What to do when you suspect your OpenX Source system has been hacked

In the last couple of days, many reports have emerged of people seeing their OpenX Source systems being hacked. I’ve had mails from former clients and many new support requests from people I didn’t know yet. I’m afraid it is impossible for me to reply to every single e-mail instantly, and that’s why I’ve decided to post this article. I will keep adding tips and cleanup instructions to this article when I have new information.

How can you detect if your OpenX Source has been hacked?

There may be several ways to first find out about potential problems:

  • You might get mails or messages from people visiting your site(s) telling you that their virus scanner or malware protection has alerted them to a problem;
  • If the hack happened more than a few days ago, Google may have picked up on it and penalized your site by adding a malware warning to it. Visitors using the Google Toolbar in their browser will see a very clear warning on their screen, and you will receive an alert through the Google Webmaster Tools if you use that service;
  • You might find that when you are working in your ad server console you suddenly see a field asking you to enter a password (which you should NOT do!);

First things first: protect your site visitors

If you anticipate that it will take you longer than a few minutes to clean and fix your system, then it might be wise to protect your site visitors from being exposed to the malicious code through your banner ads. One way to do this in a very quick and dirty way is to temporarily rename the folder where your OpenX Source system is installed. So if your ad server is at www.example.com/openx/ you could rename it to www.example.com/brokenx/. This is not an elegant measure as it will result in ‘404 page not found’ errors for every single ad request, but at least your site visitors are now safe.

Next: protect your own computer. Do not log in on your OpenX Source but read below and find and clean all infections before restoring the ad server to a working state.

How did the hack work?

At a high level, the hack will probably have resulted in the following things that need to be ‘cleaned’:

  • one or more new administrator users will have been added to the ox_users table in the database that holds your OpenX Source data. See below for an example and cleanup instructions.
  • probably using these admin usernames, the hacker will then have been able to alter some of the plugins that are part of the core OpenX Source system;
  • one of the altered files will enable the hacker to access the database, completely circumventing the OpenX Source login process;
  • in the database, the hacker will have added code or altered code in the ‘append’ and/or prepend columns of the ox_banners or ox_zones tables (or both).

What needs to be done to clean your OpenX Source system?

If you do not know how to work with tools like an FTP client, or the database management tool phpMyAdmin, you should find an experienced person to assist you. You may be able to get help from your hosting company or their help desk.

Here’s what you must do:

  • Remove the malicious users from the ox_users table (see below)
  • Remove the malicious code from the ox_banners and ox_zones tables (more detailed instructions in an update of this article later)
  • Search the plugins folder and sub folders, looking for files that have been added or altered recently (more information in an update later)
  • Protect your OpenX Source installation to prevent future hacking attempts
  • Upgrade your OpenX Source software to the most recent version

Removing malicious users

The hacks usually start in a way that’s easy to spot, but only if you’re specifically looking for it. It is not yet exactly known how, but hackers have found a way to add administrator users to the ‘ox_users’ table. Many cases have been seen where the administrator users were created weeks or months before the hackers actually come back to use them and inject malicious code into the banners and/or zones, or make alterations to existing plugins.

Using a tool like phpMyAdmin or with the help of a system administrator or your hosting company, closely examine the ox_users table and look for records that look like this:

Malicious entries in the ox_users table indicate a hacker has gained access to your system at system administrator level

Malicious entries in the ox_users table indicate a hacker has gained access to your system at system administrator level

In this screen shot, I’ve masked the legitimate users and all encrypted passwords. What you’ll notice is that in this particular case, four records have been added that all have contact name “Administrator” (just like the real administrator), and the user name is a variation on the admin user name. Also, you’ll notice that there is no e-mail address for these four rogue users, even though normally you can not add a user through the OpenX user interface without providing an e-mail address. The hackers will have added encrypted passwords that they know, and as a result of that, they will have full administrator access to your system at any given time.

Obviously, you should delete any of these malicious users as soon as you find them.

Some preventative measures if you haven’t been hacked

  • Secure your OpenX Source admin panels by adding an .htaccess to the www/admin folder that blocks access to anyone except known IP address (an example to follow later).
  • Change all passwords for all OpenX Source users and change the password you use for FTP access.
  • Use a good virus scanner and update it regularly, because even when working in the OpenX Source admin, you might be confronted with the malicious code added to banners or zones.
  • Run a full malware scan on your computer(s) that you use to work in OpenX Source, because the malicious code may have installed a key logger or trojan.