate, patch and release as quickly as we can. But it’s important to understand that avoiding potential security issues also requires server administrators to be vigilant and upgrade their systems to new, patched versions as soon as they become available.

It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised. We have already closed this vulnerability with the latest version of our software. To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7.

You can download the new version here: http://www.openx.org/ad-server/download (also offline, but hopefully it will be back soon).

Example of malware being used in the wild: http://sucuri.net/malware/entry/MW:IFRAME:HD36

If you can’t upgrade, make sure to delete the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

We will post more details as we learn.
Read More

Filed Under: hacked, vulnerability Tagged With: , ,

ASIS International Website Blacklisted by Google

September 10, 2010 by 1 Comment

The official website (asisonline.org) of ASIS International, a major physical security association was hacked and blacklisted yesterday. Add another case to the list of sites using outdated and/or vulnerable applications. In the case of ASIS, they were running a vulnerable version of OpenX (ad server software) and the attackers injected malicious code in there.

Anyone visiting the ASIS website has ads served from ads.asisonline.org which is the culprit. The ad server is loading malware from: hxxp://liyerfit.com/blogs/martin/. The malware string can be detected using our scanner.



Read More

Filed Under: blacklist, blacklisted, hacked, Malware, openx Tagged With: , , , ,