[en] OpenX Hacks example (malvertising)

A few days ago I helped a friend clean up their ad network, so I can share some OpenX hack examples.
The group behind these hacks is very well known; you can recognize them by this URL pattern: domain.tld/directory{1,3}/page.js
Recently they have been using GoDaddy subdomains: https://twitter.com/malekal_morte/status/599227867852054528

Latest IPs:
https://www.virustotal.com/fr/ip-address/85.143.216.203/information/
https://www.virustotal.com/fr/ip-address/85.143.217.219/information/
https://www.virustotal.com/fr/ip-address/85.143.217.89/information/

Very active on trafficholder and mail3x in November 2013.
Trafficholder hack in November 2013.
Probably also on Creoads.

On the mail3x OpenX hacks:

[screenshot: mail3x_openx_hacks]

ClickPapa in June 2014:

Example 1: Hijacked Tags

The first example is a simple tag hijack.
An ads manager with some technical knowledge can probably spot these modifications from the OpenX admin panel.
As you can see, the code also creates a PHP backdoor.

[screenshot: openx_hack_tags] Result: the bad code and the redirection can be seen in the middle of the web page generated by the afr.php file.
In this case, the malicious URLs and tags are updated automatically (every 30/hour) from a PHP backdoor, which is used to run UPDATE/INSERT statements in the database.
[screenshot: openx_hack_tags2]


They use a customized PHP backdoor that mixes data and PHP code.
Detection at VirusTotal was nil: https://www.virustotal.com/fr/file/8a7c525be6ce1c7b92060682ac823c44c7a926f9eead9fbc7155b8aeddf09b15/analysis/1428996092/
or only one detection a year after the first comment!: https://www.virustotal.com/fr/file/1352b9e1ba9e137ce4eff545bfe393569a18106c625a32004c58ec27135abab7/analysis/1431940911/

[screenshot: BackdoorPHP_Data]
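Since the hijacked tags live in the banner rows of the OpenX database and are re-inserted by the backdoor, the admin panel is not a reliable place to look. A periodic scan of the banner HTML against a host allowlist, plus the domain.tld/directory{1,3}/page.js pattern mentioned above, catches the re-injection even between cleanups. The script below is an added example and not code from the post or from OpenX; the banner rows and domains are constructed placeholders, and the allowlist is something the ads manager has to maintain.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows, shaped like (bannerid, htmltemplate) from a banners table dump.
# Banner 103 carries the domain/dirN/page.js pattern described in the post; the hosts are placeholders.
SAMPLE_BANNERS = [
    (101, '<a href="https://advertiser.example/landing"><img src="https://cdn.advertiser.example/b1.gif"></a>'),
    (102, '<script type="text/javascript" src="https://cdn.advertiser.example/tag.js"></script>'),
    (103, '<img src="https://cdn.advertiser.example/b2.gif">'
          '<script src="http://injected-placeholder.example/a1/f7c/page.js"></script>'),
    (104, '<iframe src="http://injected-placeholder.example/x9/page.php" width="1" height="1"></iframe>'),
]

# Hosts the ads manager has approved for this network (assumption: operator-maintained list).
ALLOWED_HOSTS = {"advertiser.example", "cdn.advertiser.example"}

# Pattern from the post: one to three short path segments, then page.js.
HIJACK_PATH = re.compile(r"^(?:/[A-Za-z0-9_-]+){1,3}/page\.js$")

# src attribute of any <script> or <iframe> tag in the banner HTML.
SRC_ATTR = re.compile(r"""<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_sources(html):
    """Return (tag, url) pairs for every script/iframe src found in a banner template."""
    return [(tag.lower(), url) for tag, url in SRC_ATTR.findall(html)]


def classify(url):
    """Return a reason string if the URL looks hijacked, or None if it is an approved host."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in ALLOWED_HOSTS:
        return None
    if HIJACK_PATH.match(parsed.path):
        return "matches domain.tld/dir{1,3}/page.js pattern"
    return "host not in allowlist"


def scan_banners(rows):
    """Scan banner rows and return findings as (banner_id, tag, url, reason)."""
    findings = []
    for banner_id, html in rows:
        for tag, url in extract_sources(html):
            reason = classify(url)
            if reason:
                findings.append((banner_id, tag, url, reason))
    return findings


if __name__ == "__main__":
    for finding in scan_banners(SAMPLE_BANNERS):
        print("banner %d: <%s src=%s> -> %s" % finding)
```

Run it from cron against a fresh dump of the banners table; because the backdoor re-inserts the tags on a schedule, a single clean result means nothing until the backdoor file itself has been found and removed.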

Example 2: Altered OpenX page

Another example: as you can see, the iframe is now at the top of the afr.php output.
The code is not generated by afr.php itself.
[screenshot: open_hack_Memcached5]
The file plugins/deliveryCacheStore/oxMemcached/oxMemcached.delivery.php has been modified.
There are two parts in the code.
The second part generates the iframe; the URL is stored in a deliverycache_xxx.php file. As you can see, there is user-agent filtering (only people using IE are redirected to the exploit kit).
The first part is very interesting: with a hit on oxMemcached.delivery.php, an "ox" cookie is able to write a new URL into the deliverycache_xxx.php page.
The "sda" cookie allows the deliverycache page to be deleted.
[screenshot: open_hack_Memcached]

Delivery page content :

[screenshot: open_hack_Memcached6]
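A modified plugin file and a stray deliverycache_xxx.php next to it are exactly what a file-integrity check catches, provided the baseline was taken from a trusted install. The script below is an added example, not code from the post or from OpenX: it hashes every .php file under the install, compares a live tree with that baseline, and lists deliverycache_*.php files that sit outside the configured cache directory (var/cache is assumed here as the cache location; the demo tree and its file contents are constructed).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every .php file under root. Take this from a freshly installed, trusted copy."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*.php"))}


def verify(root, manifest):
    """Compare the live tree with the manifest. Returns (modified, unexpected, missing) relative paths."""
    live = build_manifest(root)
    modified = sorted(p for p in manifest if p in live and live[p] != manifest[p])
    unexpected = sorted(p for p in live if p not in manifest)
    missing = sorted(p for p in manifest if p not in live)
    return modified, unexpected, missing


def stray_cache_files(root, cache_dir):
    """deliverycache_*.php files anywhere except the configured cache directory (assumed var/cache)."""
    root, cache_dir = Path(root), Path(cache_dir).resolve()
    stray = []
    for p in root.rglob("deliverycache_*.php"):
        if cache_dir not in p.resolve().parents:
            stray.append(str(p.relative_to(root)))
    return sorted(stray)


def demo():
    """Constructed demonstration: trusted tree, baseline, then the tampering described in the post."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "plugins/deliveryCacheStore/oxMemcached/oxMemcached.delivery.php"
        plugin.parent.mkdir(parents=True)
        plugin.write_text("<?php\n// trusted plugin code (constructed placeholder)\n")
        (root / "www/delivery").mkdir(parents=True)
        (root / "www/delivery/fc.php").write_text("<?php\n// legitimate delivery script (constructed placeholder)\n")
        manifest = build_manifest(root)  # baseline taken while the install is clean

        # Tampering: the plugin gets extra code and a cache file appears next to the plugin code.
        plugin.write_text(plugin.read_text() + "// injected line (constructed)\n")
        (plugin.parent / "deliverycache_0123abcd.php").write_text("<?php /* constructed */ ?>")

        modified, unexpected, missing = verify(root, manifest)
        stray = stray_cache_files(root, cache_dir=root / "var/cache")
        return modified, unexpected, missing, stray


if __name__ == "__main__":
    modified, unexpected, missing, stray = demo()
    print("modified:", modified)
    print("unexpected:", unexpected)
    print("missing:", missing)
    print("stray cache files:", stray)
```

Keep the manifest off the web server (the backdoor can rewrite files, so a manifest stored next to the code is worth little), and regenerate it only after a verified-clean upgrade.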

If you expect to see hits to oxMemcached.delivery.php in the HTTP log, you are wrong!
They hit fc.php with a script parameter.
[screenshot: open_hack_Memcached2]
fc.php content (legitimate file, present in the OpenX package):
[screenshot: open_hack_Memcached4]
Here is the hit content with the ox cookie.
[screenshot: open_hack_Memcached3]


Also, in this case, they use several servers to rotate the malicious URLs and bypass antivirus detection.
The die() messages are also very important, because they can be used like a ping:

  • die("Success") = ok, backdoor still there, URL updated
  • die("OFF") = ok, URL web page removed
  • no reply = backdoor removed, did the webmaster get me?

Very smart.
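Because the backdoor is reached through the legitimate fc.php and answers with a bare die("Success") or die("OFF"), the HTTP log is still the place to find it: a script parameter that does not match the network's normal fc.php usage, the ox/sda cookies, and tiny response bodies (7 bytes for "Success", 3 for "OFF") all stand out. The detection below is an added example, not code from the post or from OpenX. It assumes a custom Apache LogFormat that logs the Cookie header after the User-Agent, and the allowlist of legitimate script values is a placeholder an operator fills from their own clean logs; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed LogFormat: %h [%t] "%r" %>s %b "%{User-Agent}i" "%{Cookie}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Placeholder allowlist: fill it with the script= values seen in your own clean traffic.
KNOWN_SCRIPTS = {"deliveryLog:vastServeVideoPlayer:player"}
BACKDOOR_COOKIES = {"ox", "sda"}              # cookie names described in the post
BEACON_SIZES = {len("Success"), len("OFF")}   # body sizes of the die() replies

# Constructed log lines: one normal afr.php hit, one legitimate fc.php hit, two backdoor hits.
SAMPLE_LOG = """\
203.0.113.10 [12/Jun/2014:10:01:02 +0200] "GET /www/delivery/afr.php?zoneid=3 HTTP/1.1" 200 4821 "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0" "-"
198.51.100.7 [12/Jun/2014:10:05:44 +0200] "GET /www/delivery/fc.php?script=deliveryLog:vastServeVideoPlayer:player HTTP/1.1" 200 2210 "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0" "OAID=abc123"
192.0.2.55 [12/Jun/2014:10:07:13 +0200] "GET /www/delivery/fc.php?script=oxMemcached_placeholder HTTP/1.1" 200 7 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" "ox=aHR0cDovL2V4YW1wbGU; OAID=abc123"
192.0.2.55 [12/Jun/2014:11:07:13 +0200] "GET /www/delivery/fc.php?script=oxMemcached_placeholder HTTP/1.1" 200 3 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" "sda=1"
"""


def parse_line(line):
    """Return the log fields as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cookie_names(header):
    """Names of the cookies in a raw Cookie header ('-' or empty means none)."""
    return {part.split("=", 1)[0].strip() for part in header.split(";") if "=" in part}


def analyse(entry):
    """Reasons this request looks like backdoor traffic (empty list = nothing suspicious)."""
    reasons = []
    url = urlparse(entry["target"])
    is_fc = url.path.endswith("/fc.php")
    if is_fc:
        script = parse_qs(url.query).get("script", [None])[0]
        if script and script not in KNOWN_SCRIPTS:
            reasons.append("fc.php script parameter outside allowlist: %s" % script)
        if entry["size"].isdigit() and int(entry["size"]) in BEACON_SIZES:
            reasons.append("tiny response (%s bytes) on fc.php, possible die() beacon" % entry["size"])
    hit = cookie_names(entry["cookie"]) & BACKDOOR_COOKIES
    if hit:
        reasons.append("backdoor cookie present: %s" % ",".join(sorted(hit)))
    return reasons


def scan_log(text):
    """Return (ip, target, reasons) for every parseable line that triggers at least one rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyse(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target)
        for r in reasons:
            print("   -", r)
```

The size heuristic is deliberately loose (a legitimate 3- or 7-byte reply is rare but possible on fc.php), so treat it as a pivot to the other two rules rather than an alert on its own; the script-parameter rule is the one that survives a change of cookie names.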

They also seem to be very patient: the server can be under their control but left unused for months, and the redirection is probably activated only when they need traffic (or maybe when a new CVE is released).
