OpenX Hacks example (malvertising)

Some days ago, I helped a friend clean up their ads network, so I can share some OpenX hack examples.
The group behind these hacks is very well known; you can recognize them by this URL pattern: domain.tld/directory{1,3}/page.js
Recently they have been using GoDaddy subdomains: https://twitter.com/malekal_morte/status/599227867852054528

Last IPs:

Very active on trafficholder and mail3x in November 2013.
Trafficholder hack in November 2013.
Probably also on Creoads.

On the mail3x OpenX hacks:



ClickPapa in June 2014:

Example 1: Hijacked tags

The first example is a simple tag hijack.
An ads manager with some technical knowledge can probably spot these modifications from the OpenX admin panel.
As you can see, the code also creates a PHP backdoor.

Result: we can see the bad code and the redirection in the middle of the web page generated by the afr.php file.
In this case, the malicious URLs and tags are updated automatically every 30 min/hour by a PHP backdoor (they use it to run UPDATE/INSERT queries in the database).


They use a customized PHP backdoor that mixes data and PHP code.
Detection at VirusTotal was zero: https://www.virustotal.com/fr/file/8a7c525be6ce1c7b92060682ac823c44c7a926f9eead9fbc7155b8aeddf09b15/analysis/1428996092/
or only one detection a year after the first comment: https://www.virustotal.com/fr/file/1352b9e1ba9e137ce4eff545bfe393569a18106c625a32004c58ec27135abab7/analysis/1431940911/


Example 2: Altered OpenX page

Another example: as you can see, the iframe is now at the top of the afr.php output.
The code is not generated by afr.php itself.
The file plugins/deliveryCacheStore/oxMemcached/oxMemcached.delivery.php has been modified.
There are two parts in the code.
The second part generates the iframe; the URL is stored in a deliverycache_xxx.php file. As you can see, there is user-agent filtering (only visitors using IE are redirected to the EK).
The first part is very interesting: with a hit on oxMemcached.delivery.php, an ox cookie is able to write a new URL into the deliverycache_xxx.php page.
The sda cookie allows the deliverycache page to be deleted.

Delivery page content:


If you expect to see hits to oxMemcached.delivery.php in the HTTP logs, you are wrong!
They hit fc.php with a script parameter.
fc.php content (legitimate file, present in the OpenX package):
Here is the hit content with the ox cookie.


Also, in this case, they use several servers to rotate the malicious URLs and bypass antivirus detection.
The die() messages are also very important, because they can be used as a ping:

  • die("Success") = OK, backdoor still there, URL updated
  • die("OFF") = OK, URL/web page removed
  • no reply = backdoor removed, did the webmaster get me?

Very smart.
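The two log traits described above (fc.php hits carrying a script parameter and the ox/sda control cookies, with tiny die() replies as the response size) can be turned into a simple access-log check. This is an added example, not code from the original post: it assumes an Apache combined LogFormat extended with a trailing quoted %{Cookie}i field, and the script= value naming the delivery-cache plugin is an assumption about how fc.php loads plugin scripts; the log lines and cookie values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: Apache "combined" format plus a trailing quoted
# %{Cookie}i field (assumed custom LogFormat). Addresses, script= values and
# cookie contents are illustrative, not taken from the incident.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Jun/2014:09:01:02 +0000] "GET /www/delivery/afr.php?zoneid=3 HTTP/1.1" 200 1832 "-" "Mozilla/5.0 (compatible; MSIE 8.0)" "-"
198.51.100.7 - - [12/Jun/2014:09:01:03 +0000] "GET /www/delivery/fc.php?script=bannerTypeHtml:vastInlineBannerTypeHtml:vastInlineBannerTypeHtml HTTP/1.1" 200 410 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [12/Jun/2014:09:30:10 +0000] "GET /www/delivery/fc.php?script=deliveryCacheStore:oxMemcached:oxMemcached.delivery HTTP/1.1" 200 7 "-" "Mozilla/5.0" "ox=aHR0cDovL2V4YW1wbGUubmV0L3AuanM"
203.0.113.5 - - [12/Jun/2014:09:30:11 +0000] "GET /www/delivery/fc.php?script=deliveryCacheStore:oxMemcached:oxMemcached.delivery HTTP/1.1" 200 3 "-" "Mozilla/5.0" "sda=1"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')

# Cookie names used to drive the backdoor (from the write-up) and the byte
# lengths of its die() replies, which appear as the response size in the log.
CONTROL_COOKIES = {"ox": "write new URL", "sda": "delete delivery cache page"}
PING_SIZES = {len("Success"): 'die("Success"): URL updated',
              len("OFF"): 'die("OFF"): URL removed'}

def cookie_names(raw):
    """Return the set of cookie names in a Cookie header value ('-' means none)."""
    return {part.split("=", 1)[0].strip() for part in raw.split(";") if "=" in part}

def classify(line):
    """Return the suspicious traits of one log line, or [] if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    if not url.path.endswith("/fc.php"):
        return []
    reasons = []
    for script in parse_qs(url.query).get("script", []):
        # The delivery-cache plugin is normally included server-side by the
        # delivery engine; a client asking fc.php to load it is out of place.
        if script.startswith("deliveryCacheStore:"):
            reasons.append("fc.php loads %s" % script)
    for name in sorted(cookie_names(m["cookie"]) & set(CONTROL_COOKIES)):
        reasons.append("control cookie %s (%s)" % (name, CONTROL_COOKIES[name]))
    if reasons and m["size"].isdigit() and int(m["size"]) in PING_SIZES:
        reasons.append(PING_SIZES[int(m["size"])])
    return reasons

def scan(log_text):
    """Return (client ip, reasons) for every suspicious fc.php hit in the log."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split(" ", 1)[0], reasons))
    return hits
```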

They also seem to be very patient: the server can be under their control, but they don't use it for months, and they activate the redirection probably when they need traffic (or maybe when a new CVE is released).

This article is licensed under Creative Commons BY-NC-SA.
You are allowed to share and modify this article, provided that you credit the site and the license, use the same license if you modify the work, and do not use it commercially.