OpenX users – Time to upgrade

September 16, 2010David Dede11 Comments

*Note that openx.org is currently offline, so we recommend disabling it until you can upgrade.
**We are mirroring version 2.8.7 here: http://sucuri.net/openx-2.8.7.tar.gz if you don’t want to wait until openx is back online.
***If your site is hacked/blacklisted and you need help, email us at support@sucuri.net

If you are using OpenX, make sure to upgrade it to the latest version (2.8.7) as soon as possible.

Older versions have a known vulnerability that is being exploited in the wild.

This is the announcement from the OpenX team (their site is offline, so I am copying in here):

Security is an important priority at OpenX and we’re constantly working to provide security patches and bug fixes as soon as we become aware of any potential issue. As these issues are discovered, we validate, patch and release as quickly as we can. But it’s important to understand that avoiding potential security issues also requires server administrators to be vigilant and upgrade their systems to new, patched versions as soon as they become available.

It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised. We have already closed this vulnerability with the latest version of our software. To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7.

You can download the new version here: http://www.openx.org/ad-server/download (also offline, but hopefully it will be back soon).

Example of malware being used in the wild: http://sucuri.net/malware/entry/MW:IFRAME:HD36

If you can’t upgrade, make sure to delete the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

We will post more details as we learn.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Pingback: Tweets that mention OpenX users – Time to upgrade | Sucuri -- Topsy.com()
picajoso

We've been affected by this too. I've downloaded OpenX 2.8.7 from here:
http://download.openx.org/openx-2.8.7.tar.bz2 http://download.openx.org/openx-2.8.7.tar.gz http://download.openx.org/openx-2.8.7.zip

In case you're interested. The links work even though the website doesn't.

Anyway, I'm not sure the upgrade will be enough. I really don't now if the malware has spreaded to the database or the OpenX files in someway, and don't know either if there's some easy way to check this.
Joe

[quote] I'm not sure the upgrade will be enough. I really don't now if the malware has spreaded to the database or the OpenX files in someway [/quote]

It's not the patch's job to clean up your data and chase down malware which has been pushed to your machine, just to plug the vulnerability.
Francia

Somebody knows if this vulnerability affect 2.4.X versions???
End User

Update is not enough. You need to check DB tables for zones, banners and users.
Look for the append and prepend code in the zones and banners table. Check users to see if one or two were added recently.

You can also check the audit trail. To help hunt down issue.
theguy

We were attacked by this early today. Javascript code was added to the prepend and append columns in the ox_zones tables. Also the ox_banners table. 2 new users were added in the ox_users table. Make sure to remove this data from the DB.
picajoso

That's exactly what we have done: after upgrading we have checked the database, and there were in fact several issues:

– Codes in the apend and prepend fields on the ox_zones and ox_banners
– New users in the ox_users
– Several entries on ox_audit

I've cleaned everything I found but… could it be possible that some infected file could cause the auto-generation of new codes/users and its insertion on those tables? We thought that we were finished, but ten minutes ago we found new corrupted data on our OpenX DB 🙁
picajoso

In case you're interested, the OpenX team has posted an article about the vulnerability and the process to clean everything:
http://blog.openx.org/09/security-update-how-to-s…

Hope this helps!
Boris Delev

You can delete variables of "append" and "prepend" elements in table banners & ox_zones. Then you must check your computer for viruses and test all users of openx system.
Pingback: Alexa top sites – Blacklist status for september | Sucuri()
OpenX Reviews

Always check new versions for OpenX. It provides security.

Skip links

About David Dede