Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


January 13th, 2014

How to clean your hacked OpenX server

cleanup_noframeChristmas is a time of peace, but it does not apply to hackers and creators of malware. In the middle of the holidays, the AVAST Virus Lab found a new type of infection targeting advertisement servers with OpenX installed. Unfortunately, the only antivirus detecting this threat is avast! which leads to the erroneous conclusion that there is a false positive on our side, but it is actual danger.

This infection is called JS:Redirector-BJB or JS:Redirector-BJC and it has been confirmed on 930 servers running OpenX over the world. This means that at least 130 thousand people are saved by avast! from malware infection in advertisements every day, so please be reasonable and update your server as soon as possible.

Infection and consequences for users visiting a malicious website are described in our recent post about malvertising, but today let’s look at how to successfully clean, update, and secure your application. Below are the top 5 most visited and infected sites. Is yours on this list?

  1. pub.akinator.com
  2. ads.locafilm.com
  3. ads.novsport.com
  4. ads.svetplus.com
  5. 116.66.206.132

If you are using OpenX or Revive AdServer’s prior version 3.0.2 your system is vulnerable!

Below you can find a few steps that will lead you through cleaning, but updating to the latest version of Revive AdServer is necessary. Otherwise your server will still have known security flaws.

backup1. Backup Files – Download all files from FTP to your computer and scan them with antivirus. If any of the files are marked as a threat, delete it from FTP instantly. If it is possible, also backup your database to ensure calm upgrading.

check2. Check for Backdoor - Search FTP for files that do not belong there. You can find them by their date of creation (file with different date than others in the directory) or by obfuscated content in source files. You can also compare your source codes with official installation and reveal newly added files. If you are using OpenX version 2.8.10, delete file “flowplayer-3.1.1.min.js” because it contains a backdoor.

cleandb3. Clean the Database – The first step is to change passwords both for admin and for database, and also check if there are no unknown users. This will ensure no disturbance during the cleaning process. Next, you must examine tables “Banners” and “Zones” in the database. Find and delete any malicious javascript located there. Usually its located in “Append” or “Prepend” fields. The last step is to update the new database password in config, because it will be needed during the upgrade.

upgrade4. Upgrade Application – Download the latest version of Revive AdServer to your hard drive. OpenX changed its name in summer 2013 so the newest version can be downloaded only from link above. Follow the steps that you find in the article from the official pages about upgrading OpenX or Revive AdServer application.

secure5. Secure Server – After the upgrade you have only a few things to do. Check that the database and all users have their password unbreakable. Do not use any passwords from before. Do not leave any installation or old files on FTP. Change the password to the FTP because hackers could discover it too.

Someone might think “upgrading must help solve my problem,” but that’s unfortunately not true. In this and as well in many other cases, website administrators and owners must perform the described steps in order to get rid of the infection completely. Do not forget to change all passwords.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

Categories: How to, lab, Virus Lab Tags: , ,
Comments are closed.